Re: IP announce DOS

[Alex Thurlow <buddychrist () gmail com>]

This was actually another block allocated to us by ARIN.  It is most 
definitely portable.


Burton Strauss wrote:

> Fer sure...
>
> Addresses come in two kinds ...
>
> If the address space was allocated TO YOU, either directly by a regional
> registry (ARIN, RIPE, LACNIC, APNIC, AFRINIC, etc.) or by IANA, you have the
> rights to move it.
>
> If the address space was allocated to the ISP and subdivided, by them, then
> you DO NOT own it and can not move it.
>
> (Hence called portable and non-portable).
>
>
> You can check the status of a block by doing a whois query (whois -h
> whois.arin.net <address>) and you'll usually be able to figure it out from
> the output:
>
> $ nslookup www.skylist.net
> <snip />
> Name:   www.skylist.net
> Address: 66.219.61.67
>
> $ whois -h whois.arin.net 66.219.61.67
>
> [Querying whois.arin.net]
> [Redirected to rwhois.corenap.com:4321]
> [Querying rwhois.corenap.com]
> [rwhois.corenap.com]
> %rwhois V-1.5:003fff:00 cache02.ns.corenap.com (by Network Solutions, Inc.
> V-1.5.7.3)
> network:Auth-Area:66.219.32.0/19
> network:ID:NET-66-219-61-0-1
> network:Network-Name:NET-66-219-61-0-1
> network:IP-Network:66.219.61.0/24
> network:Org-Name:SKYLIST, Inc.
> network:Street-Address:Private Residence
> network:City:Austin
> network:State:TX
> network:Postal-Code:78720
> network:Country-Code:US
> network:Tech-Contact:hostmaster () corenap com
> network:Updated:20050517
> network:Updated-By:hostmaster () corenap com
> network:Class-Name:network
>
> %ok
>
> If you look, you'll see that there are two blocks - a big one to Corenet and
> a subnet to Skylist. If it were your space, portable, then you should only
> see the single allocation (sometimes this is listed in the output as
> 'NetType: Direct Allocation'.
>
>
>
>
> -----Burton
>
>
>
>
> -----Original Message-----
> From: Thomas Ng [mailto:thomasng () ida gov sg] 
> Sent: Thursday, June 09, 2005 10:50 PM
> To: 'Alex Thurlow'; security-basics () securityfocus com
> Subject: RE: IP announce DOS
>
> Hi,
>
> Shouldn't it be that each ISPs have their own big blocks? Chances are, the
> class C given to you is in the middle of one of these huge blocks. I am not
> sure what is your agreement with the old and new ISP, but I don't think it
> is that simple to transfer the same set of IPs from one ISP to another. It
> is technically possible ... but I don't think it is that simple.
>
> Usually what I do when I change ISP is to just ask for a new set of IPs from
> the new ISP, change the DNS, allow the TTLs to run out and shift to the new
> sets of IP address. If you play with the DNS correctly, you can get minimal
> downtime, dependent on size and sophistication of your network.
>
> Rgds,
> Thomas
>
>
>
>  
>
> > -----Original Message-----
> > From: Alex Thurlow [mailto:buddychrist () gmail com]
> > Sent: Thursday, June 09, 2005 5:24 AM
> > To: 'security-basics () securityfocus com'
> > Subject: IP announce DOS
> > Importance: High
> >
> > I'm not positive this is the correct list to ask, but it is a security 
> > concern, so I thought I would.  The company I work for had T1 lines 
> > running to our office provided by a local provider.  We had our own C 
> > block of IPs being announced by them and routed to us over those T1s.
> > Our relationship with them went sour (for many reasons I won't get
> >    
> into
>  
>
> > here), and we had to move to a different provider.  We had the routing 
> > switched over to them.  Everything was fine.  Here it is a few weeks 
> > later, and suddenly our old provider starts announcing these IPs
> >    
> again.
>  
>
> > The end result is a partial DOS attack (hence writing to this list) as 
> > some people can't reach us.  They won't stop the announcement.  I
> >    
> don't
>  
>
> > know all the details on what they've said there as it's now gone to 
> > executives and legal people dealing with them.  Is there anything we
> >    
> can
>  
>
> > do here from a network standpoint?  Someone we can report them to?
> >    
> How
>  
>
> > do people protect themselves from just anyone announcing IPs that
> >    
> aren't
>  
>
> > theirs?
> >
> > Thanks in advance,
> > Alex Thurlow
> >
> >
> > ________________________________________
> >
> > SKYLIST
> > Email Marketing Solutions that Deliver Service You Can Trust
> >
> > You are receiving this email message
> > from a representative of SKYLIST, Inc.
> > 13171 Pond Springs Road, Austin, TX 78729 Toll Free: 877.250.2922
> >
> > To cease all communication with SKYLIST, visit 
> > http://www.skylist.net/unsubscribe
> > or send an email to unsubscribe () skylist com
> >    
>
>
>
>  



________________________________________

SKYLIST
Email Marketing Solutions that Deliver
Service You Can Trust

You are receiving this email message
from a representative of SKYLIST, Inc.
13171 Pond Springs Road, Austin, TX 78729
Toll Free: 877.250.2922

To cease all communication with SKYLIST, visit
http://www.skylist.net/unsubscribe
or send an email to unsubscribe () skylist com