Re: BGP hijack of Spamhaus?

[Job Snijders <job.snijders () atrato com>]

Hi Nicolai,

It really happened, here are my notes. 

        http://instituut.net/~job/cb3rob-spamhaus-hijack-21-mar-2013.txt

Renesys also confirmed seeing the /32 from that direction, but they could
not share the data because of an NDA. 

Because it was a /32, it was a hyperlocal event, if you can read Dutch and
read the comments on the greenhost.nl blog, you'll see that Kamphuis is
not denying, but rather elaborates on what he did:

        "wijst er ook maar even op dat onze uiteraard in-house developed
        dns code die we voor dit project ingezet hebben ook keurig op
        stdout liet zien WAT er door WIE werdt opgevraagd…"

Roughly translates to:

        "Let me emphasize that our in-house developed dns code, which was
        used for this project very nicely logged to stdout WHO was requesting
        WHAT"

Kind regards,

Job

On Mar 29, 2013, at 7:05 PM, Nicolai <nicolai-nanog () chocolatine org> wrote:

> Hi all,
>
> Regarding the Spamhaus DDoS attack, there's a Cisco article [0]
> detailing its chronology, which cites greenhost.nl [1] claiming a BGP
> hijack by AS34109 (CB3ROB).  Here, a /32 was announced (and accepted...)
> for 0.ns.spamhaus.org, and the fraudulent server returned 127.0.0.2 for
> *all* DNSBL queries, with the intent to undermine confidence in
> Spamhaus.
>
> Are there any confirmations of this claim?  This needs to be
> investigated and proven/disproven.
>
> Nicolai
>
> 0. http://blogs.cisco.com/security/chronology-of-a-ddos-spamhaus/
> 1. https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/

-- 
AS5580 - Atrato IP Networks