nanog mailing list archives
Re: odd hijack
From: Nick Feamster <feamster () cc gatech edu>
Date: Fri, 10 Nov 2006 12:00:23 -0500
On Fri, Nov 10, 2006 at 07:20:10AM +0200, Hank Nussbacher wrote:
> AS29449 is not the problem. It is the upstreams of AS5602 (KPNQwest Italia) and AS286 (KPN) that let this crap leak.
In fact, it may not even be the immediate upstreams. In our paper, we describe specific examples where it's very hard to track exactly who's at fault, because so much of the AS path appears to be forged. See finding #5 in the excerpt below. I include the most germane excerpt from the paper below, for people's convenience.

btw, Randy Bush helped us understand this technique a bit better and coined the phrase "spectrum agility".

"... We have called this technique "spectrum agility" because it allows a spammer the flexibility to use a wide variety of IP addresses within a very large block from which to send spam. The large IP address block allows the mail relays to "hop" between a large number of IP addresses, thereby evading IP-based filtering techniques like DNSBLs. Judging from Figure [fig:dnsbls] and our analysis in Section [sec:dnsbls], the technique seems to be rather effective. As an added benefit, route announcements for shorter IP prefixes (i.e., larger blocks of IP addresses) are less likely to be blocked by ISPs' route filters than route announcements or hijacks for longer prefixes.

Upon further inspection, we also discovered the following interesting features:

(1) the IP addresses of the mail relays sending this spam are widely distributed across the IP address space;
(2) the IP addresses from which we see spam in this address space typically appear only once;
(3) on February 6, 2006, attempts to contact the mail relays that we observed using this technique revealed that roughly 60-80% of these hosts were not reachable by traceroute;
(4) many of the IP addresses of these mail relays were located in allocated, albeit unannounced and unused IP address space; and
(5) many of the AS paths for these announcements contained reserved (i.e., to-date unallocated AS numbers), suggesting a possible attempt to further hamper traceability by forging elements of the AS path. ..."

-Nick
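The following is an added example, not code from the paper or from anyone in this thread. It turns two of the excerpt's observations into checks a practitioner could run over a routing snapshot and a mail log: AS paths carrying reserved AS numbers (finding 5) together with very short prefixes, and spam sources that each appear only once and are spread across a large block (findings 1 and 2). The routing and log formats, the ASNs 1000/2000/3000 standing in for ordinary allocated ASNs, and all sample data are constructed for the example. The ASN check covers only IANA-reserved and special-purpose ranges; the paper's broader "to-date unallocated" test would need a registry snapshot, which this example does not include.

```python
"""Spectrum-agility heuristics over a constructed routing snapshot and spam log.

Route level: AS paths containing reserved AS numbers and very short prefixes.
Source level: how spam sources map onto announced blocks (longest match),
how many are seen only once, and how many /16s they span inside each block.
Formats and data are hypothetical; only IANA-reserved ASN ranges are checked.
"""
import ipaddress
from collections import Counter

# Special-purpose AS numbers (RFC 7607, RFC 6793, RFC 5398, RFC 6996).
RESERVED_ASN_RANGES = (
    (0, 0),                     # must not be originated
    (23456, 23456),             # AS_TRANS
    (64496, 64511),             # documentation
    (64512, 65534),             # private use
    (65535, 65535),             # reserved
    (65536, 65551),             # documentation
    (4200000000, 4294967294),   # private use
    (4294967295, 4294967295),   # reserved
)

# Constructed routing snapshot: "prefix|AS path". 1000/2000/3000 stand in for
# ordinary allocated ASNs; the /8 carries a forged-looking tail of 65535 and 0.
RIB = """\
203.0.113.0/24|1000 2000
198.51.100.0/24|1000 3000
10.0.0.0/8|1000 2000 65535 0
"""

# Constructed spam log: "timestamp source-ip", one delivery attempt per line.
SPAM_LOG = """\
2006-02-06T10:01:02 10.17.200.5
2006-02-06T10:03:44 10.250.3.9
2006-02-06T10:04:10 10.4.77.200
2006-02-06T10:08:31 203.0.113.25
2006-02-06T10:09:02 203.0.113.25
2006-02-06T10:12:55 10.131.9.14
"""


def is_reserved_asn(asn):
    return any(lo <= asn <= hi for lo, hi in RESERVED_ASN_RANGES)


def parse_rib(text):
    """Return a list of (network, [asn, ...]) from the constructed RIB format."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, path = line.split("|")
        routes.append((ipaddress.ip_network(prefix), [int(a) for a in path.split()]))
    return routes


def parse_spam_log(text):
    return [line.split()[1] for line in text.splitlines() if line.strip()]


def flag_routes(routes, max_short_prefixlen=8):
    """Map prefix -> reasons for every route that shows spectrum-agility traits."""
    flagged = {}
    for net, path in routes:
        reasons = []
        bad = [a for a in path if is_reserved_asn(a)]
        if bad:
            reasons.append(f"reserved ASNs in path: {bad}")
        if net.prefixlen <= max_short_prefixlen:
            reasons.append(f"short prefix /{net.prefixlen} ({net.num_addresses} addresses)")
        if reasons:
            flagged[str(net)] = reasons
    return flagged


def best_route(routes, ip):
    """Longest-prefix match, the covering route a router would actually select."""
    matches = [net for net, _ in routes if ip in net]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def spam_source_profile(routes, spam_ips):
    """Per covering block: distinct sources and the /16s they span;
    overall: the fraction of sources that appear exactly once."""
    counts = Counter(ipaddress.ip_address(ip) for ip in spam_ips)
    per_block = {}
    for ip in counts:
        net = best_route(routes, ip)
        if net is None:
            continue  # source not covered by any announced route
        entry = per_block.setdefault(str(net), {"sources": 0, "slash16s": set()})
        entry["sources"] += 1
        entry["slash16s"].add(int(ip) >> 16)
    one_shot = sum(1 for c in counts.values() if c == 1)
    return {
        "unique_sources": len(counts),
        "one_shot_fraction": one_shot / len(counts) if counts else 0.0,
        "per_block": {k: {"sources": v["sources"], "distinct_slash16s": len(v["slash16s"])}
                      for k, v in per_block.items()},
    }


if __name__ == "__main__":
    routes = parse_rib(RIB)
    for prefix, reasons in flag_routes(routes).items():
        print(prefix, "->", "; ".join(reasons))
    print(spam_source_profile(routes, parse_spam_log(SPAM_LOG)))
```

On the constructed data only the /8 is flagged, for both the reserved tail (65535, 0) and its size, and the four spam sources inside it each appear once and land in four different /16s, while the /24 sees one source twice. Against a real table the short-prefix threshold and the "only reserved ranges" simplification would both need tuning; the point is that the path and the source distribution are checked together, because either signal alone is common for benign reasons.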
Current thread:
- odd hijack Josh Karlin (Nov 09)
- Re: odd hijack Hank Nussbacher (Nov 09)
- Re: odd hijack Josh Karlin (Nov 09)
- Re: odd hijack Hank Nussbacher (Nov 10)
- Re: odd hijack steve (Nov 10)
- Re: odd hijack Nick Feamster (Nov 10)
- Re: odd hijack Randy Bush (Nov 10)
- Re: odd hijack Josh Karlin (Nov 10)
- Re: odd hijack Randy Bush (Nov 10)
- Re: odd hijack Josh Karlin (Nov 09)
- Re: odd hijack Nick Feamster (Nov 10)
- Re: odd hijack Hank Nussbacher (Nov 09)