[nsp-sec] Internap+AT&T: Interesting prefix hijacking
Hank Nussbacher
hank at efes.iucc.ac.il
Tue Jun 29 08:46:53 EDT 2010
On Tue, 29 Jun 2010, Steven Orchard wrote:
Thanks. You don't do ASN or prefix filtering on your downstreams?
-Hank
> ----------- nsp-security Confidential --------
>
>
> In catching up on email this morning, I am aware that one of our
> downstream customers decided to act as a transit for a subset of the
> internet. While I cannot confirm, nor deny, any malicious intent, I know
> that the situation was remedied upon notification.
>
> Regards,
> ---------------------------------------------------------------------------
> Steven Orchard Email: sorch at Internap.com
> Sr. VP - Operations and Customer Service Phone: (404) 302-9867
> Internap Network Services
>
> ** The contents of this email message are confidential and proprietary. **
> ---------------------------------------------------------------------------
>
>
>
>
> On Tue, 29 Jun 2010, Chris Morrow wrote:
>
> : Date: Tue, 29 Jun 2010 01:33:22 -0400
> : Sender: nsp-security-bounces at puck.nether.net
> : From: Chris Morrow <morrowc at ops-netman.net>
> : To: nsp-security at puck.nether.net
> : Subject: Re: [nsp-sec] Internap+AT&T: Interesting prefix hijacking
> :
> : On 06/29/10 01:23, Hank Nussbacher wrote:
> : > Yesterday, at Jun 27 18:31:04 2010 GMT there was an interesting
> : > hijacking going on which looks like a test run. The following
> : > prefixes were hijacked and announced:
> : >
> : > AS1680 82.166.110.0/24
> : > ...only 1 AS1680- prefix hijacked...
> : > AS5486 213.8.156.0/22
> : > AS5486 213.8.122.0/23
> : > ...60 more prefixes...
> : > AS9116 83.130.144.0/20
> : > AS9116 77.125.64.0/18
> : > AS9116 77.127.0.0/18
> : > AS9116 80.178.208.0/21
> : > AS9116 80.230.128.0/18
> : > AS9116 87.71.64.0/18
> : > AS9116 84.228.32.0/19
> : > AS9116 84.229.208.0/20
> : > AS9116 87.69.64.0/18
> : > AS9116 87.71.128.0/19
> : > ...about 390 more AS9116 prefixes...
> : >
> : > There are two interesting aspects here:
> : >
> : > a) the prefixes announced were more specifics that were not being
> : > announced previously by the ISP and therefore usurped traffic destined
> : > to Israel.
> : >
> : > b) The ASN path for all hijacks was:
> : > 812 2828 7018 17231 17231 17231 17231 17231 17231 10913 22212 xxxx
> : > [where xxxx is Israeli ISP ASN]
> : >
> : > AS22222 is Omaha Steaks in the US
> :
> : 22222? 22212 is in the path above? 22212 == internap though yea.
> :
> : > AS10913 is Internap in US
> : > AS17231 is ATT-CERFNET in US
> :
> : att ens... ENS is ATT's being their datacenter arm no?
> :
> : >
> : > As far as I know, Israel has not become a commonwealth of Omaha.
> :
> : omaha steaks actually is just a company that sells second rate meat...
> : wrapped in bacon actually quite often.
> :
> : > Can this please be looked into?
> :
> : I'd ask JayB where/why these prefixes leaked from ENS -> 7018... I don't
> : think he's on nsp-sec, but I can probably shuttle an email toward him if
> : you'd like? (take the original, copy you, etc minus nsp-sec headers)
> :
> : -chris
> :
> : > Thanks,
> : > Hank
> : >
> : >
> : >
> : > _______________________________________________
> : > nsp-security mailing list
> : > nsp-security at puck.nether.net
> : > https://puck.nether.net/mailman/listinfo/nsp-security
> : >
> : > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> : > community. Confidentiality is essential for effective Internet security
> : > counter-measures.
> : > _______________________________________________
> :
> :
> :
> :
>
>
>
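
The announcements reported in this thread kept the legitimate origin ASN at the end of the path, so an origin-only check would not have flagged them; what stood out was new more-specifics and an unfamiliar AS next to the origin. The sketch below is an added example (not code from any poster or operator in the thread) that tests observed updates for those two signals after collapsing prepends; the covering aggregates and the upstream ASN 64500 in `BASELINE` are constructed assumptions, while the prefixes and AS path come from the quoted report.

```python
import ipaddress

# Constructed baseline: what each origin normally announces and through which
# direct upstreams. The covering aggregates and upstream ASN 64500 are
# assumptions for illustration, not data from the thread.
BASELINE = [
    ("77.125.0.0/16", 9116, {64500}),
    ("82.166.0.0/16", 1680, {64500}),
]

def collapse_prepends(as_path):
    """Drop consecutive duplicate ASNs so prepending does not hide adjacency."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def check_update(prefix, as_path, baseline=BASELINE):
    """Return a list of alert strings for one observed announcement."""
    net = ipaddress.ip_network(prefix)
    path = collapse_prepends(as_path)
    origin = path[-1]
    upstream = path[-2] if len(path) > 1 else None
    alerts = []
    # True when this exact prefix is already part of the normal announcements.
    exact = any(ipaddress.ip_network(p) == net for p, _, _ in baseline)
    for base_prefix, base_origin, upstreams in baseline:
        base = ipaddress.ip_network(base_prefix)
        if net.version != base.version or not net.subnet_of(base):
            continue
        if origin != base_origin:
            alerts.append(f"origin AS{origin} differs from AS{base_origin}")
        if net != base and not exact:
            alerts.append(f"new more-specific of {base}")
        if upstream not in upstreams:
            alerts.append(f"unexpected upstream AS{upstream} next to origin")
    return alerts

# Prefixes and AS path as quoted in the thread (xxxx replaced by the origin).
LEAK_PATH = [812, 2828, 7018] + [17231] * 6 + [10913, 22212]
OBSERVED = [
    ("77.125.64.0/18", LEAK_PATH + [9116]),
    ("82.166.110.0/24", LEAK_PATH + [1680]),
    ("77.125.0.0/16", [64500, 9116]),  # constructed normal announcement
]

if __name__ == "__main__":
    for prefix, path in OBSERVED:
        print(prefix, check_update(prefix, path) or "ok")
```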