[renesys] The New Threat: Targeted Internet Traffic Misdirection
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Nov 26 21:09:24 UTC 2013
On Wed, Nov 20, 2013 at 01:54:00PM -0500,
Christopher Morrow <morrowc.lists at gmail.com> wrote
a message of 11 lines which said:
> someone has already parsed out all route announcements from
> ris/routeviews for the 2 specific incidents in question in the
> article? and posted the contents somewhere for review? I didn't see
> Renesys do that :(
Indeed. But the data is public. Let's use RouteViews. Renesys gave us
the exact time (0736 UTC) and the origin AS. From the time, let's find
the relevant RouteViews file, whose URL is made of date and time:
ftp://archive.routeviews.org/route-views.linx/bgpdata/2013.07/UPDATES/updates.20130731.0730.bz2
Download, bunzip2, bgpdump to translate the MRT to text, then
Control-S in emacs to find announces by AS 48685. And here it is:
TIME: 07/31/13 07:36:46
TYPE: BGP4MP/MESSAGE/Update
FROM: 195.66.236.35 AS6067
TO: 195.66.237.222 AS6447
ORIGIN: IGP
ASPATH: 6067 6677 48685
NEXT_HOP: 195.66.236.35
ANNOUNCE
64.81.96.0/24
64.81.97.0/24
64.81.101.0/24
64.81.103.0/24
64.81.110.0/24
64.81.112.0/24
64.81.113.0/24
64.81.115.0/24
64.81.116.0/24
64.81.122.0/24
64.81.125.0/24
64.81.127.0/24
64.81.161.0/24
64.81.162.0/24
64.81.163.0/24
64.81.164.0/24
64.81.166.0/24
64.81.167.0/24
64.81.169.0/24
64.81.170.0/24
64.81.171.0/24
64.81.172.0/24
64.81.177.0/24
64.81.192.0/19
64.81.199.0/24
64.81.203.0/24
64.81.204.0/24
64.81.205.0/24
64.81.208.0/24
64.81.209.0/24
64.81.212.0/24
64.81.214.0/24
64.105.6.0/23
64.105.14.0/23
64.105.20.0/23
64.105.24.0/21
64.105.32.0/21
64.105.52.0/23
64.105.54.0/23
64.105.56.0/23
64.105.58.0/23
64.105.60.0/23
64.105.62.0/23
64.105.66.0/23
64.105.70.0/23
64.105.72.0/21
64.105.82.0/23
64.105.88.0/21
64.105.114.0/23
64.105.128.0/21
64.105.144.0/21
64.105.160.0/23
64.105.162.0/23
64.105.176.0/23
64.105.180.0/22
64.105.192.0/23
64.105.194.0/23
64.105.202.0/23
64.105.210.0/23
64.105.212.0/23
64.105.218.0/23
64.105.220.0/23
64.105.226.0/23
64.105.230.0/23
64.105.240.0/23
64.105.242.0/23
64.105.244.0/22
64.105.252.0/23
66.92.20.0/24
66.92.22.0/24
66.92.46.0/24
66.92.52.0/22
66.92.64.0/19
66.92.99.0/24
66.92.100.0/24
66.92.106.0/24
66.92.144.0/24
66.92.145.0/24
66.92.147.0/24
66.92.149.0/24
66.92.152.0/24
66.92.159.0/24
66.92.160.0/24
66.92.161.0/24
66.92.162.0/24
66.92.176.0/23
66.92.213.0/24
66.92.215.0/24
66.92.224.0/20
66.92.240.0/23
66.92.241.0/24
66.93.24.0/24
66.93.25.0/24
66.93.38.0/24
66.93.39.0/24
66.93.40.0/24
66.93.49.0/24
66.93.56.0/24
66.93.59.0/24
66.93.62.0/24
66.93.74.0/24
66.93.81.0/24
66.93.82.0/24
66.93.83.0/24
66.93.84.0/23
66.93.88.0/22
66.93.99.0/24
66.93.100.0/24
66.93.103.0/24
66.93.106.0/24
66.93.107.0/24
66.93.115.0/24
66.93.168.0/23
66.93.174.0/24
66.93.176.0/23
66.93.214.0/24
66.93.216.0/24
66.93.216.0/21
66.93.224.0/24
66.93.224.0/22
66.93.228.0/24
66.93.232.0/22
66.93.240.0/24
66.93.241.0/24
66.93.242.0/24
66.93.243.0/24
66.93.244.0/24
66.93.246.0/24
66.93.248.0/24
66.93.251.0/24
66.93.252.0/23
66.134.2.0/23
66.134.18.0/23
66.134.36.0/23
66.134.38.0/23
66.134.40.0/21
66.134.48.0/21
66.134.58.0/23
66.134.60.0/23
66.134.64.0/21
66.134.76.0/23
66.134.78.0/23
66.134.98.0/23
66.134.106.0/23
66.134.116.0/23
66.134.118.0/23
66.134.136.0/21
66.134.150.0/23
66.134.152.0/21
66.134.168.0/21
66.134.176.0/23
66.134.178.0/23
66.134.182.0/23
66.134.184.0/21
66.134.208.0/21
66.134.216.0/23
66.134.220.0/23
66.134.224.0/21
66.134.232.0/21
66.134.240.0/21
66.166.10.0/23
66.166.46.0/23
66.166.64.0/21
66.166.94.0/23
66.166.112.0/23
66.166.114.0/23
66.166.136.0/23
66.166.138.0/23
66.166.144.0/21
66.166.160.0/23
66.166.162.0/23
66.166.176.0/23
66.166.180.0/23
66.166.184.0/23
66.166.200.0/21
66.166.216.0/21
66.166.244.0/23
66.166.246.0/23
66.166.248.0/23
66.166.254.0/23
66.167.0.0/21
66.167.10.0/23
66.167.26.0/23
66.167.32.0/21
66.167.50.0/23
66.167.60.0/23
66.167.62.0/23
66.167.64.0/21
66.167.72.0/21
66.167.80.0/21
66.167.96.0/21
66.167.104.0/21
66.167.118.0/23
66.167.136.0/22
66.167.152.0/21
66.167.170.0/23
66.167.176.0/21
66.167.196.0/23
66.167.208.0/23
66.167.216.0/21
66.167.224.0/21
66.167.252.0/23
66.167.254.0/23
66.253.10.0/24
66.253.20.0/24
66.253.21.0/24
66.253.22.0/24
66.253.28.0/22
66.253.40.0/22
66.253.44.0/24
66.253.45.0/24
66.253.46.0/24
66.253.47.0/24
66.253.52.0/22
66.253.56.0/24
66.253.81.0/24
66.253.82.0/24
66.253.83.0/24
66.253.84.0/24
66.253.92.0/24
66.253.93.0/24
66.253.118.0/24
67.100.0.0/23
67.100.4.0/23
67.100.48.0/21
67.100.56.0/21
67.100.72.0/21
67.100.80.0/21
67.100.96.0/21
67.100.104.0/21
67.100.112.0/21
67.100.124.0/22
67.100.128.0/23
67.100.136.0/23
67.100.138.0/23
67.100.144.0/21
67.100.168.0/21
67.100.184.0/21
67.100.192.0/21
67.100.220.0/23
67.101.14.0/23
67.101.16.0/21
67.101.72.0/21
67.101.92.0/23
67.101.94.0/23
67.101.124.0/22
67.101.128.0/21
67.101.140.0/23
67.101.142.0/23
67.101.152.0/21
67.101.176.0/21
67.101.192.0/21
67.101.200.0/21
67.101.224.0/23
67.101.230.0/23
67.101.240.0/21
67.101.248.0/21
67.102.0.0/21
67.102.8.0/23
67.102.32.0/21
67.102.40.0/21
67.102.48.0/21
67.102.60.0/23
67.102.96.0/21
67.102.112.0/21
67.102.120.0/23
67.102.124.0/23
67.102.144.0/21
67.102.152.0/21
67.102.166.0/23
67.102.168.0/21
67.102.176.0/21
67.102.200.0/21
67.102.234.0/23
67.102.240.0/21
67.102.248.0/21
67.103.0.0/21
67.103.8.0/21
67.103.24.0/21
67.103.64.0/21
67.103.102.0/23
67.103.110.0/23
67.103.112.0/21
67.103.160.0/23
67.103.162.0/23
67.103.192.0/21
67.103.200.0/23
67.103.202.0/23
67.103.226.0/23
67.103.250.0/23
67.103.252.0/23
67.103.254.0/23
68.164.24.0/21
68.164.32.0/21
68.164.44.0/23
68.164.78.0/23
68.164.80.0/20
68.164.96.0/21
68.164.126.0/23
68.164.160.0/21
68.164.192.0/21
68.164.208.0/23
These addresses have no relationship with Iceland so we can say it's a
hijacking. But do note there is no AS prepending in the announce (the
trick described by Kapela & PIlosov to create a clean return path).
Finding the other announces in RouteViews is left as an exercice
(hint: use a RouteViews collector close from the announce, here in
England, because the hijacking announce did not propagate everywhere).
More information about the NANOG
mailing list