[nsp-sec] Internap+AT&T: Interesting prefix hijacking

Steven Orchard sorch at internap.com
Tue Jun 29 08:49:30 EDT 2010


I do... but if I advertise them a table, their other provider does not
filter by ASN/prefix (perhaps because they are sister companies), and
they have a configuration issue, there can be a route leak.

Steve



On Tue, 29 Jun 2010, Hank Nussbacher wrote:

: Date: Tue, 29 Jun 2010 15:46:53 +0300 (IDT)
: From: Hank Nussbacher <hank at efes.iucc.ac.il>
: To: Steven Orchard <sorch at internap.com>
: Cc: Chris Morrow <morrowc at ops-netman.net>, nsp-security at puck.nether.net
: Subject: Re: [nsp-sec] Internap+AT&T: Interesting prefix hijacking
: 
: On Tue, 29 Jun 2010, Steven Orchard wrote:
: 
: Thanks.  You don't do ASN or prefix filtering on your downstreams?
: 
: -Hank
: 
: > ----------- nsp-security Confidential --------
: > 
: > 
: > In catching up on email this morning, I am aware that one of our
: > downstream customers decided to act as a transit for a subset of the
: > internet.  While I cannot confirm, nor deny, any malicious intent, I know
: > that the situation was remedied upon notification.
: > 
: > Regards,
: > ---------------------------------------------------------------------------
: > Steven Orchard                                    Email: sorch at Internap.com
: > Sr. VP - Operations and Customer Service            Phone:   (404) 302-9867
: > Internap Network Services
: > 
: > ** The contents of this email message are confidential and proprietary. **
: > ---------------------------------------------------------------------------
: > 
: > 
: > 
: > 
: > On Tue, 29 Jun 2010, Chris Morrow wrote:
: > 
: > : Date: Tue, 29 Jun 2010 01:33:22 -0400
: > : Sender: nsp-security-bounces at puck.nether.net
: > : From: Chris Morrow <morrowc at ops-netman.net>
: > : To: nsp-security at puck.nether.net
: > : Subject: Re: [nsp-sec] Internap+AT&T: Interesting prefix hijacking
: > :
: > : On 06/29/10 01:23, Hank Nussbacher wrote:
: > : > Yesterday, at Jun 27 18:31:04 2010 GMT there was an interesting
: > : > hijacking going on which looks like a test run.  The following
: > : > prefixes were hijacked and announced:
: > : >
: > : > AS1680 82.166.110.0/24
: > : > ...only 1 AS1680- prefix hijacked...
: > : > AS5486 213.8.156.0/22
: > : > AS5486 213.8.122.0/23
: > : > ...60 more prefixes...
: > : > AS9116 83.130.144.0/20
: > : > AS9116 77.125.64.0/18
: > : > AS9116 77.127.0.0/18
: > : > AS9116 80.178.208.0/21
: > : > AS9116 80.230.128.0/18
: > : > AS9116 87.71.64.0/18
: > : > AS9116 84.228.32.0/19
: > : > AS9116 84.229.208.0/20
: > : > AS9116 87.69.64.0/18
: > : > AS9116 87.71.128.0/19
: > : > ...about 390 more AS9116 prefixes...
: > : >
: > : > There are two interesting aspects here:
: > : >
: > : > a) the prefixes announced were more specifics that were not being
: > : > announced previously by the ISP and therefore usurped traffic destined
: > : > to Israel.
: > : >
: > : > b) The ASN path for all hijacks was:
: > : > 812 2828 7018 17231 17231 17231 17231 17231 17231 10913 22212 xxxx
: > : > [where xxxx is Israeli ISP ASN]
: > : >
: > : > AS22222 is Omaha Steaks in the US
: > :
: > : 22222? 22212 is in the path above? 22212 == internap though yea.
: > :
: > : > AS10913 is Internap in US
: > : > AS17231 is ATT-CERFNET in US
: > :
: > : att ens... ENS is ATT's being their datacenter arm no?
: > :
: > : >
: > : > As far as I know, Israel has not become a commonwealth of Omaha.
: > :
: > : omaha steaks actually is just a company that sells second rate meat...
: > : wrapped in bacon actually quite often.
: > :
: > : > Can this please be looked into?
: > :
: > : I'd ask JayB where/why these prefixes leaked from ENS -> 7018... I don't
: > : think he's on nsp-sec, but I can probably shuttle an email toward him if
: > : you'd like? (take the original, copy you, etc minus nsp-sec headers)
: > :
: > : -chris
: > :
: > : > Thanks,
: > : > Hank
: > : >
: > : >
: > : >
: > : > _______________________________________________
: > : > nsp-security mailing list
: > : > nsp-security at puck.nether.net
: > : > https://puck.nether.net/mailman/listinfo/nsp-security
: > : >
: > : > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
: > : > community. Confidentiality is essential for effective Internet security
: > : > counter-measures.
: > : > _______________________________________________
: > :
: > :
: > :
: > 
: > 
: 
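
Added example (not part of the original thread, and not any participant's or provider's actual configuration): a sketch of the two checks the thread turns on, ASN/prefix filtering on a downstream session and spotting a new more-specific of an existing aggregate. The path and the /18 are taken from the report above; the customer prefix list, the AS set and the baseline aggregate are constructed assumptions.

```python
import ipaddress

# Path from the report, with "xxxx" filled by the origin listed for 77.125.64.0/18.
OBSERVED_PATH = "812 2828 7018 17231 17231 17231 17231 17231 17231 10913 22212 9116"

# Constructed assumptions: what the upstream would have registered for the
# downstream AS22212, and an aggregate AS9116 is assumed to announce normally.
CUSTOMER_ASNS = {22212}
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
BASELINE = [(ipaddress.ip_network("77.125.0.0/16"), 9116)]


def collapse_prepends(as_path):
    """Drop consecutive duplicate ASNs (prepending) from a space-separated path."""
    out = []
    for asn in map(int, as_path.split()):
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def downstream_accepts(prefix, as_path, allowed_prefixes, allowed_asns, max_len=24):
    """Ingress policy on a customer session: every ASN in the received path
    must be in the customer's AS set and the prefix inside a registered block."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > max_len:
        return False
    if not set(collapse_prepends(as_path)) <= allowed_asns:
        return False  # customer is passing on someone else's routes
    return any(net.subnet_of(p) for p in allowed_prefixes)


def new_more_specific(prefix, origin, baseline):
    """Return the baseline aggregate this announcement carves a more-specific
    out of, or None if it is the aggregate itself or unrelated."""
    net = ipaddress.ip_network(prefix)
    for agg, agg_origin in baseline:
        if agg_origin == origin and net != agg and net.subnet_of(agg):
            return agg
    return None


if __name__ == "__main__":
    print(collapse_prepends(OBSERVED_PATH))
    # What the upstream would see from the customer: "22212 9116"
    print(downstream_accepts("77.125.64.0/18", "22212 9116",
                             CUSTOMER_PREFIXES, CUSTOMER_ASNS))
    print(new_more_specific("77.125.64.0/18", 9116, BASELINE))
```
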