Hijacking machine: AS201640 / AS200002

I don't routinely follow this list, so I'm not sure how much of this is
common knowledge already, but...

  http://blogs.cisco.com/security/talos/help-my-ip-address-has-been-hijacked/

Current route announcements for AS201640:

36.0.56.0/21 probable hijack - China
41.92.206.0/23 probable hijack - Cameroon
41.198.80.0/20 probable hijack - South Africa
41.198.224.0/20 probable hijack - South Africa
61.242.128.0/19 probable hijack - China
119.227.224.0/19 probable hijack - India
123.29.96.0/19 probable hijack - Vietnam
177.22.117.0/24 probable hijack - Brazil
187.189.158.0/23 probable hijack - Mexico
202.39.112.0/20 probable hijack - Taiwan Network Information Center
210.57.0.0/19 probable hijack - Telstra/Japan

It would appear that AS201640 may possibly exist at the present time
only for the purpose of providing illicitly obtained IP space for
spammers, including but not limited to the "Mike Prescott" mentioned
in the Cisco blog entry cited above.

The spammer, "Mike Prescott"... not his real last name... has also been
spotted spewing from IP space routed by AS200002, which is AS201640's
only connection to the rest of the world.

Coincidence? You be the judge.

Regards,
rfg

P.S. If anybody is able to look up _all_ of the route announcements
that have been made by AS201640 over the past few months, I for one would
definitely like to see those. Please e-mail them to me off list. I
already know that "Mike Prescott" has been spewing from at least one
of the above current announcements (202.39.112.0/20) and probably all
of the others too. But there are additional route announcements that
have already been withdrawn, and I'd like to check those for "Mike
Prescott" footprints also.

P.P.S. To the real "Mike P."... on the off chance that he might see
this... You can run, but you don't hide very well. You should have
gotten out of the game in 1998 when you had the chance. Maybe the
Powers That Be will lock you up this time.

Hi Ronald,

<snip>

P.S. If anybody is able to look up _all_ of the route announcements that
have been made by AS201640 over the past few months, I for one would
definitely like to see those. Please e-mail them to me off list. I
already know that "Mike Prescott" has been spewing from at least one of the
above current announcements (202.39.112.0/20) and probably all of the
others too. But there are additional route announcements that have already
been withdrawn, and I'd like to check those for "Mike Prescott" footprints
also.

<snip>

http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=201640
http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=200002

or

http://www.cidr-report.org/cgi-bin/as-report?as=AS201640&view=2.0
http://www.cidr-report.org/cgi-bin/as-report?as=AS200002&view=2.0

--
Kind regards

Armin Kneip

Network & System Operator
ASN: 12586, 31025

Mail: ak@ghostnet.de
PGP ID: 0x563C099C
Fingerprint: CE89 0605 5E21 5611 E526 72DD 759F 4DAA 563C 099C

GHOSTnet GmbH
Kaiser-Friedrich-Promenade 65
D-61348 Bad Homburg v.d.H (Germany)
Office +49 (0) 6172 185025
Fax +49 (0) 6172 185029
Internet: www.ghostnet.de
Mail: noc@ghostnet.de

Registered office: Kaiser-Friedrich-Promenade 65, D-61348 Bad Homburg v.d.H.
Local court Bad Homburg v.d.H. HRB 8637, VAT ID no. DE206435465
Managing Director: Sebastian Grafmüller

Hello again, Ronald.

  I don't know for certain that it's all-inclusive, but I would look at https://stat.ripe.net/widget/routing-history#w.resource=AS201640 .

  Unlike last time, I don't have any contacts at the relevant ISPs. Shame.

      Jima

In message <54542174.30809@ghostnet.de>,

http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=201640
http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=200002

or

http://www.cidr-report.org/cgi-bin/as-report?as=AS201640&view=2.0
http://www.cidr-report.org/cgi-bin/as-report?as=AS200002&view=2.0

Thank you.

Unfortunately, the former pair of links only seems to provide data
going back about one week, while the latter pair of links only seems
to provide current data as of today.

I am hoping to be able to find a list of all route announcements
made by AS201640 going all the way back to its creation, which
appears to possibly have occurred on or about 2014-08-27.

Regards,
rfg

While it's not a thorough list of all announcements, here are nightly snapshots courtesy of http://bgp.he.net

AS201640: http://pastebin.com/nvuVbnpn
AS200002: http://pastebin.com/1JZnWadD

Routing-history shows the prefixes which were observed in the 8-hourly RIB dumps from our collective of 13 RIS route collectors. Any short lived announcements which started after and ended before a full dump was taken will be missed by this widget.

We do have a full record of all the BGP announcements observed with origin AS201640 in the last 90 days, but it requires some clicking and digging to extract the prefixes. See: https://stat.ripe.net/widget/bgp-update-activity#w.starttime=2014-08-03T00%3A00%3A00&w.endtime=2014-11-01T00%3A00%3A00&w.resource=AS201640

-- Rene

You have to parse the UPDATES data, eg: located at
archive.routeviews.org or something else, not the rib snapshots.

  - Jared
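The distinction Rene and Jared draw (RIB snapshots miss short-lived announcements; the UPDATES archives hold every message the collector saw) is what the following added example works on. It is not code from the thread, from RouteViews or from RIPE: it decodes MRT BGP4MP_MESSAGE_AS4 records by hand and collects every prefix announced with a given origin AS. The record it parses is constructed inline, so the AS200002 -> AS201640 path and the two prefixes in it are assumptions taken from the thread, not captured data.

```python
"""Extract (prefix, origin AS) from MRT BGP4MP UPDATE records (RFC 6396 framing,
RFC 4271 UPDATE body, 4-byte ASNs per RFC 6793). Added example, not code from the
thread or from RouteViews/RIPE; the record fed in at the bottom is constructed here,
not a capture from archive.routeviews.org."""
import ipaddress
import struct

MRT_BGP4MP = 16          # MRT type
BGP4MP_MESSAGE_AS4 = 4   # MRT subtype: BGP message, 4-byte peer/local AS
BGP_UPDATE = 2           # BGP message type
ATTR_AS_PATH = 2         # path attribute type code
AS_SEQUENCE = 2          # AS_PATH segment type (AS_SET is 1)

def iter_mrt_records(data):
    """Yield (timestamp, type, subtype, body) for each MRT record in data."""
    off = 0
    while off + 12 <= len(data):
        ts, mtype, subtype, length = struct.unpack_from("!IHHI", data, off)
        yield ts, mtype, subtype, data[off + 12:off + 12 + length]
        off += 12 + length

def bgp_message(body):
    """Strip the BGP4MP_MESSAGE_AS4 header: peer AS, local AS, ifindex, AFI, peer IP, local IP."""
    afi = struct.unpack_from("!IIHH", body, 0)[3]
    return body[12 + 2 * (4 if afi == 1 else 16):]

def iter_prefixes(buf):
    """Decode NLRI encoding: one prefix-length byte followed by the minimal prefix bytes."""
    off = 0
    while off < len(buf):
        plen, nbytes = buf[off], (buf[off] + 7) // 8
        raw = buf[off + 1:off + 1 + nbytes].ljust(4, b"\x00")
        yield ipaddress.IPv4Network((int.from_bytes(raw, "big"), plen), strict=False)
        off += 1 + nbytes

def origin_as(attrs):
    """Return the origin AS from AS_PATH: rightmost AS of the last AS_SEQUENCE, or None
    when the path ends in an AS_SET (aggregate) or carries no AS_PATH at all."""
    off = 0
    while off < len(attrs):
        flags, atype = attrs[off], attrs[off + 1]
        ext = 1 if flags & 0x10 else 0                   # extended-length flag
        alen = struct.unpack_from("!H", attrs, off + 2)[0] if ext else attrs[off + 2]
        value = attrs[off + 3 + ext:off + 3 + ext + alen]
        off += 3 + ext + alen
        if atype != ATTR_AS_PATH:
            continue
        origin, p = None, 0
        while p < len(value):
            seg_type, count = value[p], value[p + 1]
            asns = struct.unpack_from("!%dI" % count, value, p + 2)
            origin = asns[-1] if seg_type == AS_SEQUENCE and asns else None
            p += 2 + 4 * count
        return origin
    return None

def parse_update(msg):
    """Return (origin_as, announced_prefixes) for a BGP UPDATE, or None for other message types."""
    length, mtype = struct.unpack_from("!HB", msg, 16)   # fields after the 16-byte marker
    if mtype != BGP_UPDATE:
        return None
    wlen = struct.unpack_from("!H", msg, 19)[0]          # withdrawn routes (skipped here)
    alen = struct.unpack_from("!H", msg, 21 + wlen)[0]
    attrs = msg[23 + wlen:23 + wlen + alen]
    return origin_as(attrs), list(iter_prefixes(msg[23 + wlen + alen:length]))

def prefixes_originated_by(data, asn):
    """All prefixes announced with origin `asn` anywhere in an MRT UPDATES blob."""
    found = set()
    for _ts, mtype, subtype, body in iter_mrt_records(data):
        if mtype != MRT_BGP4MP or subtype != BGP4MP_MESSAGE_AS4:
            continue                                     # state changes, 2-byte-AS records, ...
        parsed = parse_update(bgp_message(body))
        if parsed and parsed[0] == asn:
            found.update(str(n) for n in parsed[1])
    return sorted(found)

def build_update_record(peer_as, as_path, prefixes, ts=1414800000):
    """Build one constructed BGP4MP_MESSAGE_AS4 record carrying an UPDATE (test data only)."""
    nh = ipaddress.IPv4Address("192.0.2.1").packed       # dummy next hop / peer / local address
    seg = struct.pack("!BB", AS_SEQUENCE, len(as_path)) + b"".join(struct.pack("!I", a) for a in as_path)
    attrs = (struct.pack("!BBBB", 0x40, 1, 1, 0)                       # ORIGIN = IGP
             + struct.pack("!BBB", 0x40, ATTR_AS_PATH, len(seg)) + seg  # AS_PATH
             + struct.pack("!BBB", 0x40, 3, 4) + nh)                    # NEXT_HOP
    nlri = b"".join(bytes([n.prefixlen]) + n.network_address.packed[:(n.prefixlen + 7) // 8]
                    for n in map(ipaddress.IPv4Network, prefixes))
    update = struct.pack("!HH", 0, len(attrs)) + attrs + nlri
    body = (struct.pack("!IIHH", peer_as, 64500, 0, 1) + nh + nh
            + b"\xff" * 16 + struct.pack("!HB", 19 + len(update), BGP_UPDATE) + update)
    return struct.pack("!IHHI", ts, MRT_BGP4MP, BGP4MP_MESSAGE_AS4, len(body)) + body

# Constructed sample: two UPDATEs as a collector might log them. The first carries one of
# the thread's prefixes behind an AS200002 -> AS201640 path; the second is unrelated.
SAMPLE = (build_update_record(200002, [200002, 201640], ["202.39.112.0/20", "36.0.56.0/21"])
          + build_update_record(64496, [64496, 64497], ["198.51.100.0/24"]))

if __name__ == "__main__":
    print(prefixes_originated_by(SAMPLE, 201640))
```

Against a real archive you would feed the decompressed file instead of SAMPLE (RouteViews update files are bzip2, RIS raw dumps gzip, so `bz2.open(path, "rb").read()` or `gzip.open(...)`) and loop over every file in the window of interest. Two caveats a practitioner should keep in mind: older collector files may carry BGP4MP_MESSAGE records (subtype 1, 2-byte ASNs) or ADD-PATH subtypes, which this parser deliberately skips, and IPv6 is announced in MP_REACH_NLRI rather than the plain NLRI field, so it is not decoded here.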

BGPlay found at https://stat.ripe.net/ is back and I find it easier to look
back at bgp tables and find events like another AS or more specific route
appearing.

Also if you never looked, bgpmon.net is a decent service to monitor import
announcements and AS numbers to get near real time alerts of routing
changes. Doesn't help this situation but can help you get alerted when it
happens next.

Bryan Socha
Network Engineer
DigitalOcean
646-450-0472
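Bryan's point about getting alerted when it happens next, as an added example that is not part of the thread and not BGPmon's code: the core check such a monitor runs on each observed (prefix, origin AS). It flags an exact-prefix announcement from an unexpected origin and any more-specific announced inside a monitored block, which is the form the "more specific route appearing" case above takes. The monitored prefixes, expected origins and the feed are constructed; the ASNs are documentation/private-use numbers, not any operator's.

```python
"""Alert on origin changes and more-specific announcements for monitored prefixes.

Added example, not code from the thread or from BGPmon. MONITORED and SAMPLE_FEED
are constructed; in practice the feed would come from a live BGP session or a
parsed stream of UPDATE records.
"""
import ipaddress

# Constructed: prefixes we hold and the origin ASNs that may legitimately announce them.
MONITORED = {
    ipaddress.ip_network("203.0.113.0/24"): {64496},
    ipaddress.ip_network("198.51.100.0/22"): {64496, 64497},   # legitimately dual-origin
}

def classify(prefix, origin_asn, monitored=MONITORED):
    """Return None if the announcement is expected, else (kind, covering_prefix)."""
    net = ipaddress.ip_network(prefix)
    for owned, origins in monitored.items():
        if net.version != owned.version:
            continue
        if net == owned:
            return None if origin_asn in origins else ("origin-change", str(owned))
        if net.subnet_of(owned):
            # A more-specific wins longest-match regardless of who originates it, and
            # the origin AS is just a path attribute an attacker can forge, so alert
            # even when the origin looks like our own.
            return ("more-specific", str(owned))
    return None

def alerts(feed, monitored=MONITORED):
    """feed: iterable of (timestamp, prefix, origin_asn). Returns alert dicts, one per
    distinct (prefix, origin, kind), keeping the first time each was seen."""
    seen, out = set(), []
    for ts, prefix, origin in feed:
        hit = classify(prefix, origin, monitored)
        if hit is None:
            continue
        key = (prefix, origin, hit[0])
        if key in seen:
            continue
        seen.add(key)
        out.append({"time": ts, "prefix": prefix, "origin_as": origin,
                    "kind": hit[0], "covers": hit[1]})
    return out

# Constructed feed of observed announcements.
SAMPLE_FEED = [
    ("2014-10-31T00:00:00Z", "203.0.113.0/24", 64496),    # expected
    ("2014-10-31T00:05:00Z", "198.51.100.0/22", 64497),   # expected second origin
    ("2014-10-31T00:10:00Z", "203.0.113.0/24", 64511),    # origin change
    ("2014-10-31T00:11:00Z", "203.0.113.0/25", 64511),    # more-specific inside our /24
    ("2014-10-31T00:12:00Z", "203.0.113.0/25", 64511),    # repeat, suppressed
    ("2014-10-31T00:20:00Z", "192.0.2.0/24", 64511),      # not ours, ignored
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_FEED):
        print(a)
```

A real deployment adds two things this sketch leaves out: withdrawal tracking, so an alert clears when the rogue route disappears, and a view from several vantage points, because a hijack seen by only one collector's peer may be a local leak rather than a global event.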