MFN/AboveNet blocking pac-rim.net/spamshield.org MX

Kai Schlichting kai at pac-rim.net
Mon Jul 7 15:51:54 UTC 2003


Coming back from my vacation, I had to discover that some losers
(who, no doubt, had something to lose as far as their hijacked IP space
is concerned) have attempted to DoS the MX for pac-rim.net/spamshield.org
by sending a few 100,000 spams with randomized @pac-rim.net return
addresses around June 25/26th, and us seeing 10,000s of bounces
generated by misbehaving mail hosts that bounce to MAIL FROM: addresses
sometime after their mail back-end decides that the recipients don't
exist (nice AOL-style abuse amplifier, just un-AOL-like unthrottled).

At the same time, MFN/Above.net seems to have null0'd 208.241.101.2 (in
response to that? we have yet to see a SINGLE complaint/forwarded copy),
thus denying transit of all their non-multihomed downstreams (or those
that transit through them to the UUnet /10 aggregate this IP lives in)
to our MXs, as well as the SpamShield.org website and the private
SpamShield DNSBL zone origin host.

While we have to suffer constantly under attempts of unlawful trespass
originating from MFN/Above.net's customers, with never a peep of a follow-up
after the auto-reply coming back from abuse at above.net (and in quite a few
cases with such trespass continuing unabated) we've never bothered
to null0 more than a surrounding /22 for such abuse for more than a
brief amount of time (1-3 days max). Whoever is wielding 'enable' power at
MFN/AboveNet may want to re-think what abuse actually is - and may
want to consult with his boss at this time whether it was appropriate to
block a DoS victim's MX without contacting same beforehand.

Meanwhile it seems that it took Above.net a LOT longer to null0 hijacked
IP space (like: a couple weeks) announced from customer AS 26891 than it
took them to null0 a /32 they seemed to perceive as a threat that isn't
paying them:

# routes (20030515):
# 199.120.163.0/24 from AS: 26891 (upstreams: 6461),
# 199.120.164.0/24 from AS: 26891 (upstreams: 6461),
# 199.166.200.0/22 from AS: 26891 (upstreams: 6461),
# 199.201.151.0/24 from AS: 26891 (upstreams: 6461),
# 199.201.152.0/24 from AS: 26891 (upstreams: 6461),
# 204.19.162.0/24 from AS: 26891 (upstreams: 6461 23352),
(all gone now)

Waiting for AboveNet/MFN's mail on this - and no, renumbering the host
to another IP number would be too annoying.

bye, Kai


--------

sonet:~# tcptraceroute -s 208.241.101.2 whois.gandi.net
Selected device exp0, address 208.241.101.2, port 58193 for outgoing packets
Tracing the path to whois.gandi.net (80.67.173.20) on TCP port 80, 30 hops max
[...]
 4  0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98)  10.150 ms  8.815 ms  10.136 ms
 5  0.so-7-0-0.XL2.NYC8.Alter.Net (152.63.0.37)  13.199 ms  11.889 ms  12.103 ms
 6  0.so-3-0-0.XR2.NYC8.ALTER.NET (152.63.19.34)  16.530 ms  13.251 ms  11.268 ms
 7  182.ATM6-0.BR1.NYC8.ALTER.NET (152.63.23.173)  8.762 ms  7.053 ms  10.339 ms
 8  * * *
 9  * * *
^C

sonet:~# tcptraceroute -s another.address.on.the.same.box whois.gandi.net
Selected device exp0, address x.x.x.x, port 58185 for outgoing packets
Tracing the path to whois.gandi.net (80.67.173.20) on TCP port 80, 30 hops max
[...]
 4  0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98)  9.631 ms  8.728 ms  10.066 ms
 5  0.so-7-0-0.XL2.NYC8.Alter.Net (152.63.0.37)  9.621 ms  8.731 ms  10.017 ms
 6  0.so-3-0-0.XR2.NYC8.ALTER.NET (152.63.19.34)  9.663 ms  8.736 ms  10.131 ms
 7  182.ATM5-0.BR1.NYC8.ALTER.NET (152.63.23.77)  19.588 ms  9.054 ms  10.067 ms
 8  200.atm6-0.pr1.lga2.us.mfnx.net (208.184.231.245)  29.625 ms  36.590 ms  29.811 ms
 9  so-2-2-0.cr2.lga2.us.mfnx.net (216.200.127.169)  49.795 ms  35.010 ms  29.780 ms
10  so-0-0-0.cr2.lga1.us.mfnx.net (208.184.232.197)  49.766 ms  28.664 ms  39.752 ms
11  so-6-0-0.cr2.lhr3.uk.above.net (64.125.31.181)  99.797 ms  103.668 ms  99.700 ms
12  so-0-0-0.cr1.lhr3.uk.above.net (208.184.231.145)  109.793 ms  108.402 ms  99.705 ms
13  pos12-0.cr1.cdg2.fr.above.net (64.125.31.130)  109.857 ms  107.870 ms  109.774 ms
14  pos0-2.er1a.cdg2.fr.above.net (208.184.231.205)  109.799 ms  108.622 ms  109.779 ms
15  gitoyen-voltaire-gw.gitoyen.net (62.4.73.30)  119.632 ms  111.625 ms  109.781 ms
16  80.67.168.6 (80.67.168.6)  129.879 ms  119.700 ms  109.803 ms
17  jd.gandi.net (80.67.173.20) [open]  109.893 ms  1.390 ms  119.798 ms
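The two traces above differ only in the source address, which is what makes them evidence of a source-specific null route rather than of ordinary ICMP filtering somewhere on the path. The following parser makes that comparison mechanical. It is an added example, not code from Kai's post or from any NANOG tool: the two sample traces embedded below are copied from the post's own hop lines, while the function names and the "source-specific block" heuristic are this example's assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Sample input copied from the post: the first trace is sourced from the
# blocked MX address 208.241.101.2, the second from another address on the
# same box.  Only the hop lines are needed for the comparison.
TRACE_FROM_MX = """\
 4  0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98)  10.150 ms  8.815 ms  10.136 ms
 5  0.so-7-0-0.XL2.NYC8.Alter.Net (152.63.0.37)  13.199 ms  11.889 ms  12.103 ms
 6  0.so-3-0-0.XR2.NYC8.ALTER.NET (152.63.19.34)  16.530 ms  13.251 ms  11.268 ms
 7  182.ATM6-0.BR1.NYC8.ALTER.NET (152.63.23.173)  8.762 ms  7.053 ms  10.339 ms
 8  * * *
 9  * * *
"""

TRACE_FROM_OTHER = """\
 4  0.so-1-1-0.XL2.NYC1.ALTER.NET (152.63.19.98)  9.631 ms  8.728 ms  10.066 ms
 5  0.so-7-0-0.XL2.NYC8.Alter.Net (152.63.0.37)  9.621 ms  8.731 ms  10.017 ms
 6  0.so-3-0-0.XR2.NYC8.ALTER.NET (152.63.19.34)  9.663 ms  8.736 ms  10.131 ms
 7  182.ATM5-0.BR1.NYC8.ALTER.NET (152.63.23.77)  19.588 ms  9.054 ms  10.067 ms
 8  200.atm6-0.pr1.lga2.us.mfnx.net (208.184.231.245)  29.625 ms  36.590 ms  29.811 ms
 9  so-2-2-0.cr2.lga2.us.mfnx.net (216.200.127.169)  49.795 ms  35.010 ms  29.780 ms
10  so-0-0-0.cr2.lga1.us.mfnx.net (208.184.232.197)  49.766 ms  28.664 ms  39.752 ms
11  so-6-0-0.cr2.lhr3.uk.above.net (64.125.31.181)  99.797 ms  103.668 ms  99.700 ms
12  so-0-0-0.cr1.lhr3.uk.above.net (208.184.231.145)  109.793 ms  108.402 ms  99.705 ms
13  pos12-0.cr1.cdg2.fr.above.net (64.125.31.130)  109.857 ms  107.870 ms  109.774 ms
14  pos0-2.er1a.cdg2.fr.above.net (208.184.231.205)  109.799 ms  108.622 ms  109.779 ms
15  gitoyen-voltaire-gw.gitoyen.net (62.4.73.30)  119.632 ms  111.625 ms  109.781 ms
16  80.67.168.6 (80.67.168.6)  129.879 ms  119.700 ms  109.803 ms
17  jd.gandi.net (80.67.173.20) [open]  109.893 ms  1.390 ms  119.798 ms
"""

Hop = Tuple[str, str]  # (hostname as printed, IP address)

# tcptraceroute hop line: "<hop>  <host> (<ip>)  <rtt> ms ..." or "<hop>  * * *"
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")
SILENT_RE = re.compile(r"^\s*(\d+)\s+\*")


def parse_trace(text: str) -> Dict[int, Optional[Hop]]:
    """Map hop number -> (host, ip), or None when the hop never answered."""
    hops: Dict[int, Optional[Hop]] = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = (m.group(2), m.group(3))
            continue
        m = SILENT_RE.match(line)
        if m:
            hops[int(m.group(1))] = None
    return hops


def diagnose(blocked: Dict[int, Optional[Hop]],
             reference: Dict[int, Optional[Hop]],
             destination_ip: str) -> dict:
    """Compare a suspect trace with a reference trace from the same box.

    Heuristic (assumption of this example): if the suspect source goes dark at
    a hop where the reference source still gets an answer, and the reference
    reaches the destination, the suspect source is being dropped selectively
    at or just beyond the last router that answered it.
    """
    replied = [h for h, v in blocked.items() if v is not None]
    silent = [h for h, v in blocked.items() if v is None]
    last_reply = max(replied) if replied else None
    first_silent = min(silent) if silent else None
    ref_at_silent = reference.get(first_silent) if first_silent is not None else None
    reached = any(v is not None and v[1] == destination_ip for v in reference.values())
    # Network that answers the reference source but not the suspect one,
    # taken as the last two DNS labels of the hostname at that hop.
    network = ".".join(ref_at_silent[0].split(".")[-2:]) if ref_at_silent else None
    return {
        "last_reply_hop": last_reply,
        "last_reply": blocked.get(last_reply) if last_reply is not None else None,
        "first_silent_hop": first_silent,
        "reference_at_silent_hop": ref_at_silent,
        "reference_reached_destination": reached,
        "silent_at_network": network,
        "source_specific_block": bool(first_silent is not None and ref_at_silent and reached),
    }


if __name__ == "__main__":
    result = diagnose(parse_trace(TRACE_FROM_MX), parse_trace(TRACE_FROM_OTHER), "80.67.173.20")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the post's two traces, the report points at hop 8, where the reference source is already answered by a mfnx.net router while the MX source hears nothing. Note that hop 7 differs between the two runs as well (152.63.23.173 versus 152.63.23.77, two interfaces of the same BR1.NYC8 router), which is why the comparison keys on where answers stop rather than on the first hop whose address differs; a plain per-hop diff would flag the ALTER.NET border as the divergence point and misattribute the drop.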
