Re: Hunting for bogus BGP announcement for 204.106.93.155

2002-10-03 Thread Marshall Eubanks


We did _not_ see 204.106.93.155
here at AS 16517 in our multicast status
runs in either BGP or MBGP announcements - this means that Sprint and 
UUNet were not announcing it (nor was Internet2).

-- 
  Regards
  Marshall Eubanks



David G. Andersen wrote:

> On Thu, Oct 03, 2002 at 06:48:53PM +0200, Jesper Skriver mooed:
> 
>>On Thu, Oct 03, 2002 at 04:35:45PM +0100, [EMAIL PROTECTED]
>>wrote:
>>
>>
>>>For the last two days, between approximately 7pm to 2am Eastern
>>>time, a spammer hijacked a piece of our address space, presumably
>>>by announcing some size of aggregate containing the IP address
>>>204.106.93.155. During the time that the spammer had connectivity
>>>using this bogus announcement,
>>>
>>RIS didn't pick anything up
>>
>  Nor did our BGP monitors, nor our db of Routeviews.
> 
> http://bgp.lcs.mit.edu/
> 
> Interestingly, we see _no_ announcements of any netblock containing
> this address, ever.  I assume you haven't brought this address space
> on-line yet?
> 
>   -Dave
> 
> 




T.M. Eubanks
Multicast Technologies, Inc
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624   Fax : 703-293-9609
e-mail : [EMAIL PROTECTED]
http://www.multicasttech.com

Test your network for multicast :
http://www.multicasttech.com/mt/
  Status of Multicast on the Web  :
  http://www.multicasttech.com/status/index.html




Re: Hunting for bogus BGP announcement for 204.106.93.155

2002-10-03 Thread David G. Andersen


On Thu, Oct 03, 2002 at 06:48:53PM +0200, Jesper Skriver mooed:
> 
> On Thu, Oct 03, 2002 at 04:35:45PM +0100, [EMAIL PROTECTED]
> wrote:
> 
> > For the last two days, between approximately 7pm to 2am Eastern
> > time, a spammer hijacked a piece of our address space, presumably
> > by announcing some size of aggregate containing the IP address
> > 204.106.93.155. During the time that the spammer had connectivity
> > using this bogus announcement,
> 
> RIS didn't pick anything up
 
Nor did our BGP monitors, nor our db of Routeviews.

http://bgp.lcs.mit.edu/

Interestingly, we see _no_ announcements of any netblock containing
this address, ever.  I assume you haven't brought this address space
on-line yet?

  -Dave

-- 
work: [EMAIL PROTECTED]  me:  [EMAIL PROTECTED]
  MIT Laboratory for Computer Science   http://www.angio.net/
  I do not accept unsolicited commercial email.  Do not spam me.



Re: Hunting for bogus BGP announcement for 204.106.93.155

2002-10-03 Thread Jesper Skriver


On Thu, Oct 03, 2002 at 04:35:45PM +0100, [EMAIL PROTECTED]
wrote:

> For the last two days, between approximately 7pm to 2am Eastern
> time, a spammer hijacked a piece of our address space, presumably
> by announcing some size of aggregate containing the IP address
> 204.106.93.155. During the time that the spammer had connectivity
> using this bogus announcement,

RIS didn't pick anything up



/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Senior network engineer @ AS3292, TDC Tele Danmark

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.



Hunting for bogus BGP announcement for 204.106.93.155

2002-10-03 Thread Michael . Dillon


For the last two days, between approximately 7pm to 2am Eastern time, a 
spammer hijacked a piece of our address space, presumably by announcing 
some size of aggregate containing the IP address 204.106.93.155. During the time that 
the spammer had connectivity using this bogus 
announcement, they originated many spam messages for a porn website. 
Possibly, they also provided connectivity for the porn website during that 
time. And they probably also announced various other netblocks which you 
may be able to deduce by studying the emails posted to nanas here 


If anyone has some idle time this evening, and you happen to successfully 
traceroute to 204.106.93.155 then I would appreciate seeing a copy of that 
traceroute as well as a BGP dump with all of the routes announced by the 
AS containing this netblock.

At the current time we are not announcing the netblock containing this 
address but even if we were, the address is currently unassigned, i.e. a 
portscan would show it not in use, and therefore the hijacker could still 
successfully announce a longer prefix than us to use our address space.

If you are not filtering your inbound BGP sessions, then this spammer 
could be your customer. Or maybe this spammer is abusing the hospitality 
of your local Internet exchange.

I was originally alerted to this spam by a half dozen messages from 
spamcop and I've asked the spamcop folks to collect a traceroute as soon 
as they identify the spam so that we have a better chance of tracking down 
the rogue ISP/XP (or sloppy ISP/XP) that is letting these spammers announce 
bogus routes.

---
Michael Dillon
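The replies above describe checking route-collector data (RIS, Routeviews, a local BGP monitor) for any prefix covering the address, and the original post points out that a hijacker only needs to announce a longer prefix than the owner. The following is an added example of that check and is not code from this thread or from any of the posters: it parses a small route dump, lists every prefix covering a given address with the most specific first, and flags routes that are more specific than the owner's own prefix or that originate from an AS other than the expected one. The "prefix|AS path" dump format, the sample lines, and the AS numbers (taken from the RFC 5398 documentation range) are constructed; the own prefix and expected origin AS are hypothetical parameters.

```python
"""Find announcements covering an IP in a route dump and flag more-specific
or unexpected-origin routes.

Added example, not from the NANOG thread. The dump format ("prefix|AS path",
one route per line) and the sample lines are constructed for illustration;
the AS numbers are from the RFC 5398 documentation range."""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, List[int]]

# Constructed sample dump, as a route collector might export it after
# stripping everything but prefix and AS path. AS64496 is the collector's
# peer, AS64500 the legitimate owner, AS64511 an unexpected origin.
SAMPLE_DUMP = """\
# prefix|AS path (constructed)
204.106.0.0/16|64496 64497 64500
204.106.93.0/24|64496 64498 64511
10.0.0.0/8|64496 64499
204.106.64.0/19|64496 64497 64500
"""


def parse_dump(text: str) -> List[Route]:
    """Turn dump lines into (network, as_path) pairs; skips blanks/comments."""
    routes: List[Route] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, path = line.split("|", 1)
        as_path = [int(asn) for asn in path.split()]
        routes.append((ipaddress.ip_network(prefix, strict=False), as_path))
    return routes


def covering_routes(routes: List[Route], ip: str) -> List[Route]:
    """All routes whose prefix contains ip, most specific first (the order a
    router would prefer them in)."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, path) for net, path in routes if addr in net]
    hits.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return hits


def suspicious_routes(routes: List[Route], ip: str, own_prefix: str,
                      expected_origin: int) -> List[Tuple[str, int, str]]:
    """Flag covering routes that a prefix owner would want to look at:
    a more-specific inside own_prefix, or an origin AS that is not ours.
    Returns (prefix, origin_as, reasons) tuples."""
    own = ipaddress.ip_network(own_prefix)
    findings = []
    for net, path in covering_routes(routes, ip):
        origin = path[-1]  # rightmost AS in the path is the origin
        reasons = []
        if origin != expected_origin:
            reasons.append(f"origin AS{origin} != expected AS{expected_origin}")
        if net.prefixlen > own.prefixlen and net.subnet_of(own):
            reasons.append(f"more specific than our {own}")
        if reasons:
            findings.append((str(net), origin, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    routes = parse_dump(SAMPLE_DUMP)
    # Hypothetical owner parameters: our /19 aggregate, originated by AS64500.
    for prefix, origin, why in suspicious_routes(
            routes, "204.106.93.155", "204.106.64.0/19", 64500):
        print(f"{prefix} via AS{origin}: {why}")
```

Running it against the constructed dump reports only the /24, because it is both inside the owner's /19 and originated by a different AS; the /16 aggregate and the /19 itself are left alone. On a real collector export the same logic works on the prefix and AS-path columns; the gap this thread illustrates is that a collector with no peer near the hijacker (or a hijack aimed only at a local exchange) may show no covering announcement at all, which is why a traceroute from the receiving side was also requested.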