[nsp-sec] Why do a route hijack for 1 second?
Chris Morrow
morrowc at ops-netman.net
Mon Jul 20 10:59:57 EDT 2009
On Mon, 20 Jul 2009, Sweeney, William- CIPS wrote:
> ----------- nsp-security Confidential --------
>
> That would be my guess too, the user is just checking to see if the
> change is still possible.
Is it possible (given the possible cron hypothesis) that this is a
short-term leak of some internal route (to a proxy/filter-device/better
path) that's leaking during nightly route-filter updates?
(so something not necessarily malicious)
-Chris
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Peter Moody
>> Sent: Monday, July 20, 2009 2:01 AM
>> To: Hank Nussbacher
>> Cc: nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] Why do a route hijack for 1 second?
>>
>> To continue to see if it's possible? A short duration hijack of a
>> small block could be a spear phish. Or maybe I've been watching too
>> much Bourne Identity recently though :)
>>
>> Cheers,
>> /peter
>>
>> On Sun, Jul 19, 2009 at 10:51 PM, Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
>>>
>>> I have a strange case. It involves 147.237.234.0/24 and route hijacking
>>> from AS31500 (AS1680 has no peering arrangement with AS31500). It started
>>> on July 1 for 31 minutes and then quiet for 2 weeks and now we have seen the
>>> following:
>>>
>>> Date: 2009-07-17 11:02:06 UTC
>>> Duration: 35sec
>>>
>>> Date: 2009-07-18 00:27:05 UTC
>>> Duration: 1sec
>>>
>>> Date: 2009-07-19 00:27:18 UTC
>>> Duration: 1sec
>>>
>>> Date: 2009-07-20 00:26:55 UTC
>>> Duration: 1sec
>>>
>>> I am seeing this via Cyclops:
>>> Alert type: next-hop change
>>> No. monitors: 1
>>> Announced ASPATH: 31500 1680
>>>
>>> Only 1 monitor sees it which means it is very localized (probably in
>>> Russia). But what would be the benefit of doing this next hop change for
>>> just 1 second and clearly as a cron job to run every night? Any ideas?
>>>
>>> Thanks,
>>> Hank
>>>
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security
>>> counter-measures.
>>> _______________________________________________
>>>
>>
>>
>>
>> --
>> Peter Moody Google 1.650.253.7306
>> Network Security Engineer pgp:0xC3410038
>>
>>
>
>
>
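An added example, not part of the thread and not written by any list member: a small Python check for the nightly recurrence discussed above, run over the four alert times Hank reported for 147.237.234.0/24. The function names and the thresholds (`tolerance_s`, `max_duration_s`, `min_days`) are assumptions chosen for illustration.

```python
from datetime import datetime

# Alerts copied from the thread: (start time UTC, duration in seconds),
# all for 147.237.234.0/24 with announced AS path "31500 1680".
ALERTS = [
    ("2009-07-17 11:02:06", 35),
    ("2009-07-18 00:27:05", 1),
    ("2009-07-19 00:27:18", 1),
    ("2009-07-20 00:26:55", 1),
]
DAY = 86400

def seconds_of_day(ts):
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return t.hour * 3600 + t.minute * 60 + t.second

def circular_gap(a, b):
    """Distance between two times of day, wrapping around midnight."""
    d = abs(a - b) % DAY
    return min(d, DAY - d)

def scheduled_runs(alerts, tolerance_s=120, max_duration_s=5, min_days=3):
    """Group short-lived alerts that recur at about the same time of day.

    Returns one list of timestamps per group seen on at least min_days
    distinct dates. All three thresholds are assumed values, not taken
    from the thread or from any monitoring product.
    """
    groups = []
    for ts, dur in sorted(alerts):
        if dur > max_duration_s:
            continue  # longer events are a different pattern
        sod = seconds_of_day(ts)
        for g in groups:
            if circular_gap(sod, g["anchor"]) <= tolerance_s:
                g["events"].append(ts)
                break
        else:
            groups.append({"anchor": sod, "events": [ts]})
    return [g["events"] for g in groups
            if len({ts[:10] for ts in g["events"]}) >= min_days]

if __name__ == "__main__":
    for run in scheduled_runs(ALERTS):
        print("recurring short announcement:", ", ".join(run))
```

A hit only shows that the announcement follows a schedule; it does not distinguish a deliberate hijack from a leak during a nightly filter update, which still needs the originating network's view.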