Reader Yin wrote in after noticing a huge spike in unsolicited border gateway protocol (BGP) traffic. This same spike in BGP connections has also been noted on DShield's sensors [1]. Thankfully he provided a packet capture which contained numerous BGP OPEN [2] messages. Here is a snippet of the BGP packet with the relevant details: These messages all originated from the same system, based in Korea. The Korean system IP is part of: AS Number : AS9848 AS Name : SEJONGTELECOM-AS From my understanding of BGP, this system is attempting to pass itself off as AS 65333, a private ASN [3] and poison the router with false details. Whether misconfiguration or a malicious act is unknown at this point. Most, if not all routers should have basic protections in place to protect against this type of event having an effect [4]. Please let us know if you're seeing the same thing, can added anything further or if my analysis needs correcting. UPDATE: Thank you to Reader Job for the clarification on private ASNs [1] https://isc.sans.edu/port.html?port=179 [2] http://www.inetdaemon.com/tutorials/internet/ip/routing/bgp/operation/messages/open.shtml [3] http://www.apnic.net/services/services-apnic-provides/helpdesk/faqs/asn-faqs#UsePrivateASN [4] http://www.inetdaemon.com/tutorials/internet/ip/routing/bgp/security/index.shtml
Chris Mohan --- Internet Storm Center Handler on Duty |
Chris 105 Posts ISC Handler Jun 28th 2012 |
Thread locked Subscribe |
Jun 28th 2012 1 decade ago |
Hi Chris,
AS65333 is a so called 'private autonomous system', which are free to be used by anybody. can you explain why you correlate AS65333 with Cymru's Bogon Service? Is there data you left out of this post that supports this claim? There are many organisations that use AS65333. |
Job 3 Posts |
Quote |
Jun 28th 2012 1 decade ago |
Hello Job,
I've only seen AS 65333 used for Cymru's Bogon Service, so thanks for the clarification. I'll update the diary. |
Chris 105 Posts ISC Handler |
Quote |
Jun 28th 2012 1 decade ago |
Unless it is seen in more than one destination, it is most likely just a lab environment with a typo.
|
Chris 42 Posts |
Quote |
Jun 28th 2012 1 decade ago |
I first noticed this traffic yesterday after reading about the spike in tcp/79 traffic. From a random 4 minute window yesterday we saw almost 800 unique source IPs that were essentially scanning our IP ranges (not sequentially though of course). This has very significantly tapered off today.
|
Chris 7 Posts |
Quote |
Jun 28th 2012 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!