BGP hijack of Spamhaus?

• Previous message (by thread): BGP hijack of Spamhaus?
• Next message (by thread): BGP hijack of Spamhaus?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Nicolai,

It really happened, here are my notes. 

	http://instituut.net/~job/cb3rob-spamhaus-hijack-21-mar-2013.txt

Renesys also confirmed seeing the /32 from that direction, but they could
not share the data because of an NDA. 

Because it was a /32, it was a hyperlocal event, if you can read Dutch and
read the comments on the greenhost.nl blog, you'll see that Kamphuis is
not denying, but rather elaborates on what he did:

	"wijst er ook maar even op dat onze uiteraard in-house developed
	dns code die we voor dit project ingezet hebben ook keurig op
	stdout liet zien WAT er door WIE werdt opgevraagd…"

Roughly translates to:

	"Let me emphasize that our in-house developed dns code, which was
	used for this project very nicely logged to stdout WHO was requesting
	WHAT"

Kind regards,

Job

On Mar 29, 2013, at 7:05 PM, Nicolai <nicolai-nanog at chocolatine.org> wrote:

> Hi all,
> 
> Regarding the Spamhaus DDoS attack, there's a Cisco article [0]
> detailing its chronology, which cites greenhost.nl [1] claiming a BGP
> hijack by AS34109 (CB3ROB).  Here, a /32 was announced (and accepted...)
> for 0.ns.spamhaus.org, and the fraudulent server returned 127.0.0.2 for
> *all* DNSBL queries, with the intent to undermine confidence in
> Spamhaus.
> 
> Are there any confirmations of this claim?  This needs to be
> investigated and proven/disproven.
> 
> Nicolai
> 
> 0. http://blogs.cisco.com/security/chronology-of-a-ddos-spamhaus/
> 1. https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/
> 

-- 
AS5580 - Atrato IP Networks

• Previous message (by thread): BGP hijack of Spamhaus?
• Next message (by thread): BGP hijack of Spamhaus?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]