Prefix hijacking, how to prevent and fix currently

Thu Sep 4 18:47:42 UTC 2014

Hi Doug, All,

We’ve seen similar things, including hijacks of less specific IP prefixes (even /8s), correlated with spam behavior.  

We presented on this at NANOG 35:
http://nanog.org/meetings/nanog36/presentations/feamster.pdf

Slide 4 shows a short-lived BGP announcement for IP space that was the source of spam.  Interestingly, many of the short-lived annoucements that we observed were /8s.  Subsequent slides explain why.  Subsequent slides explain these observations in more detail, and we had a paper in SIGCOMM’06 describing this activity in more detail:
http://www.cc.gatech.edu/~feamster/papers/p396-ramachandran.pdf

We have a couple of pieces of follow-up work:
- It turns out that you can use BGP dynamics as features to design filters for spam and other attack traffic (we have a couple of papers on this)
- Some of these observable dynamics are also useful for establishing AS reputation (a la Hostexploit) - we have some ongoing work here

Happy to talk more, either on-list or off-list.

Cheers,
-Nick

On Aug 31, 2014, at 2:04 PM, Doug Madory <dmadory at renesys.com> wrote:

> FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.
> 
> In this case, starting late Jun, we have seen IP address ranges from around the world (most ranges are unused, sometimes hijacked space) announced by one of two (formerly unused) ASNs and routed through another formerly unused ASN, 57756, then on to Anders (AS39792) and out to the Internet in the following form:
> 
> 	... 39792 57756 {3.721, 43239}	prefix
> 
> The prefixes are only routed for an hour or two before it moves on to the next range of IP address space. Not sure if this is for spam or something else. Either way, it is probably associated with something bad. Earlier this month I reached out to a contact at Anders in Russia and gave him some details about what was happening. I didn't get a response, but within a couple of days the routing (mostly) shifted from Anders to through Petersburg Internet Network (AS44050). I have no idea if this was due to my email. The day it moved to PIN I sent similar emails to addresses I could find at PIN, but haven't seen any response. Now the these routes take one of two forms:
> 
> 	... 39792 57756 {3.721, 43239}	prefix
> 
> Or
> 
> 	... 44050 57756 {3.721, 43239}	prefix
> 
> This is mostly routed through Cogent (AS174), but Anders (AS39792) also has a lot of peers. I would advise that people treat any route coming through AS57756 is probably bad. AS57756 doesn't originate anything and hasn't since 28-Jun when it very briefly hijacked some NZ space.
> 
> Also, Pierre-Antoine Vervier from Symantec gave a good talk at NANOG in Feb about IP squatting for spam generation. Pierre and I have since compared notes on this topic.
> 
> -Doug Madory
> 
> ----- Original Message -----
>> From: "Tarun Dua" <lists at tarundua.net>
>> To: nanog at nanog.org
>> Sent: Thursday, August 28, 2014 12:55:25 PM
>> Subject: Prefix hijacking, how to prevent and fix currently
>> 
>> AS Number 43239
>> AS Name SPETSENERGO-AS SpetsEnergo Ltd.
>> 
>> Has started hijacking our IPv4 prefix, while this prefix was NOT in
>> production, it worries us that it was this easy for someone to hijack
>> it.
>> 
>> http://bgp.he.net/AS43239#_prefixes
>> 
>> 103.20.212.0/22 <- This belongs to us.
>> 
>> 103.238.232.0/22 KNS Techno Integrators Pvt. Ltd.
>> 193.43.33.0/24 hydrocontrol S.C.R.L.
>> 193.56.146.0/24 TRAPIL - Societe des Transports Petroliers par Pipeline
>> 
>> Where do we complain to get this fixed.
>> 
>> -Tarun
>> AS132420
>> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20140904/2466a4a6/attachment.sig>