[nsp-sec] Internap+AT&T: Interesting prefix hijacking

Steven Orchard sorch at internap.com
Tue Jun 29 10:30:51 EDT 2010


I think you are reading the path backwards... and it seems you are
digging for failure.  If you would like to discuss in person, please
feel free to call my number in the sig.

If you reverse the path you will find the following:

<Israeli ISP ASN> <INAP Backbone> <INAP edge ASN> <INAP downstream
customer> <INAP down-stream's other provider> <NSP peering>
<world/downstream/peer/who knows>

So the ISP advertises to my backbone, which I advertise to my downstream
at my edge, who then leaked to their provider, who passed it along to
the world.

And no I do not control the ASN registration of my downstream customer,
as I do not provide them.  And no, there is no hiding going on, just a
lack of understanding.

Best,
Steve


---------------------------------------------------------------------------
Steven Orchard                                    Email: sorch at Internap.com
Sr. VP - Operations and Customer Service            Phone:   (404) 302-9867
Internap Network Services                              

** The contents of this email message are confidential and proprietary. **
---------------------------------------------------------------------------




On Tue, 29 Jun 2010, Hank Nussbacher wrote:

: Date: Tue, 29 Jun 2010 17:02:23 +0300 (IDT)
: Sender: nsp-security-bounces at puck.nether.net
: From: Hank Nussbacher <hank at efes.iucc.ac.il>
: To: Steven Orchard <sorch at internap.com>
: Cc: nsp-security at puck.nether.net
: Subject: Re: [nsp-sec] Internap+AT&T: Interesting prefix hijacking
: 
: ----------- nsp-security Confidential --------
: 
: On Tue, 29 Jun 2010, Steven Orchard wrote:
: 
: Incidentally, you state that a downstream customer was to blame - but AS22212
: points to:
: OrgName:    Internap Network Services Corporation
: OrgID:      PNAP
: Address:    250 Williams Street
: Address:    Suite E100
: City:       Atlanta
: StateProv:  GA
: PostalCode: 30303
: Country:    US
: 
: You don't register the true name of your downstream customer ASNs?  Or is the
: culprit hiding behind Internap on purpose?
: 
: -Hank
: 
: > ----------- nsp-security Confidential --------
: > 
: > 
: > In catching up on email this morning, I am aware that one of our
: > downstream customers decided to act as a transit for a subset of the
: > internet.  While I cannot confirm, nor deny, any malicious intent, I know
: > that the situation was remedied upon notification.
: > 
: > Regards,
: > ---------------------------------------------------------------------------
: > Steven Orchard                                    Email: sorch at Internap.com
: > Sr. VP - Operations and Customer Service            Phone:   (404) 302-9867
: > Internap Network Services
: > 
: > ** The contents of this email message are confidential and proprietary. **
: > ---------------------------------------------------------------------------
: > 
: > 
: > 
: > 
: > On Tue, 29 Jun 2010, Chris Morrow wrote:
: > 
: > : Date: Tue, 29 Jun 2010 01:33:22 -0400
: > : Sender: nsp-security-bounces at puck.nether.net
: > : From: Chris Morrow <morrowc at ops-netman.net>
: > : To: nsp-security at puck.nether.net
: > : Subject: Re: [nsp-sec] Internap+AT&T: Interesting prefix hijacking
: > :
: > : ----------- nsp-security Confidential --------
: > :
: > : On 06/29/10 01:23, Hank Nussbacher wrote:
: > : > ----------- nsp-security Confidential --------
: > : >
: > : > Yesterday, at Jun 27 18:31:04 2010 GMT there was an interesting
: > : > hijacking going on which looks like a test run.  The following
: > : > prefixes were hijacked and announced:
: > : >
: > : > AS1680 82.166.110.0/24
: > : > ...only 1 AS1680- prefix hijacked...
: > : > AS5486 213.8.156.0/22
: > : > AS5486 213.8.122.0/23
: > : > ...60 more prefixes...
: > : > AS9116 83.130.144.0/20
: > : > AS9116 77.125.64.0/18
: > : > AS9116 77.127.0.0/18
: > : > AS9116 80.178.208.0/21
: > : > AS9116 80.230.128.0/18
: > : > AS9116 87.71.64.0/18
: > : > AS9116 84.228.32.0/19
: > : > AS9116 84.229.208.0/20
: > : > AS9116 87.69.64.0/18
: > : > AS9116 87.71.128.0/19
: > : > ...about 390 more AS9116 prefixes...
: > : >
: > : > There are two interesting aspects here:
: > : >
: > : > a) the prefixes announced were more specifics that were not being
: > : > announced previously by the ISP and therefore usurped traffic destined
: > : > to Israel.
: > : >
: > : > b) The ASN path for all hijacks was:
: > : > 812 2828 7018 17231 17231 17231 17231 17231 17231 10913 22212 xxxx
: > : > [where xxxx is Israeli ISP ASN]
: > : >
: > : > AS22222 is Omaha Steaks in the US
: > :
: > : 22222? 22212 is in the path above? 22212 == internap though yea.
: > :
: > : > AS10913 is Internap in US
: > : > AS17231 is ATT-CERFNET in US
: > :
: > : att ens... ENS is ATT's being their datacenter arm no?
: > :
: > : >
: > : > As far as I know, Israel has not become a commonwealth of Omaha.
: > :
: > : omaha steaks actually is just a company that sells second rate meat...
: > : wrapped in bacon actually quite often.
: > :
: > : > Can this please be looked into?
: > :
: > : I'd ask JayB where/why these prefixes leaked from ENS -> 7018... I don't
: > : think he's on nsp-sec, but I can probably shuttle an email toward him if
: > : you'd like? (take the original, copy you, etc minus nsp-sec headers)
: > :
: > : -chris
: > :
: > : > Thanks,
: > : > Hank
: > : >
: > : >
: > : >
: > : > _______________________________________________
: > : > nsp-security mailing list
: > : > nsp-security at puck.nether.net
: > : > https://puck.nether.net/mailman/listinfo/nsp-security
: > : >
: > : > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
: > : > community. Confidentiality is essential for effective Internet security
: > : > counter-measures.
: > : > _______________________________________________
: > :
: > :
: > :
: > :
: > 
: > 
: > 
: 
: 
: 
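
The path reading described in the top reply, as an added example that is not part of the original thread: it reverses the quoted AS path into propagation order, collapses the prepends, and applies a valley-free check at each hop. The roles given to 10913 and 7018 relative to 17231 are assumptions taken from the position of each ASN in that reading, and "xxxx" is the thread's own placeholder for the Israeli ISP ASN.

```python
# AS path exactly as quoted in the thread (nearest AS first, origin last).
OBSERVED_PATH = "812 2828 7018 17231 17231 17231 17231 17231 17231 10913 22212 xxxx"

# Assumption (not confirmed by the thread): mapping the reply's role list onto
# the path by position makes 10913 and 7018 both providers of 17231.
PROVIDERS_OF = {"17231": {"10913", "7018"}}
PEERS_OF = {}  # no peer relationships are assumed for this path


def propagation_order(as_path):
    """Return the hops in the order the route travelled: origin first,
    observer last, with consecutive duplicates (prepending) collapsed."""
    hops = []
    for asn in reversed(as_path.split()):
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops


def neighbour_role(asn, neighbour):
    """What `neighbour` is to `asn`, or None when unknown (or a customer)."""
    if neighbour in PROVIDERS_OF.get(asn, ()):
        return "provider"
    if neighbour in PEERS_OF.get(asn, ()):
        return "peer"
    return None


def find_leaks(as_path):
    """Flag every AS that re-exported a route learned from a provider or peer
    to another provider or peer (a valley in the path, i.e. a route leak)."""
    hops = propagation_order(as_path)
    leaks = []
    for learned_from, asn, exported_to in zip(hops, hops[1:], hops[2:]):
        upstream = ("provider", "peer")
        if (neighbour_role(asn, learned_from) in upstream
                and neighbour_role(asn, exported_to) in upstream):
            leaks.append((asn, learned_from, exported_to))
    return leaks


if __name__ == "__main__":
    print(" -> ".join(propagation_order(OBSERVED_PATH)))
    for asn, src, dst in find_leaks(OBSERVED_PATH):
        print(f"AS{asn} exported a route learned from AS{src} to AS{dst}")
```
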


