BGP hijack of Spamhaus?

Hi all,

Regarding the Spamhaus DDoS attack, there's a Cisco article [0]
detailing its chronology, which cites [1] claiming a BGP
hijack by AS34109 (CB3ROB). Here, a /32 was announced (and accepted...)
for, and the fraudulent server returned for
*all* DNSBL queries, with the intent to undermine confidence in

Are there any confirmations of this claim? This needs to be
investigated and proven/disproven.
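For readers who run mail systems that depend on a DNSBL, here is an added illustration (not part of the thread, and not Spamhaus's or Cisco's code) of two defensive checks that would flag the scenario described above: a DNSBL server that answers "listed" for every query, and a route covering the DNSBL server's address that is more specific than expected or originates from an unexpected AS. The zone name, the expected prefix, the AS numbers and the route table are constructed placeholders; the control addresses follow the common DNSBL convention of a "never listed" 127.0.0.1 and an "always listed" 127.0.0.2, which is an assumption you should confirm against your own list's documentation. The resolvers are stand-ins so the script runs offline; in production you would swap in a real DNS lookup and a feed from your routing table.

```python
"""Sanity checks for a DNSBL a mail system depends on (added example).

Assumptions (constructed, not from the thread):
  * control addresses: 127.0.0.1 must never be listed, 127.0.0.2 always listed
  * DNSBL_ZONE, EXPECTED_PREFIX, EXPECTED_ORIGIN and the route entries are placeholders
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple

DNSBL_ZONE = "dnsbl.example.invalid"  # placeholder zone name
ALWAYS_LISTED = "127.0.0.2"           # control that must be listed
NEVER_LISTED = "127.0.0.1"            # control that must not be listed

# A resolver maps a query name to the A record it received, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: the IPv4 octets reversed, under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_health(resolve: Resolver, zone: str = DNSBL_ZONE) -> Tuple[bool, str]:
    """Return (healthy, reason).

    A rogue server that answers 'listed' for everything fails the never-listed
    control; an empty or unreachable zone fails the always-listed control.
    """
    listed = resolve(dnsbl_query_name(ALWAYS_LISTED, zone))
    clean = resolve(dnsbl_query_name(NEVER_LISTED, zone))
    if listed is None:
        return False, "always-listed control returned NXDOMAIN: zone empty or unreachable"
    if clean is not None:
        return False, f"never-listed control returned {clean}: server lists everything"
    return True, "controls behave as expected"


def make_resolver(table: Dict[str, str]) -> Resolver:
    """Constructed resolver backed by a fixed answer table (stands in for real DNS)."""
    return lambda name: table.get(name)


def rogue_resolver(name: str) -> Optional[str]:
    """Constructed resolver mimicking the rogue server: every query is 'listed'."""
    return "127.0.0.2"


# Constructed table for a healthy zone: only the always-listed control has a record.
HEALTHY_TABLE = {dnsbl_query_name(ALWAYS_LISTED): "127.0.0.2"}


def route_anomalies(routes: Iterable[Tuple[str, int]],
                    expected_prefix: str,
                    expected_origin: int) -> List[Tuple[str, int, str]]:
    """Flag routes inside expected_prefix that are more specific than it or
    originate from an AS other than expected_origin.

    routes: (prefix, origin AS) pairs, e.g. from a looking glass or BMP feed.
    """
    expected = ipaddress.ip_network(expected_prefix)
    findings = []
    for prefix, origin in routes:
        net = ipaddress.ip_network(prefix)
        if not net.subnet_of(expected):
            continue  # unrelated prefix
        reasons = []
        if net.prefixlen > expected.prefixlen:
            reasons.append("more-specific")
        if origin != expected_origin:
            reasons.append("unexpected-origin")
        if reasons:
            findings.append((prefix, origin, ",".join(reasons)))
    return findings


# Constructed route table: the legitimate /24 plus a hijacking /32 from another AS.
EXPECTED_PREFIX = "192.0.2.0/24"
EXPECTED_ORIGIN = 64500
SAMPLE_ROUTES = [("192.0.2.0/24", 64500), ("192.0.2.53/32", 64511), ("198.51.100.0/24", 64512)]

if __name__ == "__main__":
    print(dnsbl_health(make_resolver(HEALTHY_TABLE)))
    print(dnsbl_health(rogue_resolver))
    print(route_anomalies(SAMPLE_ROUTES, EXPECTED_PREFIX, EXPECTED_ORIGIN))
```

The DNSBL check is cheap enough to run from each mail relay on a schedule; the route check belongs with whoever watches your routing table, and a positive from either should pause reliance on the list rather than silently accepting its answers.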



Hi Nicolai,

It really happened, here are my notes.

Renesys also confirmed seeing the /32 from that direction, but they could
not share the data because of an NDA.

Because it was a /32, it was a hyperlocal event. If you can read Dutch and
read the comments on the blog, you'll see that Kamphuis is
not denying it, but rather elaborates on what he did:

  "wijst er ook maar even op dat onze uiteraard in-house developed
  dns code die we voor dit project ingezet hebben ook keurig op
  stdout liet zien WAT er door WIE werd opgevraagd…"

Roughly translates to:

  "Let me emphasize that our in-house developed dns code, which was
  used for this project, very nicely logged to stdout WHO was requesting

Kind regards,


Thanks again for this, Job. (Other response in private mail.)

I just wanted to note for anyone interested, there's another article
stating that AS34109 (CB3ROB) had also recently hijacked,
owned by the DoD, over the two-week period from March 7-21.