BGP hijack of Spamhaus?

Hi all,

Regarding the Spamhaus DDoS attack, there's a Cisco article [0]
detailing its chronology, which cites greenhost.nl [1] claiming a BGP
hijack by AS34109 (CB3ROB). Here, a /32 was announced (and accepted...)
for 0.ns.spamhaus.org, and the fraudulent server returned 127.0.0.2 for
*all* DNSBL queries, with the intent to undermine confidence in
Spamhaus.

Are there any confirmations of this claim? This needs to be
investigated and proven/disproven.

Nicolai

0. http://blogs.cisco.com/security/chronology-of-a-ddos-spamhaus/
1. https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/
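As an added example (not from this thread or from Spamhaus), a fail-open DNSBL health check in Python that catches the pattern described above, a feed answering 127.0.0.2 for every query. It relies on the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not be listed); the zone name and the two stand-in resolvers are constructed so it runs offline.

```python
import socket
from typing import Callable, Optional

# RFC 5782 section 5: an IPv4 DNSBL MUST list 127.0.0.2 (positive test entry)
# and MUST NOT list 127.0.0.1 (negative test entry).
POSITIVE_TEST = "127.0.0.2"
NEGATIVE_TEST = "127.0.0.1"

Lookup = Callable[[str], Optional[str]]

def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone, e.g. 2.0.0.127.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def live_lookup(name: str) -> Optional[str]:
    """Resolve with the system resolver; None means not listed (NXDOMAIN)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def dnsbl_health(zone: str, lookup: Lookup = live_lookup) -> str:
    """Classify a feed as 'ok', 'dead' or 'poisoned'.

    'poisoned' is the hijack pattern: the negative test entry comes back
    listed, so anything this feed says about real clients is untrustworthy.
    'dead' means even the positive test entry is missing (feed unreachable).
    """
    if lookup(dnsbl_name(NEGATIVE_TEST, zone)) is not None:
        return "poisoned"
    if lookup(dnsbl_name(POSITIVE_TEST, zone)) is None:
        return "dead"
    return "ok"

def should_reject(client_ip: str, zone: str, lookup: Lookup = live_lookup) -> bool:
    """Fail open: only act on a listing when the feed passed its health check."""
    if dnsbl_health(zone, lookup) != "ok":
        return False
    return lookup(dnsbl_name(client_ip, zone)) is not None

# Constructed stand-ins for the two situations (placeholder zone, no network).
ZONE = "zen.example.test"
HEALTHY_LISTED = {dnsbl_name("192.0.2.10", ZONE), dnsbl_name(POSITIVE_TEST, ZONE)}

def healthy_feed(name: str) -> Optional[str]:
    return "127.0.0.2" if name in HEALTHY_LISTED else None

def hijacked_feed(name: str) -> Optional[str]:
    return "127.0.0.2"  # every query answered "listed", as in the hijack
```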

Hi Nicolai,

It really happened, here are my notes.

  http://instituut.net/~job/cb3rob-spamhaus-hijack-21-mar-2013.txt

Renesys also confirmed seeing the /32 from that direction, but they could
not share the data because of an NDA.

Because it was a /32, it was a hyperlocal event. If you can read Dutch and
read the comments on the greenhost.nl blog, you'll see that Kamphuis is
not denying it, but rather elaborates on what he did:

  "wijst er ook maar even op dat onze uiteraard in-house developed
  dns code die we voor dit project ingezet hebben ook keurig op
  stdout liet zien WAT er door WIE werdt opgevraagd…"

Roughly translates to:

  "Let me emphasize that our in-house developed dns code, which was
  used for this project, very nicely logged to stdout WHO was requesting
  WHAT"

Kind regards,

Job

Thanks again for this, Job. (Other response in private mail.)

I just wanted to note for anyone interested, there's another article
stating that AS34109 (CB3ROB) had also recently hijacked 205.19.72.0/23,
owned by the DoD, over the two-week period from March 7-21.

http://www.bgpmon.net/looking-at-the-spamhouse-ddos-from-a-bgp-perspective/

Nicolai