MFN/AboveNet blocking pac-rim.net/spamshield.org MX
Kai Schlichting
kai at pac-rim.net
Mon Jul 7 15:51:54 UTC 2003
Coming back from my vacation, I had to discover that some losers
(who, no doubt, had something to lose as far as their hijacked IP space
is concerned) have attempted to DoS the MX for pac-rim.net/spamshield.org
by sending a few 100,000 spams with randomized @pac-rim.net return
addresses around June 25/26th, and us seeing 10,000's of bounces
generated by misbehaving mail hosts that bounce to MAIL FROM: addresses
sometime after their mail back-end decides that the recipients don't
exist (nice AOL-style abuse amplifier, just un-AOL-like unthrottled).
At the same time, MFN/Above.net seems to have null0'd 208.241.101.2 (in
response to that? we have yet to see a SINGLE complaint/forwarded copy),
thus denying transit of all their non-multihomed downstreams (or those
that transit through them to the UUnet /10 aggregate this IP lives in)
to our MXs, as well as the SpamShield.org website and the private
SpamShield DNSBL zone origin host.
While we have to suffer constantly under attempts of unlawful trespass
originating from MFN/Above.net's customers, with never a peep of a follow-up
after the auto-reply coming back from abuse at above.net (and in quite a few
cases with such trespass continuing unabated) we've never bothered
to null0 more than a surrounding /22 around for such abuse for more than a
brief amount of time (1-3 days max). Whoever is wielding 'enable' power at
MFN/AboveNet may want to re-think what abuse actually is - and may
want to consult with his boss at this time whether it was appropriate to
block a DoS victim's MX without contacting same beforehand.
Meanwhile it seems that it took Above.net a LOT longer to null0 hijacked
IP space (like: a couple weeks) announced from customer AS 26891 than it
took them to null0 a /32 they seemed to perceive as a threat that isn't
paying them:
# routes (20030515):
# 199.120.163.0/24 from AS: 26891 (upstreams: 6461),
# 199.120.164.0/24 from AS: 26891 (upstreams: 6461),
# 199.166.200.0/22 from AS: 26891 (upstreams: 6461),
# 199.201.151.0/24 from AS: 26891 (upstreams: 6461),
# 199.201.152.0/24 from AS: 26891 (upstreams: 6461),
# 204.19.162.0/24 from AS: 26891 (upstreams: 6461 23352),
(all gone now)
Waiting for AboveNet/MFN's mail on this - and no, renumbering the host
to another IP number would be too annoying.
bye, Kai
--------
sonet:~# tcptraceroute -s 208.241.101.2 whois.gandi.net
Selected device exp0, address 208.241.101.2, port 58193 for outgoing packets
Tracing the path to whois.gandi.net (80.67.173.20) on TCP port 80, 30 hops max
[...]
4 0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98) 10.150 ms 8.815 ms 10.136 ms
5 0.so-7-0-0.XL2.NYC8.Alter.Net (152.63.0.37) 13.199 ms 11.889 ms 12.103 ms
6 0.so-3-0-0.XR2.NYC8.ALTER.NET (152.63.19.34) 16.530 ms 13.251 ms 11.268 ms
7 182.ATM6-0.BR1.NYC8.ALTER.NET (152.63.23.173) 8.762 ms 7.053 ms 10.339 ms
8 * * *
9 * * *
^C
sonet:~# tcptraceroute -s another.address.on.the.same.box whois.gandi.net
Selected device exp0, address x.x.x.x, port 58185 for outgoing packets
Tracing the path to whois.gandi.net (80.67.173.20) on TCP port 80, 30 hops max
[...]
4 0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98) 9.631 ms 8.728 ms 10.066 ms
5 0.so-7-0-0.XL2.NYC8.Alter.Net (152.63.0.37) 9.621 ms 8.731 ms 10.017 ms
6 0.so-3-0-0.XR2.NYC8.ALTER.NET (152.63.19.34) 9.663 ms 8.736 ms 10.131 ms
7 182.ATM5-0.BR1.NYC8.ALTER.NET (152.63.23.77) 19.588 ms 9.054 ms 10.067 ms
8 200.atm6-0.pr1.lga2.us.mfnx.net (208.184.231.245) 29.625 ms 36.590 ms 29.811 ms
9 so-2-2-0.cr2.lga2.us.mfnx.net (216.200.127.169) 49.795 ms 35.010 ms 29.780 ms
10 so-0-0-0.cr2.lga1.us.mfnx.net (208.184.232.197) 49.766 ms 28.664 ms 39.752 ms
11 so-6-0-0.cr2.lhr3.uk.above.net (64.125.31.181) 99.797 ms 103.668 ms 99.700 ms
12 so-0-0-0.cr1.lhr3.uk.above.net (208.184.231.145) 109.793 ms 108.402 ms 99.705 ms
13 pos12-0.cr1.cdg2.fr.above.net (64.125.31.130) 109.857 ms 107.870 ms 109.774 ms
14 pos0-2.er1a.cdg2.fr.above.net (208.184.231.205) 109.799 ms 108.622 ms 109.779 ms
15 gitoyen-voltaire-gw.gitoyen.net (62.4.73.30) 119.632 ms 111.625 ms 109.781 ms
16 80.67.168.6 (80.67.168.6) 129.879 ms 119.700 ms 109.803 ms
17 jd.gandi.net (80.67.173.20) [open] 109.893 ms 1.390 ms 119.798 ms
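As an added illustration (not part of Kai's post), the following Python script parses the two tcptraceroute runs above, embedded as abbreviated excerpts of the post's own output, and reports the first hop that answers from the control source address but stays silent from the blocked one. That comparison is the usual first check when an upstream null route is suspected. The regexes and function names are my own assumptions about the tcptraceroute line format shown.

```python
import re

# Abbreviated excerpts of the two tcptraceroute runs from the post (sample input).
BLOCKED = """\
Tracing the path to whois.gandi.net (80.67.173.20) on TCP port 80, 30 hops max
 4  0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98)  10.150 ms  8.815 ms  10.136 ms
 7  182.ATM6-0.BR1.NYC8.ALTER.NET (152.63.23.173)  8.762 ms  7.053 ms  10.339 ms
 8  * * *
 9  * * *
"""
CONTROL = """\
Tracing the path to whois.gandi.net (80.67.173.20) on TCP port 80, 30 hops max
 4  0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98)  9.631 ms  8.728 ms  10.066 ms
 7  182.ATM5-0.BR1.NYC8.ALTER.NET (152.63.23.77)  19.588 ms  9.054 ms  10.067 ms
 8  200.atm6-0.pr1.lga2.us.mfnx.net (208.184.231.245)  29.625 ms  36.590 ms  29.811 ms
17  jd.gandi.net (80.67.173.20) [open]  109.893 ms  1.390 ms  119.798 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")              # "<hop> <rest of line>"
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")   # "(a.b.c.d)" after the hostname

def parse_hops(transcript):
    """Map hop number -> responding IP, or None for a silent '* * *' hop."""
    hops = {}
    for line in transcript.splitlines():
        m = HOP_RE.match(line)
        if not m:          # banner lines, prompts, '[...]' and '^C' are skipped
            continue
        ip = IP_RE.search(m.group(2))
        hops[int(m.group(1))] = ip.group(1) if ip else None
    return hops

def reached(hops, target_ip):
    """True if the target itself answered on some hop."""
    return target_ip in hops.values()

def blackhole_hop(blocked, control):
    """First hop that answers in the control trace but was probed and stayed silent
    in the blocked trace: the point where the blocked source's packets are dropped."""
    for n in sorted(control):
        if control[n] and n in blocked and blocked[n] is None:
            return n, control[n]
    return None

if __name__ == "__main__":
    b, c = parse_hops(BLOCKED), parse_hops(CONTROL)
    print("control reaches target:", reached(c, "80.67.173.20"))
    print("blocked reaches target:", reached(b, "80.67.173.20"))
    print("blocked source dies at hop:", blackhole_hop(b, c))
```

On the post's data the blocked source last gets a reply from hop 7 (152.63.23.173, ALTER.NET) and is silent at hop 8, where the control trace enters mfnx.net at 208.184.231.245, which localises the drop to the MFN/AboveNet edge rather than to the target.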