[nsp-sec] Why do a route hijack for 1 second?

Sweeney, William- CIPS Bill_Sweeney at cable.comcast.com
Mon Jul 20 10:13:19 EDT 2009


That would be my guess too; the user is just checking to see if the change is still possible.

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Peter Moody
> Sent: Monday, July 20, 2009 2:01 AM
> To: Hank Nussbacher
> Cc: nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Why do a route hijack for 1 second?
> 
> ----------- nsp-security Confidential --------
> 
> To continue to see if it's possible? A short-duration hijack of a
> small block could be a spear phish. Or maybe I've been watching too
> much Bourne Identity recently though :)
> 
> Cheers,
> /peter
> 
> On Sun, Jul 19, 2009 at 10:51 PM, Hank Nussbacher<hank at efes.iucc.ac.il> wrote:
> >
> > I have a strange case.  It involves 147.237.234.0/24 and route hijacking
> > from AS31500 (AS1680 has no peering arrangement with AS31500).  It started
> > on July 1 for 31 minutes and then quiet for 2 weeks and now we have seen the
> > following:
> >
> > Date:                         2009-07-17 11:02:06 UTC
> > Duration:                     35sec
> >
> > Date:                         2009-07-18 00:27:05 UTC
> > Duration:                     1sec
> >
> > Date:                         2009-07-19 00:27:18 UTC
> > Duration:                     1sec
> >
> > Date:                         2009-07-20 00:26:55 UTC
> > Duration:                     1sec
> >
> > I am seeing this via Cyclops:
> > Alert type:                   next-hop change
> > No. monitors:                 1
> > Announced ASPATH:             31500 1680
> >
> > Only 1 monitor sees it which means it is very localized (probably in
> > Russia).  But what would be the benefit of doing this next hop change for
> > just 1 second and clearly as a cron job to run every night?  Any ideas?
> >
> > Thanks,
> > Hank
> >
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
> >
> 
> 
> 
> --
> Peter Moody      Google    1.650.253.7306
> Network Security Engineer  pgp:0xC3410038
> 
> 

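The nightly pattern described in the thread can be checked mechanically. This is an added example, not part of the original messages: it parses alert text in the layout quoted above, returns the run of short events that recur about 24 hours apart, and reports a neighbor of the origin AS that is not on an allow list. The function names, the thresholds and the allow-list ASNs (documentation-range 64500 and 64501) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Alert text in the layout quoted in the thread; dates and durations are the post's.
ALERTS = """\
Date:                         2009-07-17 11:02:06 UTC
Duration:                     35sec

Date:                         2009-07-18 00:27:05 UTC
Duration:                     1sec

Date:                         2009-07-19 00:27:18 UTC
Duration:                     1sec

Date:                         2009-07-20 00:26:55 UTC
Duration:                     1sec
"""
ALERT_RE = re.compile(
    r"Date:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\s+Duration:\s+(\d+)sec")

def parse_alerts(text):
    """Return [(start, duration_seconds), ...] sorted by start time."""
    return sorted((datetime.strptime(d, "%Y-%m-%d %H:%M:%S"), int(s))
                  for d, s in ALERT_RE.findall(text))

def scheduled_run(events, max_duration=5, jitter=timedelta(minutes=2)):
    """Longest run of short events spaced one day apart (within jitter).

    Fewer than three consecutive hits is treated as coincidence and
    returns an empty list. Thresholds are assumed, not from the thread.
    """
    best, run = [], []
    for ev in (e for e in events if e[1] <= max_duration):
        if run and abs((ev[0] - run[-1][0]) - timedelta(days=1)) <= jitter:
            run.append(ev)
        else:
            run = [ev]
        if len(run) > len(best):
            best = list(run)
    return best if len(best) >= 3 else []

def unexpected_neighbor(as_path, origin, allowed_neighbors):
    """Return the AS next to `origin` in the path if it is not allow-listed."""
    hops = [int(a) for a in as_path.split()]
    if len(hops) < 2 or hops[-1] != origin:
        return None
    return hops[-2] if hops[-2] not in allowed_neighbors else None

if __name__ == "__main__":
    print(scheduled_run(parse_alerts(ALERTS)))
    print(unexpected_neighbor("31500 1680", 1680, {64500, 64501}))
```

The 35-second event is excluded by the duration threshold, so only the three 1-second events around 00:27 UTC form the run.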