[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BGP hijack of Spamhaus?

Hi Nicolai,

It really happened, here are my notes. 


Renesys also confirmed seeing the /32 from that direction, but they could
not share the data because of an NDA. 

Because it was a /32, it was a hyperlocal event, if you can read Dutch and
read the comments on the greenhost.nl blog, you'll see that Kamphuis is
not denying, but rather elaborates on what he did:

	"wijst er ook maar even op dat onze uiteraard in-house developed
	dns code die we voor dit project ingezet hebben ook keurig op
	stdout liet zien WAT er door WIE werdt opgevraagd?"

Roughly translates to:

	"Let me emphasize that our in-house developed dns code, which was
	used for this project very nicely logged to stdout WHO was requesting

Kind regards,


On Mar 29, 2013, at 7:05 PM, Nicolai <nicolai-nanog at chocolatine.org> wrote:

> Hi all,
> Regarding the Spamhaus DDoS attack, there's a Cisco article [0]
> detailing its chronology, which cites greenhost.nl [1] claiming a BGP
> hijack by AS34109 (CB3ROB).  Here, a /32 was announced (and accepted...)
> for 0.ns.spamhaus.org, and the fraudulent server returned for
> *all* DNSBL queries, with the intent to undermine confidence in
> Spamhaus.
> Are there any confirmations of this claim?  This needs to be
> investigated and proven/disproven.
> Nicolai
> 0. http://blogs.cisco.com/security/chronology-of-a-ddos-spamhaus/
> 1. https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/

AS5580 - Atrato IP Networks