Cisco/Level3 takedown

Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables.

Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why Cisco published the ssh attack dictionary.

It seems to me that this is something that if they want to do, they should be working with the entire service provider community, not just one provider.

Thanks

Sameer Khosla
Managing Director
Neutral Data Centers Corp.
Twitter: @skhoslaTO

are you sure they aren't engaged with a wider SP community?
(the dictionary seems relevant for: "Oh crap, my root account DOES
have password123 as the password :(")

Reading the article, I assumed that perhaps Level 3 was an upstream carrier, but RIPE stats shows that the covering prefix (103.41.120.0/22) is announced by AS63509, an Indonesian organization. It looks like they're fighting back by announcing their own /24 now.

I love the AS's address:
descr:Jl. Marcedes Bens No.258
descr:Gunung Putri, Bogor
descr:Jawa Barat 16964
country:ID

While a Level 3 /24 announcement will certainly have a worldwide impact, I agree that it seems misguided when the originating AS can announce their own /24. It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).

--Blake

Seems like this is pretty ineffective. The group already moved subnets once, they will likely do this again, all Cisco/L3 have done is slow them down a bit.

Stephen Mikulasik

I was wondering why a non-allocated AS was being allowed to announce the
blocks but it appears that APNIC has revoked the 63854 ASN?

http://wq.apnic.net/apnic-bin/whois.pl?searchtext=AS63854&object_type=aut-num

Based on Google's cache, it was still there late March.

BGP routing table entry for 103.41.125.0/24, version 108425142
Paths: (1 available, best #1, table default)
Not advertised to any peer
6939 4134 36678 26484 63854

Blake Hudson wrote:

It does make one wonder why Cisco or Level 3 is involved, why they
feel they have the authority to hijack someone else's IP space, and
why they didn't go through law enforcement. This is especially true
for the second netblock (43.255.190.0/23), announced by a US company
(AS26484).

vigilantes always wear white hats.

randy

Wrong. Batman, for example, wears a black hat.

-mel via cell

Wrong. Batman, for example, wears a black hat.

vigilantes always wear white hats.

i stand corrected

Just to add to the noise.... I think Batman wears a black mask/helmet, but
I've never considered it a mask. I didn't look at the details on this, but
did L3 sink the routes at their border or did they expressly announce the
route to sink it?

-jim

I think that, properly, Batman wears a cowl, not a hat.

Thank you, Mask Man.

                                -Bill

folk are getting kinda bent out of shape about this, and about L3
doing 'something' but look at:
  <https://stat.ripe.net/widget/bgplay#w.resource=23.234.60.140>

what's 4134 doing there? This one as well:

  <https://stat.ripe.net/widget/bgplay#w.resource=103.41.124.0&w.ignoreReannouncements=true&w.starttime=1427910000&w.endtime=1428601200&w.instant=null&w.type=bgp&w.rrcs=0,1,6,7,11,14,3,4,5,10,12,13,15>

wowsa! howdy 4134, having fun there?

I think that, properly, Batman wears a cowl, not a hat.

<http://en.wikipedia.org/wiki/Batsuit>
"... the details of his costume from time to time, it is most often
depicted as consisting of: matching black (or blue) scalloped cape,
bat-like cowl, gloves with a series of scalloped, fin-like
protuberances, boots, and outerwear briefs; a yellow utility belt;
and, a skintight gray body suit..."

Warrior Nun Areala wears a black hat.

  http://en.wikipedia.org/wiki/Warrior_Nun_Areala

   -b

In response to Sameer Khosla's comment that we should work with the entire
service provider community:

Talos is the threat intelligence group within Cisco. We absolutely
welcome discussions with any network operator on how we can improve the
state of security on the Internet. Please contact me directly via email
and we can have a discussion about how we can work together going forward.

Thank you in advance,

Matthew Olney
Manager, Talos Threat Intelligence Analytics
Cisco

While I agree that the (at least temporary) mitigation of the threat was overall a good thing, I'm not really happy with the method used. Decisions to drop/block/filter traffic should be done locally. I would have appreciated Talos coming to the various *nog lists and saying something like "Hey, there's some really bad guys here. Here's the evidence of their bad behavior, you really should block them." That probably would have had a wider reach than just going to Level3.

--Chris

Seconded

this kind of decision should be left to the various providers, and be
taken openly. while i am sure the decision has been taken with the best
intention, i'd prefer not seeing this kind of power wielded in a
discretionary fashion. 'tis a road that can lead to places i'm pretty
sure nobody wants to go.

Can anyone else get to http://blogs.cisco.com ? I can't seem to reach it and was wondering if there was a counterattack of some type. Traceroute takes me to Rackspace in Dallas but the web site is not up.

Steven Naslund
Chicago IL

Websites up for me.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

Sorry, I’m getting it now too. False alarm.

Steve