[nsp-sec] Internap+AT&T: Interesting prefix hijacking
Steven Orchard
sorch at internap.com
Tue Jun 29 07:05:07 EDT 2010
In catching up on email this morning, I am aware that one of our
downstream customers decided to act as a transit for a subset of the
internet. While I cannot confirm, nor deny, any malicious intent, I know
that the situation was remedied upon notification.
Regards,
---------------------------------------------------------------------------
Steven Orchard Email: sorch at Internap.com
Sr. VP - Operations and Customer Service Phone: (404) 302-9867
Internap Network Services
** The contents of this email message are confidential and proprietary. **
---------------------------------------------------------------------------
On Tue, 29 Jun 2010, Chris Morrow wrote:
: Date: Tue, 29 Jun 2010 01:33:22 -0400
: Sender: nsp-security-bounces at puck.nether.net
: From: Chris Morrow <morrowc at ops-netman.net>
: To: nsp-security at puck.nether.net
: Subject: Re: [nsp-sec] Internap+AT&T: Interesting prefix hijacking
:
: ----------- nsp-security Confidential --------
:
: On 06/29/10 01:23, Hank Nussbacher wrote:
: > ----------- nsp-security Confidential --------
: >
: > Yesterday, at Jun 27 18:31:04 2010 GMT there was an interesting
: > hijacking going on which looks like a test run. The following
: > prefixes were hijacked and announced:
: >
: > AS1680 82.166.110.0/24
: > ...only 1 AS1680- prefix hijacked...
: > AS5486 213.8.156.0/22
: > AS5486 213.8.122.0/23
: > ...60 more prefixes...
: > AS9116 83.130.144.0/20
: > AS9116 77.125.64.0/18
: > AS9116 77.127.0.0/18
: > AS9116 80.178.208.0/21
: > AS9116 80.230.128.0/18
: > AS9116 87.71.64.0/18
: > AS9116 84.228.32.0/19
: > AS9116 84.229.208.0/20
: > AS9116 87.69.64.0/18
: > AS9116 87.71.128.0/19
: > ...about 390 more AS9116 prefixes...
: >
: > There are two interesting aspects here:
: >
: > a) the prefixes announced were more specifics that were not being
: > announced previously by the ISP and therefore usurped traffic destined
: > to Israel.
: >
: > b) The ASN path for all hijacks was:
: > 812 2828 7018 17231 17231 17231 17231 17231 17231 10913 22212 xxxx
: > [where xxxx is Israeli ISP ASN]
: >
: > AS22222 is Omaha Steaks in the US
:
: 22222? 22212 is in the path above? 22212 == internap though yea.
:
: > AS10913 is Internap in US
: > AS17231 is ATT-CERFNET in US
:
: att ens... ENS is ATT's being their datacenter arm no?
:
: >
: > As far as I know, Israel has not become a commonwealth of Omaha.
:
: omaha steaks actually is just a company that sells second rate meat...
: wrapped in bacon actually quite often.
:
: > Can this please be looked into?
:
: I'd ask JayB where/why these prefixes leaked from ENS -> 7018... I don't
: think he's on nsp-sec, but I can probably shuttle an email toward him if
: you'd like? (take the original, copy you, etc minus nsp-sec headers)
:
: -chris
:
: > Thanks,
: > Hank
: >
: >
: >
: > _______________________________________________
: > nsp-security mailing list
: > nsp-security at puck.nether.net
: > https://puck.nether.net/mailman/listinfo/nsp-security
: >
: > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
: > community. Confidentiality is essential for effective Internet security
: > counter-measures.
: > _______________________________________________
:
:
:
:
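
An added example, not part of the original thread or any poster's code: the quoted report describes more-specific prefixes that still carry the legitimate origin ASN at the end of a prepended path, so a check of the origin ASN alone would not flag them. The sketch below compares observed announcements against a per-origin baseline of prefixes and adjacent upstream ASNs; all ASNs, prefixes and function names are constructed (documentation ranges), and the baseline format is an assumption.

```python
import ipaddress

# Constructed baseline (documentation ASNs and prefixes, not from the thread):
# what each origin normally announces and which ASNs normally sit next to it.
BASELINE = {
    64500: {
        "prefixes": [ipaddress.ip_network(p)
                     for p in ("198.51.100.0/24", "203.0.113.0/24")],
        "upstreams": {64501, 64502},
    },
}

def collapse_prepends(as_path):
    """Parse 'A B B B C' into [A, B, C], dropping repeated (prepended) ASNs."""
    hops = []
    for asn in map(int, as_path.split()):
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops

def check_announcement(prefix, as_path, baseline=BASELINE):
    """Return a list of findings for one observed announcement."""
    net = ipaddress.ip_network(prefix)
    hops = collapse_prepends(as_path)
    known = baseline.get(hops[-1])  # last hop is the origin ASN
    if known is None:
        return ["unknown-origin"]
    findings = []
    if net not in known["prefixes"]:
        covered = any(net.version == k.version and net.subnet_of(k)
                      for k in known["prefixes"])
        findings.append("new-more-specific" if covered else "unexpected-prefix")
    # The hop next to the origin is where a customer acting as transit shows up.
    if len(hops) > 1 and hops[-2] not in known["upstreams"]:
        findings.append("unexpected-upstream")
    return findings

# Constructed observations shaped like the report: correct origin, prepended path.
OBSERVED = [
    ("203.0.113.0/24", "64510 64501 64500"),
    ("203.0.113.128/25", "64510 64511 64511 64511 64509 64508 64500"),
]

def scan(observed=OBSERVED):
    return {(p, path): check_announcement(p, path) for p, path in observed}

if __name__ == "__main__":
    for (prefix, path), findings in scan().items():
        print(prefix, path, findings or "ok")
```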