Re: IP Hijacking For Dummies

2017-06-05 Thread Ronald F. Guilmette

In message 

Re: IPv4 Hijacking For Idiots

2017-06-05 Thread valdis . kletnieks
On Mon, 05 Jun 2017 18:04:54 -0700, "Ronald F. Guilmette" said:

> So you're saying that whichever criminal is behind this stuff, that he
> maybe could have pulled it all off for the astounding and impressive
> sum of zero dollars and zero cents ($0.00) ?
>
> (Well, I guess that's not quite accurate.  I guess that he at least had
> to pay for the cost of re-registering the wirelessnetbg.info domain name.

Anybody who didn't just fall out of a tree will use a stolen but still
functional credit card for that.  So yeah, it's zero money out of their own
pocket.




Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette

In message 
William Herrin  wrote:

>You actually got lost a couple steps back.
>
>First, you want to control the POC emails for the IP addresses. Controlling
>just the POC emails for the AS number won't do you any good.

Ummm... in this case there doesn't seem to be any reason to believe
that the hijacker(s) have gotten anywhere near to controlling the POC
emails for any, let alone -all- of the relevant (Colombian) IP blocks...
only the POC emails for the ASN.

But you are suggesting that they -did- get control of those, all essentially
simultaneously (or anyway sometime during the past 2 months), for all
of about five or six or seven separate and different Colombian entities.

That theory would seem to fail the Occam's razor test.  It just doesn't
seem at all likely.

>Let's say you have gained control of the POC emails for the IP address
>block. Stay completely away from the historical BGP peers. They might know
>the real registrant and get suspicious when you show up.

Good point!  I'll have to remember to put that in the book. :-)

>Go to somebody
>else, dummy up some letterhead for the purported registrant and write
>yourself a letter authorizing the ISP to whom the letter is presented to
>route those IP addresses. Explain that you're a networking contractor
>working for the organization holding the registration and give them
>adequate contact information for yourself: postal address, email, phone.
>Not "1234 Main, box 30" but "1234 Main, Suite 30". Paid for with the
>cash-bought debit card. You get the idea.

Yes.  The whole general identity theft ruse isn't that complicated to
understand.  I still don't get how these crooks managed to get past
that ocular biometric scan, but I guess the check cleared, so maybe
that goes a long way towards explaining -that- mystery. :-)

>Then you pay the ISP to connect you to the Internet and present your
>letter. Until the inevitable complaints roll in, that's it: you have
>control of those IP addresses.

I guess that I must be hopelessly naive to believe that the likes of
either Hurricane or Level3 might employ some warm body, at least part
time, to actually look for this kind of blatant gibberish, and flag
it for further inquiry when it arises.  I would volunteer to do the
job for them if they would just keep me in Cheetos.  (Cheetos are my
new favorite snack ever since last November's election. :-)

>> I've read article after article after article bemoaning the fact that
>> "BGP isn't secure",
>
>They're talking about a different problem: ISPs are supposed to configure
>end-user BGP sessions per BCP38 which limits which BGP announcements the
>customer can make. Some ISPs are sloppy and incompetent and don't do this.

Yea.  I kinda thought that most or all of the very public hand-wringing
over the "insecurity" of BGP was indeed about this other aspect of the
problem.  But I just wanted to be sure that I was clear in my own mind
about this.  The insecurity -isn't- that any Joe Blow can just willy nilly
connect up to any router on the Internet and push bogus routes into it.
The insecurity is only that people/entities you know, trust, and have
actual business relationships with can (and apparently do), in many cases, 
pass goofy stuff to you, and if you are not fastidious enough about washing
up after such contacts, then you pass those bits of nonsense along to
everybody else who you have relationships with...  sort-of like chlamydia.


Regards,
rfg


Re: IP Hijacking For Dummies

2017-06-05 Thread Aftab Siddiqui
Same mobile number (+92-304-4000736) and address are
listed here for Blue Angel Hosting with only 1 peer AS206776.

aut-num:AS206349
as-name:blueangelhost
org:ORG-BPL5-RIPE
sponsoring-org: ORG-HGC2-RIPE
import: from AS206776 accept ANY
export: to AS206776 announce AS206349
import: from AS57344 accept ANY
export: to AS57344 announce AS206349
admin-c:SS30461-RIPE
tech-c: SS30461-RIPE
remarks:For information on "status:" attribute read
https://www.ripe.net/data-tools/db/faq/faq-status-values-legacy-resources
status: ASSIGNED
mnt-by: RIPE-NCC-END-MNT
mnt-by: blueangelhost
mnt-routes: blueangelhost
created:2017-02-08T10:44:15Z
last-modified:  2017-02-08T10:44:15Z
source: RIPE

organisation:   ORG-BPL5-RIPE
org-name:   BlueAngelHost Pvt. Ltd
org-type:   OTHER
address:HOUSE NO 173 STREET NO 4 BLOCK E YOHANA ABAD, FEROZ
PUR ROAD, LAHORE, PAKISTAN
abuse-c:ACRO1320-RIPE
mnt-ref:MNT-NETERRA
mnt-ref:AZ39139-MNT
mnt-ref:MNT-LIR-BG
mnt-by: blueangelhost
created:2016-10-21T17:23:02Z
last-modified:  2016-11-01T21:03:31Z
source: RIPE # Filtered

person: Sunil Shahzad
address:HOUSE NO 173 STREET NO 4 BLOCK E YOHANA ABAD, FEROZ
PUR ROAD, LAHORE, PAKISTAN
phone:  +92-304-4000736
nic-hdl:SS30461-RIPE
mnt-by: blueangelhost
created:2016-10-21T17:19:19Z
last-modified:  2016-10-21T17:19:19Z
source: RIPE


On Tue, 6 Jun 2017 at 09:48 Ronald F. Guilmette 
wrote:

>
> Late last night, I put together the following simple annotated listing of
> the routes being announced by AS34991.
>
> Beyond the quite apparent fact that this "Bulgarian" network is announcing
> a bunch of routes for blocks of IPv4 space allocated to various parties
> within the nation of Colombia (including the National University thereof)
> the other thing that struck me about this was the apparent relevance of
> a company called "host-offshore.com".
>
> Looking at the web site for that, it provides only a single contact
> phone number which is unambiguously a -Pakistani- phone number.  But
> of course, that makes perfect sense, because Pakistan is just down the
> street from Bulgaria (NOT!)
>
> It did also strike me as passing strange that this company has apparently
> elected to not actually put its own web server, name servers, or mail
> server anywhere within its own duly allocated IPv4 blocks.
>
> Things got even a bit more interesting when I tried to actually order a
> server from this company.  Apparently, all of their virtual servers
> are "sold out".  However... and please, somebody check me on this...
> I guess that all of the browsers on all of the platforms I have ready
> access to are broken or something, because try as I might, I could never
> quite succeed at reaching any page on this company's web site where I
> could order up -any- kind of server, virtual, dedicated, or otherwise.
>
> So, you know, this hosting company appears somewhat unique and unusual,
> at least from where I am sitting, in the sense that it is perhaps the
> only such "hosting" company that I've ever run across in my travels that
> doesn't actually have -anything- for sale.
>
> Personally, I don't really give a rat's ass if this site is just a cover
> for some inept criminals, or for Pakistani ISI, or for the FSB, or for
> some of Putin's patriots, or even if it belongs to the NSA.  But I cannot
> help but bemoan the fact that here we are, and it is 2017 already, and
> yet, whichever bunch of lame-ass jerks are in fact behind this thing,
> apparently aren't even capable of slapping together a cover web site
> that is more than just some entirely shallow and not very effective false
> front.
>
> As a researcher and student of such things, I just think that by now,
> in 2017, we should have a somewhat more skilled class of frauds, rogues,
> criminals and spies on the Internet.  I mean this is just baby stuff,
> and it only takes a couple of minutes and few clicks to see past such
> transparent gibberish.
>
> So c'mon all ye criminals, rogues and spies!  You need to up your game
> fer cryin' out loud!  At least present us with something a bit more
> challenging than -this- kind of very superfluous crap.  I mean, have you
> no self-respect?
>
> Gssshhh!
>
>
> Regards,
> rfg
>
>
>
> ===
> 79.124.77.0/24  -- Bulgaria -- host-offshore.com
> 82.118.233.0/24 -- Bulgaria -- wirelessnetbg.info
> 91.92.144.0/24  -- Bulgaria -- host-offshore.com
> 130.185.254.0/24 -- Belize? -- host-offshore.com (formerly routed by
> Verdina)
> 152.204.132.0/24 -- Colombia
> 152.204.133.0/24 -- Colombia
> 152.231.25.0/24 -- Colombia
> 152.231.28.0/24 -- Colombia
> 168.176.187.0/24 -- Colombia, National University of
> 168.176.192.0/24 -- 

Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette

In message 
Christopher Morrow  wrote:

>most times i've seen isp DIA links bgp was 'free' or had been..
>
>> talking about the cost of adding an upstream BGP session.
>
>ok. so either free or some up-charge by the isp.

Wait a minute.  I just wanna make sure that I am getting this.

So you're saying that whichever criminal is behind this stuff, that he
maybe could have pulled it all off for the astounding and impressive
sum of zero dollars and zero cents ($0.00) ?

(Well, I guess that's not quite accurate.  I guess that he at least had
to pay for the cost of re-registering the wirelessnetbg.info domain name.
I don't know what .info domains cost anymore, but the last time I looked
you could get one of those for less than ten bucks.  I suppose that Internet
criminals everywhere will be greatly heartened by the low cost of entry
into this game.  I'm guessing that it probably costs much much more to
become an Amway distributor, for example.  Even second-story men have to
invest more than this for a set of appropriate tools.)


Regards,
rfg


Re: IPv4 Hijacking For Idiots

2017-06-05 Thread William Herrin
On Mon, Jun 5, 2017 at 6:56 AM, Ronald F. Guilmette 
wrote:

> So, I guess then, if you're clever, you look and see who the ASN you've
> just successfully hijacked has historically peered with, and then you
> somehow arrange to send route announcements to those guys, right?
> (I'm talking about AS206776 and AS57344 here, BTW.)
>
> But see, this is where I get lost.  I mean how do you push your route
> announcements to these guys?


Hi Ron,

You actually got lost a couple steps back.

First, you want to control the POC emails for the IP addresses. Controlling
just the POC emails for the AS number won't do you any good.

Let's say you have gained control of the POC emails for the IP address
block. Stay completely away from the historical BGP peers. They might know
the real registrant and get suspicious when you show up. Go to somebody
else, dummy up some letterhead for the purported registrant and write
yourself a letter authorizing the ISP to whom the letter is presented to
route those IP addresses. Explain that you're a networking contractor
working for the organization holding the registration and give them
adequate contact information for yourself: postal address, email, phone.
Not "1234 Main, box 30" but "1234 Main, Suite 30". Paid for with the
cash-bought debit card. You get the idea.

Then you pay the ISP to connect you to the Internet and present your
letter. Until the inevitable complaints roll in, that's it: you have
control of those IP addresses.



> (I don't actually know that much about
> how BGP actually works in practice, so please bear with me.)  How do
> you know what IP address to send your announcements to?


You don't. Even if the session wasn't disabled when the customer stopped
paying, you're not physically connected to the same network interface where
it was configured. This reasoning path is a dead end.


> I've read article after article after article bemoaning the fact that
> "BGP isn't secure",


They're talking about a different problem: ISPs are supposed to configure
end-user BGP sessions per BCP38 which limits which BGP announcements the
customer can make. Some ISPs are sloppy and incompetent and don't do this.
Unfortunately, once you're a level or two upstream the backbone ISP
actually can't do much to limit the BGP announcements because it's often
impractical to determine whether a block of IP addresses can legitimately
be announced from a given peer.

Regards,
Bill Herrin




-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


IP Hijacking For Dummies

2017-06-05 Thread Ronald F. Guilmette

Late last night, I put together the following simple annotated listing of
the routes being announced by AS34991.

Beyond the quite apparent fact that this "Bulgarian" network is announcing
a bunch of routes for blocks of IPv4 space allocated to various parties
within the nation of Colombia (including the National University thereof)
the other thing that struck me about this was the apparent relevance of
a company called "host-offshore.com".

Looking at the web site for that, it provides only a single contact
phone number which is unambiguously a -Pakistani- phone number.  But
of course, that makes perfect sense, because Pakistan is just down the
street from Bulgaria (NOT!)

It did also strike me as passing strange that this company has apparently
elected to not actually put its own web server, name servers, or mail
server anywhere within its own duly allocated IPv4 blocks.

Things got even a bit more interesting when I tried to actually order a
server from this company.  Apparently, all of their virtual servers
are "sold out".  However... and please, somebody check me on this...
I guess that all of the browsers on all of the platforms I have ready
access to are broken or something, because try as I might, I could never
quite succeed at reaching any page on this company's web site where I
could order up -any- kind of server, virtual, dedicated, or otherwise.

So, you know, this hosting company appears somewhat unique and unusual,
at least from where I am sitting, in the sense that it is perhaps the
only such "hosting" company that I've ever run across in my travels that
doesn't actually have -anything- for sale.

Personally, I don't really give a rat's ass if this site is just a cover
for some inept criminals, or for Pakistani ISI, or for the FSB, or for
some of Putin's patriots, or even if it belongs to the NSA.  But I cannot
help but bemoan the fact that here we are, and it is 2017 already, and
yet, whichever bunch of lame-ass jerks are in fact behind this thing,
apparently aren't even capable of slapping together a cover web site
that is more than just some entirely shallow and not very effective false
front.

As a researcher and student of such things, I just think that by now,
in 2017, we should have a somewhat more skilled class of frauds, rogues,
criminals and spies on the Internet.  I mean this is just baby stuff,
and it only takes a couple of minutes and few clicks to see past such
transparent gibberish.

So c'mon all ye criminals, rogues and spies!  You need to up your game
fer cryin' out loud!  At least present us with something a bit more
challenging than -this- kind of very superfluous crap.  I mean, have you
no self-respect?

Gssshhh!


Regards,
rfg



===
79.124.77.0/24  -- Bulgaria -- host-offshore.com
82.118.233.0/24 -- Bulgaria -- wirelessnetbg.info
91.92.144.0/24  -- Bulgaria -- host-offshore.com
130.185.254.0/24 -- Belize? -- host-offshore.com (formerly routed by Verdina)
152.204.132.0/24 -- Colombia
152.204.133.0/24 -- Colombia
152.231.25.0/24 -- Colombia
152.231.28.0/24 -- Colombia
168.176.187.0/24 -- Colombia, National University of
168.176.192.0/24 -- Colombia, National University of
168.176.194.0/24 -- Colombia, National University of
168.176.218.0/24 -- Colombia, National University of
168.176.219.0/24 -- Colombia, National University of
179.1.71.0/24 -- Colombia
181.57.40.0/24 -- Colombia
186.113.13.0/24 -- Colombia
186.113.15.0/24 -- Colombia
186.147.230.0/24 -- Colombia
190.90.31.0/24 -- Colombia
190.90.88.0/24 -- Colombia
200.1.65.0/24 -- Colombia
200.14.44.0/24 -- Colombia
200.24.3.0/24 -- Colombia
200.24.5.0/24 -- Colombia



Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette

In message 
Christopher Morrow  wrote:

>that doesn't seem to be what's happening in ron's example though...
>
>it looks, to me, like the example ron has is more a case of:
>  1) register contacts for lost asn (AS34991)
>  2) setup equipment/etc at an IX (bulgaria-ix it seems, at least) with
>another shill/lost-child asn (AS206776)

I'm perplexed at why you would call AS206776 a "lost child", so perhaps
you could explain that.  From where I'm sitting, it does look rather
entirely dodgy... being (allegedly) located as it is in the British
Virgin Islands, and having only been created (manufactured?) circa
2016-11-04.  But bgp.he.net is showing that it has 35 peers, and that
it is peering even with the likes of big boys like HE.net and Level3,
just to name a few.

>  3) start doing the bgps with the IX fabric's route-server

Yeabut again, I personally would like to be enlightened about the basic
mechanics of how one causes this to happen.  If I am Joe Blow criminal
and I somehow manage to finagle my way into having a machine which is
physically present within some IX at some locale, somewhere on planet
earth, then does that mean that, by definition, I know -where- to inject
bogus routes and -how- to inject bogus routes and that I have the
-capability- to inject bogus routes into the kind of "fabric route
server" you speak of?

And by the way, I see now that I botched the Subject: for this thread
that I started.  I meant to say "IP Hijacking for Dummies".  Obviously,
this activity has become so popular that it is high time that somebody
wrote one of those "XYZ for Dummies" books, you know, with the yellow
and black covers, so that aspiring but ignorant criminals don't have to
always start from scratch and learn how to do this stuff from the ground up,
based just on piecing together little scraps and fragments of information
scattered all over the Internet.

>  4) profit (or something)

Yea.  I don't think that hijackers are doing this stuff just for fun.
But they've already figured out how to MAKE MONEY FAST from the purloined
IP space, so that part probably doesn't even need to go in the book.

>err, you'll have to better explain this I think.
>
>Are you saying: "get an ASN from RIR that costs 100USD" (might, probably
>does)
>
>this doesn't get you a peering/transit contract though...

Yea, this is a part of what I'm still mystified about.

Have AS206776 and AS57344 been paid to pass the routes given to them
by AS34991 ?  And have they been paid an extra premium, above and beyond
the normal fee for this service, you know, to look the other way and
do the old Muhammad Ali rope-a-dope and act stupid/innocent when and
if anybody ever calls them out for this rather entirely blatant and
brazen bogosity?

I've seen this movie before, and not that long ago.  And it's just not
nearly as entertaining the second time around.  The upstreams shrug and
offer the lame excuse of "Oh... well... the routes are all properly
registered in the RIPE route registry, so, you know, how could we have
possibly known that anything was amiss?"  But as I learned last time
this lame excuse was used, any baboon with a keyboard and a pulse can
get himself a RIPE account and then create all of the bogus route objects
he or she desires.  And since it took me less than a day to find out this
ludicrous but true fact last time, I have to wonder if network operators,
and particularly those in the RIPE region, are in some cases being
-willfully ignorant- of the fact that a route object's presence within
the RIPE data base has a reliability value roughly equal to that of a
three dollar bill.


Regards,
rfg


P.S.  I'll be more than happy to take it upon myself... even being the
basically unknown nobody and non-network-operator that I am... to send
polite emails to both AS206776 and AS57344, asking them, as politely as
I can manage, to please explain just WTF they think they are doing.  But
if past experience from the last such event is any guide, these emails
will have no effect whatsoever.  So that leads me to ask the obvious
next question:  Is it at all likely that anybody at, say, HE.net and/or
Level3 might give enough of a damn about any of this ludicrous and clearly
malevolent bogosity so that they might actually be inclined to have a
friendly word with the folks at AS206776 and AS57344?  And if so, how
might I get in touch with any such people (at HE and/or Level3)?


IPv6 traffic percentages?

2017-06-05 Thread Bajpai, Vaibhav
Hello,

> nanog-isp at mail.com nanog-isp at mail.com 
> Wed Jan 20 12:14:42 UTC 2016
> 
> Hello all,
> 
> Would those with IPv6 deployments kindly share some statistics on their 
> percentage of IPv6 traffic?
> Bonus points for sharing top IPv6 sources. Anything else than the usual 
> suspects, Google/YouTube, Netflix and Facebook?
> 
> Some public information I've found so far:
> - Comcast around 25% IPv6 traffic 
> (http://www.lightreading.com/ethernet-ip/ip-protocols-software/facebook-ipv6-is-a-real-world-big-deal/a/d-id/718395)
> - Comcast has over 1 Tb/s (of mostly YouTube traffic) over IPv6 
> (http://corporate.comcast.com/comcast-voices/comcast-reaches-key-milestone-in-launch-of-ipv6-broadband-network)
> - Swisscom 26% IPv6 traffic, 60% YouTube 
> (http://www.swinog.ch/meetings/swinog27/p/01_Martin_Gysi.pdf)
> 
> I'd be very much interested in hearing from smaller ISPs, especially those 
> having a very limited number of IPv4 addresses and/or running out. 
> 
> Thanks,
> Jared

The v6 numbers from ^ NANOG post are now more than 1 year old. Thought 
to re-bump this thread. Would it be possible to share updated numbers 
of v6 traffic share within your network and % contribution by top apps.

Thanks a bunch!

-- Vaibhav

--
Vaibhav Bajpai
www.vaibhavbajpai.com

Postdoctoral Researcher
TU Munich, Germany
--

Anyone Competent within ATT ASE (On Demand)?

2017-06-05 Thread Nick W
I have an ASEOD change order (disconnect from EVC, then add to new EVC)
that is effectively stuck and has taken 4 of my circuits down. I'm unable
to initiate new changes to the affected circuits. I've got 2 tickets open,
escalated to level 6, spoken with 2 different ENOC people, and no one seems
to be able to do anything or help me, and no one knows how to get a hold of
anyone that can actually work on On Demand circuits. Been at this for 12
hours now...

This network automation stuff is fun, eh? Except when you outsource the
people that fix it, and they apparently don't work on weekends... or don't
exist at all.


Thanks,
Nick


Re: NANOG70 tee shirt mystery

2017-06-05 Thread Jon Sevier
It's a play on Pearl Jam's "Ten" album cover as best as I can tell.

-Jon

On Jun 4, 2017 16:57, "Matthew Petach"  wrote:

> So, I've been staring at the NANOG70 tee shirt for
> a bit now:
>
> https://flic.kr/p/VejX5y
>
> and I have to admit, I'm a bit stymied.
>
> Usually, the tee-shirts are somewhat referential
> to the location or to a particular event; but this
> one is leaving me scratching my head.
>
> Is it perhaps a shot of the network engineering
> "Ooops (I broke the network again)"  concert
> tour?
>
> Or is there some other cultural reference at
> play that I'm not aware of?
>
> Enquiring minds want to know!(tm).  :)
>
> Matt
>


India Data Center Contacts

2017-06-05 Thread Gabe Cole
I am trying to track down contacts at the following data centers in India
if anyone can help.


   1. Net4
   2. NetMagic
   3. Ricoh


-- 
G. Gabriel Cole
*RTE Group, Inc.*
*Strategic Consulting for Mission Critical Infrastructure*
56 Woodridge Rd
Wellesley, MA 02482
US +1-617-303-8707
fax +1-781-209-5577
www.rtegroup.com
g...@rtegroup.com
skype:  ggabrielcole
Twitter:  @DataCenterGuru
Linked In:  http://www.linkedin.com/in/gabecole
Blog:  http://datacenterguru.blogspot.com/



Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Christopher Morrow
On Mon, Jun 5, 2017 at 12:28 PM, Mel Beckman  wrote:

> Chris,
>
> I didn’t research Ron’s specific example. I was speaking in generalities.
> I’m assuming any BGP hijacker already has two or more DIA connections. It
> only costs $100 to add BGP peering to that setup. Yes, they will need an
> ASN. I was only
>

most times i've seen isp DIA links bgp was 'free' or had been..


> talking about the cost of adding an upstream BGP session.
>

ok. so either free or some up-charge by the isp.


>
>  -mel
>
>
> On Jun 5, 2017, at 9:03 AM, Christopher Morrow 
> wrote:
>
>
>
> On Mon, Jun 5, 2017 at 7:05 AM, Mel Beckman  wrote:
>
>> One way is for the hijacker to simply peer with himself. The hijacker has
>> an existing peering arrangement with, say, AT&T. He then tells AT&T that he
>> will be transit for AS advertising XYZ routes, by dint of a cheerfully
>> forged LOA. Once filters have been updated, the hijacker advertises the
>> space to himself, and then from thence to AT&T.
>>
>
> that doesn't seem to be what's happening in ron's example though...
>
> it looks, to me, like the example ron has is more a case of:
>   1) register contacts for lost asn (AS34991)
>   2) setup equipment/etc at an IX (bulgaria-ix it seems, at least) with
> another shill/lost-child asn (AS206776)
>   3) start doing the bgps with the IX fabric's route-server
>   4) profit (or something)
>
> so here the IXP operator (balkans ix actually?)
>   http://lg.bix.bg/?query=summary==rs1.bix.bg+%28IPv4%29
>   (search for 206776 -> http://lg.bix.bg/?query=
> bgp=neighbors+193.169.198.191=rs1.bix.bg+(IPv4))
>
> should probably look more than just side-eyes at their customer...
>
>
>>
>> It's no great trick getting peering set up. Just fill out a ten-question
>> BGP app and pay a one-time fee of maybe $100, and you're done.
>>
>
> err, you'll have to better explain this I think.
>
> Are you saying: "get an ASN from RIR that costs 100USD" (might, probably
> does)
>
> this doesn't get you a peering/transit contract though...
>
> -chris
>
>
>>
>>  -mel beckman
>>
>> > On Jun 5, 2017, at 3:56 AM, Ronald F. Guilmette 
>> wrote:
>> >
>> >
>> > The more I know, the less I understand.
>> >
>> > Maybe some of you kind folks can help.
>> >
>> > Please explain for me the following scenario, and how this all actually
>> > works in practice.
>> >
>> > Let's say that you're a malevolent Bad Actor and all you want to do is
>> > to get hold of some ASN that nobody is watching too closely, and then
>> > use that to announce some routes to some IPv4 space that nobody is
>> > watching too closely, so that you can then parcel out that IP space
>> > to your snowshoe spammer pals... at least until somebody gets wise.
>> >
>> > OK, so you pull down a copy of, say, the RIPE WHOIS database, and you
>> > programmatically walk your way through it, looking for contact email
>> > addresses on ASN records where the domain of the contact email address
>> > has become unregistered.  Say for example the one for AS34991.  So
>> > then you re-register that contact domain, fresh, and then you start
>> > telling all of your friends and enemies that you -are- AS34991.
>> >
>> > That part seems simple enough, and indeed, I've seen -this- part of the
>> > movie several times before.  However once you have stepped into the
>> > identity of the former owners of the ASN, if you then want to actually
>> > proceed to -announce- some routes, and actually have those routes make
>> > it out onto the Internet generally, then you still have to -peer- with
>> > somebody, right?
>> >
>> > So, I guess then, if you're clever, you look and see who the ASN you've
>> > just successfully hijacked has historically peered with, and then you
>> > somehow arrange to send route announcements to those guys, right?
>> > (I'm talking about AS206776 and AS57344 here, BTW.)
>> >
>> > But see, this is where I get lost.  I mean how do you push your route
>> > announcements to these guys?  (I don't actually know that much about
>> > how BGP actually works in practice, so please bear with me.)  How do
>> > you know what IP address to send your announcements to?  And if you are
>> > going to push your route announcements out to, say, the specific routers
>> > that are run by AS206776 and AS57344, i.e. the ones that will send your
>> > desired route announcements out to the rest of the Internet... well..
>> > how do you find out the IP addresses of those routers on those other
>> > networks?  Do you call up the NOCs at those other networks and do a bit
>> > of social engineering on them to find out the IP addresses you need to
>> > send to?  And can you just send BGP messages to the routers on those
>> > other networks without -any- authentication or anything and have those
>> > routers just blindly accept them -and- relay them on to the whole rest
>> > of the Internet??
>> >
>> > I've read article after article after article bemoaning the 

Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Mel Beckman
Chris,

I didn’t research Ron’s specific example. I was speaking in generalities. I’m 
assuming any BGP hijacker already has two or more DIA connections. It only 
costs $100 to add BGP peering to that setup. Yes, they will need an ASN. I was 
only talking about the cost of adding an upstream BGP session.

 -mel


On Jun 5, 2017, at 9:03 AM, Christopher Morrow
wrote:



On Mon, Jun 5, 2017 at 7:05 AM, Mel Beckman
wrote:
One way is for the hijacker to simply peer with himself. The hijacker has an 
existing peering arrangement with, say, AT&T. He then tells AT&T that he will 
be transit for AS advertising XYZ routes, by dint of a cheerfully forged 
LOA. Once filters have been updated, the hijacker advertises the space to 
himself, and then from thence to AT&T.

that doesn't seem to be what's happening in ron's example though...

it looks, to me, like the example ron has is more a case of:
  1) register contacts for lost asn (AS34991)
  2) setup equipment/etc at an IX (bulgaria-ix it seems, at least) with another 
shill/lost-child asn (AS206776)
  3) start doing the bgps with the IX fabric's route-server
  4) profit (or something)

so here the IXP operator (balkans ix actually?)
  http://lg.bix.bg/?query=summary==rs1.bix.bg+%28IPv4%29
  (search for 206776 -> 
http://lg.bix.bg/?query=bgp=neighbors+193.169.198.191=rs1.bix.bg+(IPv4))

should probably look more than just side-eyes at their customer...


It's no great trick getting peering set up. Just fill out a ten-question BGP 
app and pay a one-time fee of maybe $100, and you're done.

err, you'll have to better explain this I think.

Are you saying: "get an ASN from RIR that costs 100USD" (might, probably does)

this doesn't get you a peering/transit contract though...

-chris


 -mel beckman

> On Jun 5, 2017, at 3:56 AM, Ronald F. Guilmette
> wrote:
>
>
> The more I know, the less I understand.
>
> Maybe some of you kind folks can help.
>
> Please explain for me the following scenario, and how this all actually
> works in practice.
>
> Let's say that you're a malevolent Bad Actor and all you want to do is
> to get hold of some ASN that nobody is watching too closely, and then
> use that to announce some routes to some IPv4 space that nobody is
> watching too closely, so that you can then parcel out that IP space
> to your snowshoe spammer pals... at least until somebody gets wise.
>
> OK, so you pull down a copy of, say, the RIPE WHOIS database, and you
> programmatically walk your way through it, looking for contact email
> addresses on ASN records where the domain of the contact email address
> has become unregistered.  Say for example the one for AS34991.  So
> then you re-register that contact domain, fresh, and then you start
> telling all of your friends and enemies that you -are- AS34991.
>
> That part seems simple enough, and indeed, I've seen -this- part of the
> movie several times before.  However once you have stepped into the
> identity of the former owners of the ASN, if you then want to actually
> proceed to -announce- some routes, and actually have those routes make
> it out onto the Internet generally, then you still have to -peer- with
> somebody, right?
>
> So, I guess then, if you're clever, you look and see who the ASN you've
> just successfully hijacked has historically peered with, and then you
> somehow arrange to send route announcements to those guys, right?
> (I'm talking about AS206776 and AS57344 here, BTW.)
>
> But see, this is where I get lost.  I mean how do you push your route
> announcements to these guys?  (I don't actually know that much about
> how BGP actually works in practice, so please bear with me.)  How do
> you know what IP address to send your announcements to?  And if you are
> going to push your route announcements out to, say, the specific routers
> that are run by AS206776 and AS57344, i.e. the ones that will send your
> desired route announcements out to the rest of the Internet... well..
> how do you find out the IP addresses of those routers on those other
> networks?  Do you call up the NOCs at those other networks and do a bit
> of social engineering on them to find out the IP addresses you need to
> send to?  And can you just send BGP messages to the routers on those
> other networks without -any- authentication or anything and have those
> routers just blindly accept them -and- relay them on to the whole rest
> of the Internet??
>
> I've read article after article after article bemoaning the fact that
> "BGP isn't secure", but now I'm starting to wonder just how massively
> and unbelievably insecure it actually is.  I mean would these routers
> being run by AS206776 and AS57344 just blindly accept -any- route
> announcements sent to them from literally -any- IP address?  (That seems
> positively looney tunes to me!  I mean things can't really be 

Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Christopher Morrow
On Mon, Jun 5, 2017 at 7:05 AM, Mel Beckman  wrote:

> One way is for the hijacker to simply peer with himself. The hijacker has
> an existing peering arrangement with, say, AT&T. He then tells AT&T that he
> will be transit for AS advertising XYZ routes, by dint of a cheerfully
> forged LOA. Once filters have been updated, the hijacker advertises the
> space to himself, and then from thence to AT&T.
>

that doesn't seem to be what's happening in ron's example though...

it looks, to me, like the example ron has is more a case of:
  1) register contacts for lost asn (AS34991)
  2) set up equipment/etc at an IX (bulgaria-ix it seems, at least) with
another shill/lost-child asn (AS206776)
  3) start doing the bgps with the IX fabric's route-server
  4) profit (or something)

so here the IXP operator (balkans ix actually?)
  http://lg.bix.bg/?query=summary==rs1.bix.bg+%28IPv4%29
  (search for 206776 ->
http://lg.bix.bg/?query=bgp=neighbors+193.169.198.191=rs1.bix.bg+(IPv4)
)

should probably look more than just side-eyes at their customer...


>
> It's no great trick getting peering set up. Just fill out a ten-question
> BGP app and pay a one-time fee of maybe $100, and you're done.
>

err, you'll have to better explain this I think.

Are you saying: "get an ASN from RIR that costs 100USD" (might, probably
does)

this doesn't get you a peering/transit contract though...

-chris


>
>  -mel beckman
>
> > On Jun 5, 2017, at 3:56 AM, Ronald F. Guilmette 
> wrote:
> >
> >
> > The more I know, the less I understand.
> >
> > Maybe some of you kind folks can help.
> >
> > Please explain for me the following scenario, and how this all actually
> > works in practice.
> >
> > Let's say that you're a malevolent Bad Actor and all you want to do is
> > to get hold of some ASN that nobody is watching too closely, and then
> > use that to announce some routes to some IPv4 space that nobody is
> > watching too closely, so that you can then parcel out that IP space
> > to your snowshoe spammer pals... at least until somebody gets wise.
> >
> > OK, so you pull down a copy of, say, the RIPE WHOIS database, and you
> > programmatically walk your way through it, looking for contact email
> > addresses on ASN records where the domain of the contact email address
> > has become unregistered.  Say for example the one for AS34991.  So
> > then you re-register that contact domain, fresh, and then you start
> > telling all of your friends and enemies that you -are- AS34991.
> >
> > That part seems simple enough, and indeed, I've seen -this- part of the
> > movie several times before.  However once you have stepped into the
> > identity of the former owners of the ASN, if you then want to actually
> > proceed to -announce- some routes, and actually have those routes make
> > it out onto the Internet generally, then you still have to -peer- with
> > somebody, right?
> >
> > So, I guess then, if you're clever, you look and see who the ASN you've
> > just successfully hijacked has historically peered with, and then you
> > somehow arrange to send route announcements to those guys, right?
> > (I'm talking about AS206776 and AS57344 here, BTW.)
> >
> > But see, this is where I get lost.  I mean how do you push your route
> > announcements to these guys?  (I don't actually know that much about
> > how BGP actually works in practice, so please bear with me.)  How do
> > you know what IP address to send your announcements to?  And if you are
> > going to push your route announcements out to, say, the specific routers
> > that are run by AS206776 and AS57344, i.e. the ones that will send your
> > desired route announcements out to the rest of the Internet... well..
> > how do you find out the IP addresses of those routers on those other
> > networks?  Do you call up the NOCs at those other networks and do a bit
> > of social engineering on them to find out the IP addresses you need to
> > send to?  And can you just send BGP messages to the routers on those
> > other networks without -any- authentication or anything and have those
> > routers just blindly accept them -and- relay them on to the whole rest
> > of the Internet??
> >
> > I've read article after article after article bemoaning the fact that
> > "BGP isn't secure", but now I'm starting to wonder just how massively
> > and unbelievably insecure it actually is.  I mean would these routers
> > being run by AS206776 and AS57344 just blindly accept -any- route
> > announcements sent to them from literally -any- IP address?  (That seems
> > positively looney tunes to me!  I mean things can't really be THAT
> > colossally and unbelievably stupid, can they?)
> >
> > Thanks in advance for any enlightenment.
> >
> >
> > Regards,
> > rfg
> >
> >
> > P.S.  It would appear to be the case that since some time in April of
> this
> > year the "Bulgarian" network, AS34991, had evinced a rather sudden and
> > pronounced affinity for various portions of the IPv4 

Re: IPv4 Hijacking For Idiots

2017-06-05 Thread Mel Beckman
One way is for the hijacker to simply peer with himself. The hijacker has an 
existing peering arrangement with, say, AT&T. He then tells AT&T that he will 
be transit for AS advertising XYZ routes, by dint of a cheerfully forged 
LOA. Once filters have been updated, the hijacker advertises the space to 
himself, and then from thence to AT&T.

It's no great trick getting peering set up. Just fill out a ten-question BGP 
app and pay a one-time fee of maybe $100, and you're done.

 -mel beckman

> On Jun 5, 2017, at 3:56 AM, Ronald F. Guilmette  
> wrote:
> 
> 
> The more I know, the less I understand.
> 
> Maybe some of you kind folks can help.
> 
> Please explain for me the following scenario, and how this all actually
> works in practice.
> 
> Let's say that you're a malevolent Bad Actor and all you want to do is
> to get hold of some ASN that nobody is watching too closely, and then
> use that to announce some routes to some IPv4 space that nobody is
> watching too closely, so that you can then parcel out that IP space
> to your snowshoe spammer pals... at least until somebody gets wise.
> 
> OK, so you pull down a copy of, say, the RIPE WHOIS database, and you
> programmatically walk your way through it, looking for contact email
> addresses on ASN records where the domain of the contact email address
> has become unregistered.  Say for example the one for AS34991.  So
> then you re-register that contact domain, fresh, and then you start
> telling all of your friends and enemies that you -are- AS34991.
> 
> That part seems simple enough, and indeed, I've seen -this- part of the
> movie several times before.  However once you have stepped into the
> identity of the former owners of the ASN, if you then want to actually
> proceed to -announce- some routes, and actually have those routes make
> it out onto the Internet generally, then you still have to -peer- with
> somebody, right?
> 
> So, I guess then, if you're clever, you look and see who the ASN you've
> just successfully hijacked has historically peered with, and then you
> somehow arrange to send route announcements to those guys, right?
> (I'm talking about AS206776 and AS57344 here, BTW.)
> 
> But see, this is where I get lost.  I mean how do you push your route
> announcements to these guys?  (I don't actually know that much about
> how BGP actually works in practice, so please bear with me.)  How do
> you know what IP address to send your announcements to?  And if you are
> going to push your route announcements out to, say, the specific routers
> that are run by AS206776 and AS57344, i.e. the ones that will send your
> desired route announcements out to the rest of the Internet... well..
> how do you find out the IP addresses of those routers on those other
> networks?  Do you call up the NOCs at those other networks and do a bit
> of social engineering on them to find out the IP addresses you need to
> send to?  And can you just send BGP messages to the routers on those
> other networks without -any- authentication or anything and have those
> routers just blindly accept them -and- relay them on to the whole rest
> of the Internet??
> 
> I've read article after article after article bemoaning the fact that
> "BGP isn't secure", but now I'm starting to wonder just how massively
> and unbelievably insecure it actually is.  I mean would these routers
> being run by AS206776 and AS57344 just blindly accept -any- route
> announcements sent to them from literally -any- IP address?  (That seems
> positively looney tunes to me!  I mean things can't really be THAT
> colossally and unbelievably stupid, can they?)
> 
> Thanks in advance for any enlightenment.
> 
> 
> Regards,
> rfg
> 
> 
> P.S.  It would appear to be the case that since some time in April of this
> year the "Bulgarian" network, AS34991, had evinced a rather sudden and
> pronounced affinity for various portions of the IPv4 address space nominally
> associated with the nation of Colombia, including at least five /24 blocks
> within 168.176.0.0/16 which, from where I am sitting, would appear to belong
> to the National University of Colombia.
> 
> Oh well.  They apparently haven't been missing those five gaping holes in
> their /16 since the time the more specifics started showing up in April.
> 
> And anyway, so far it looks like the new owners of AS34991 haven't actually
> sub-leased any of those /24s to any spammers yet.  Only the 190.90.88.0/24
> block seems to be filled, wall-to-wall, with snowshoe spammers so far.
> 
> 


Northern Ireland

2017-06-05 Thread Rod Beck
Who are the main competitive local providers in Belfast?


Regards,


Roderick.


Roderick Beck

Director of Global Sales

United Cable Company

www.unitedcablecompany.com

85 Király utca, 1077 Budapest

rod.b...@unitedcablecompany.com

36-30-859-5144




IPv4 Hijacking For Idiots

2017-06-05 Thread Ronald F. Guilmette

The more I know, the less I understand.

Maybe some of you kind folks can help.

Please explain for me the following scenario, and how this all actually
works in practice.

Let's say that you're a malevolent Bad Actor and all you want to do is
to get hold of some ASN that nobody is watching too closely, and then
use that to announce some routes to some IPv4 space that nobody is
watching too closely, so that you can then parcel out that IP space
to your snowshoe spammer pals... at least until somebody gets wise.

OK, so you pull down a copy of, say, the RIPE WHOIS database, and you
programmatically walk your way through it, looking for contact email
addresses on ASN records where the domain of the contact email address
has become unregistered.  Say for example the one for AS34991.  So
then you re-register that contact domain, fresh, and then you start
telling all of your friends and enemies that you -are- AS34991.

That part seems simple enough, and indeed, I've seen -this- part of the
movie several times before.  However once you have stepped into the
identity of the former owners of the ASN, if you then want to actually
proceed to -announce- some routes, and actually have those routes make
it out onto the Internet generally, then you still have to -peer- with
somebody, right?

So, I guess then, if you're clever, you look and see who the ASN you've
just successfully hijacked has historically peered with, and then you
somehow arrange to send route announcements to those guys, right?
(I'm talking about AS206776 and AS57344 here, BTW.)

But see, this is where I get lost.  I mean how do you push your route
announcements to these guys?  (I don't actually know that much about
how BGP actually works in practice, so please bear with me.)  How do
you know what IP address to send your announcements to?  And if you are
going to push your route announcements out to, say, the specific routers
that are run by AS206776 and AS57344, i.e. the ones that will send your
desired route announcements out to the rest of the Internet... well..
how do you find out the IP addresses of those routers on those other
networks?  Do you call up the NOCs at those other networks and do a bit
of social engineering on them to find out the IP addresses you need to
send to?  And can you just send BGP messages to the routers on those
other networks without -any- authentication or anything and have those
routers just blindly accept them -and- relay them on to the whole rest
of the Internet??

I've read article after article after article bemoaning the fact that
"BGP isn't secure", but now I'm starting to wonder just how massively
and unbelievably insecure it actually is.  I mean would these routers
being run by AS206776 and AS57344 just blindly accept -any- route
announcements sent to them from literally -any- IP address?  (That seems
positively looney tunes to me!  I mean things can't really be THAT
colossally and unbelievably stupid, can they?)

Thanks in advance for any enlightenment.


Regards,
rfg


P.S.  It would appear to be the case that since some time in April of this
year the "Bulgarian" network, AS34991, had evinced a rather sudden and
pronounced affinity for various portions of the IPv4 address space nominally
associated with the nation of Colombia, including at least five /24 blocks
within 168.176.0.0/16 which, from where I am sitting, would appear to belong
to the National University of Colombia.

Oh well.  They apparently haven't been missing those five gaping holes in
their /16 since the time the more specifics started showing up in April.

And anyway, so far it looks like the new owners of AS34991 haven't actually
sub-leased any of those /24s to any spammers yet.  Only the 190.90.88.0/24
block seems to be filled, wall-to-wall, with snowshoe spammers so far.
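The pattern Ron describes in his P.S. (more-specific /24s inside 168.176.0.0/16 suddenly originated by AS34991) and the point Chris makes about the IX route-server being the place to look are both, from the operator's side, a detection problem: compare what a route-server or looking glass currently carries against the origins you expect for a covering block. The script below is an added example written for this thread, not code from the list or from any of the posters. The route-server dump is constructed sample input in a simplified "prefix AS-path" form, and the expected legitimate origins (AS64496, AS64497, from the documentation ASN range) are placeholders, since the thread never names the real Colombian origin ASNs. The hijacked origin (AS34991), the IX-side neighbours (AS206776, AS57344) and the prefixes come from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One entry from a route-server view: prefix plus the AS path as seen there."""
    prefix: ipaddress.IPv4Network
    as_path: tuple

    @property
    def neighbor(self) -> int:
        # First ASN in the path is the route-server's direct peer for this route.
        return self.as_path[0]

    @property
    def origin(self) -> int:
        # Last ASN in the path is the originating network.
        return self.as_path[-1]


# Constructed sample dump (NOT real looking-glass output): "prefix  as-path".
SAMPLE_DUMP = """
# prefix            AS path (last ASN = origin)
168.176.0.0/16      64496
168.176.10.0/24     206776 34991
168.176.11.0/24     206776 34991
168.176.12.0/24     57344 34991
190.90.0.0/16       64497
190.90.88.0/24      206776 34991
203.0.113.0/24      64499
"""

# Expected legitimate origins per covering block. The ASNs here are constructed
# placeholders; in practice this table comes from the RIR allocation, IRR
# route objects or RPKI ROAs for the blocks you are responsible for.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("168.176.0.0/16"): {64496},  # placeholder for the university
    ipaddress.ip_network("190.90.0.0/16"): {64497},   # placeholder
}


def parse_routes(text: str) -> list:
    """Parse the simplified dump; blank lines and '#' comments are skipped."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, path = line.split(None, 1)
        routes.append(Route(ipaddress.ip_network(prefix),
                            tuple(int(asn) for asn in path.split())))
    return routes


def find_suspicious(routes: list, expected: dict) -> list:
    """Return (prefix, kind, origin, neighbor, covering) for every route whose
    origin is not an allowed origin of the most specific covering block we know."""
    # Most specific expectation wins, so nested entries in `expected` work.
    ordered = sorted(expected.items(), key=lambda kv: kv[0].prefixlen, reverse=True)
    findings = []
    for r in routes:
        for covering, origins in ordered:
            if not r.prefix.subnet_of(covering):
                continue
            if r.origin not in origins:
                kind = "more-specific" if r.prefix != covering else "exact"
                findings.append((str(r.prefix), kind, r.origin, r.neighbor, str(covering)))
            break  # only judge against the most specific covering block
    return findings


def count_by_origin(findings: list) -> dict:
    """How many unexpected prefixes each origin ASN is announcing."""
    counts = {}
    for _, _, origin, _, _ in findings:
        counts[origin] = counts.get(origin, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious(parse_routes(SAMPLE_DUMP), EXPECTED_ORIGINS)
    for prefix, kind, origin, neighbor, covering in hits:
        print(f"{prefix:18} {kind:13} origin AS{origin} via AS{neighbor} (inside {covering})")
    print("per-origin totals:", count_by_origin(hits))
```

Run against the sample it lists the three 168.176.x.0/24 more-specifics and 190.90.88.0/24, all originated by AS34991 and all entering through AS206776 or AS57344, which is exactly the view an IX operator would want from its own route-server before deciding whether a customer deserves "more than side-eyes". Checking `neighbor` as well as `origin` matters: the originating ASN may be a hijacked shell, but the IX peer carrying it is a real customer with a contract.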