Re: AS3.196 [91.213.29.0/24] IM-AS Info-Media Ltd

From: Ricardo Oliveira (no email)
Date: Tue Oct 13 2009 - 02:44:42 EDT

  • Next message: Stephane Bortzmeyer: "Re: .se disappeared?"

    It seems Team Cymru needs to update its whois db to use 4-byte ASNs
    and remove AS_TRANS (23456)

    --Ricardo

    On Oct 12, 2009, at 11:41 PM, Paul Ferguson wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > I'm a bit confused (nothing really new here) with this BGP announcement,
    > but following up on some cyber crime activity I stumbled on this:
    >
    > [Querying v4.whois.cymru.com]
    > [v4.whois.cymru.com]
    > AS | IP | AS Name
    > 23456 | 91.213.29.250 | -Reserved AS-
    >
    > Is this legitimate?
    >
    > route-views2.routeviews.org> sho ip bgp 91.213.29.250
    > BGP routing table entry for 91.213.29.0/24
    > Paths: (42 available, best #33, table Default-IP-Routing-Table)
    > Not advertised to any peer
    > 6939 9002 40965 196804
    > 216.218.252.164 from 216.218.252.164 (216.218.252.164)
    > Origin IGP, localpref 100, valid, external
    > Last update: Mon Oct 12 17:18:08 2009
    >
    > 13030 9002 40965 196804
    > 213.144.128.203 from 213.144.128.203 (213.144.128.203)
    > Origin IGP, metric 1, localpref 100, valid, external
    > Community: 13030:1 13030:1016
    > Last update: Mon Oct 12 13:10:14 2009
    >
    > 14608 4323 9002 40965 196804
    > 209.161.175.4 from 209.161.175.4 (209.161.175.4)
    > Origin IGP, localpref 100, valid, external
    > Community: no-export
    > Last update: Mon Oct 12 08:06:19 2009
    >
    > 286 9002 40965 196804
    > 134.222.87.3 from 134.222.87.3 (134.222.85.108)
    > Origin IGP, metric 0, localpref 100, valid, external
    > Community: 286:18 286:19 286:28 286:29 286:800 286:888 286:3044
    > 286:4019
    > Last update: Sat Oct 10 22:44:50 2009
    >
    > 1299 3549 9002 40965 196804
    > 213.248.83.252 from 213.248.83.252 (213.248.83.252)
    > Origin IGP, localpref 100, valid, external
    > Last update: Thu Oct 8 15:43:18 2009
    >
    > 3303 9002 40965 196804
    > 164.128.32.11 from 164.128.32.11 (164.128.32.11)
    > Origin IGP, localpref 100, valid, external
    > Community: 1120:2 3303:1004 3303:1006 3303:3056
    > Last update: Thu Oct 8 15:06:42 2009
    >
    > 2905 702 9002 40965 196804
    > 196.7.106.245 from 196.7.106.245 (196.7.106.245)
    > Origin IGP, metric 0, localpref 100, valid, external
    > Last update: Thu Oct 8 15:42:42 2009
    >
    > 31500 3267 9002 40965 196804
    > 95.140.80.254 from 95.140.80.254 (1.0.0.10)
    > Origin IGP, metric 0, localpref 100, valid, external
    > Last update: Tue Oct 13 00:33:35 2009
    >
    > 1221 4637 3549 9002 40965 196804
    > 203.62.252.186 from 203.62.252.186 (203.62.252.186)
    > Origin IGP, localpref 100, valid, external
    > Last update: Thu Oct 8 14:43:32 2009
    >
    > 5056 1239 3549 9002 40965 196804
    > 167.142.3.6 from 167.142.3.6 (167.142.225.101)
    > Origin IGP, localpref 100, valid, external
    > Last update: Thu Oct 8 15:10:31 2009
    >
    > 7660 2516 3549 9002 40965 196804
    > 203.181.248.168 from 203.181.248.168 (203.181.248.168)
    > Origin IGP, localpref 100, valid, external
    > Community: 2516:1030
    > Last update: Thu Oct 8 14:44:01 2009
    >
    > 6762 3549 9002 40965 196804
    > 195.22.216.188 from 195.22.216.188 (195.22.216.188)
    > Origin IGP, metric 100, localpref 100, valid, external
    > Community: 6762:31
    > Last update: Thu Oct 8 14:43:28 2009
    >
    > 16150 9002 40965 196804
    > 217.75.96.60 from 217.75.96.60 (217.75.96.60)
    > Origin IGP, metric 0, localpref 100, valid, external
    > Community: 16150:63392 16150:65215 16150:65320
    > Last update: Thu Oct 8 14:43:26 2009
    >
    > 6453 3549 9002 40965 196804
    > 207.45.223.244 from 207.45.223.244 (66.110.0.124)
    > Origin IGP, localpref 100, valid, external
    > Last update: Thu Oct 8 14:43:25 2009
    >
    > 2152 11164 9002 40965 196804
    > 137.164.16.12 from 137.164.16.12 (137.164.16.196)
    > Origin IGP, localpref 100, valid, external
    > Community: 2152:65299 2152:65506 11164:1130 11164:7880
    > Last update: Sat Oct 10 13:52:50 2009
    >
    > 6453 3549 9002 40965 196804
    > 195.219.96.239 from 195.219.96.239 (195.219.96.239)
    > Origin IGP, localpref 100, valid, external
    > Last update: Thu Oct 8 14:43:22 2009
    >
    > 3277 3267 9002 40965 196804
    > 194.85.4.55 from 194.85.4.55 (194.85.4.16)
    > Origin IGP, localpref 100, valid, external
    > Community: 3277:3267 3277:65321 3277:65323
    > Last update: Thu Oct 8 14:43:51 2009
    >
    > 852 3561 9002 40965 196804
    > 154.11.98.225 from 154.11.98.225 (154.11.98.225)
    > Origin IGP, metric 0, localpref 100, valid, external
    > Community: 852:180
    > Last update: Thu Oct 8 14:43:21 2009
    >
    > 3356 9002 40965 40965 196804
    > 4.69.184.193 from 4.69.184.193 (4.68.3.50)
    > Origin IGP, metric 0, localpref 100, valid, external
    > Community: 3356:2 3356:22 3356:100 3356:123 3356:507 3356:2076
    > 65000:0
    > Last update: Tue Oct 13 06:09:59 2009
    >
    > 701 3549 9002 40965 196804
    > 157.130.10.233 from 157.130.10.233 (137.39.3.60)
    > Origin IGP, localpref 100, valid, external
    > Last update: Thu Oct 8 14:43:48 2009
    >
    > 8492 9002 40965 196804
    > 85.114.0.217 from 85.114.0.217 (85.114.0.2)
    > Origin IGP, localpref 100, valid, external
    > Community: 8492:1101 9002:0 9002:64677
    > Last update: Thu Oct 8 14:43:16 2009
    >
    > 5413 9002 40965 196804
    > 62.72.136.2 from 62.72.136.2 (62.72.136.2)
    > Origin IGP, metric 47, localpref 100, valid, external
    > Last update: Thu Oct 8 14:43:15 2009
    >
    > 1239 3549 9002 40965 196804
    > 144.228.241.130 from 144.228.241.130 (144.228.241.130)
    > Origin IGP, localpref 100, valid, external
    > Last update: Thu Oct 8 14:43:45 2009
    >
    > 286 9002 40965 196804
    > 134.222.87.1 from 134.222.87.1 (134.222.86.1)
    > Origin IGP, localpref 100, valid, external
    > Community: 286:18 286:19 286:28 286:29 286:800 286:888 286:3044
    > 286:4019
    > Last update: Sat Oct 10 22:44:29 2009
    >
    > 6539 9002 40965 196804
    > 216.18.31.102 from 216.18.31.102 (216.18.31.102)
    > Origin IGP, localpref 100, valid, external
    > Last update: Thu Oct 8 14:43:12 2009
    >
    > 3130 2914 3549 9002 40965 196804
    > 147.28.7.1 from 147.28.7.1 (147.28.7.1)
    > Origin IGP, localpref 100, valid, external
    > Community: 2914:420 2914:2000 2914:3000 3130:380
    > Last update: Thu Oct 8 14:43:11 2009
    >
    > 11686 11164 9002 40965 196804
    > 96.4.0.55 from 96.4.0.55 (96.4.0.55)
    > Origin IGP, localpref 100, valid, external
    > Last update: Sat Oct 10 13:53:11 2009
    >
    > 1668 3549 9002 40965 196804
    > 66.185.128.1 from 66.185.128.1 (66.185.128.3)
    > Origin IGP, metric 502, localpref 100, valid, external
    > Last update: Thu Oct 8 14:43:36 2009
    >
    > 3549 9002 40965 196804
    > 67.17.82.114 from 67.17.82.114 (67.17.82.114)
    > Origin IGP, metric 14124, localpref 100, valid, external
    > Last update: Fri Oct 9 06:56:29 2009
    >
    > 3130 1239 3549 9002 40965 196804
    > 147.28.7.2 from 147.28.7.2 (147.28.7.2)
    > Origin IGP, metric 0, localpref 100, valid, external
    > Community: 3130:370 3130:380
    > Last update: Thu Oct 8 14:43:21 2009
    >
    > 2914 3549 9002 40965 196804
    > 129.250.0.11 from 129.250.0.11 (129.250.0.51)
    > Origin IGP, metric 10, localpref 100, valid, external
    > Community: 2914:420 2914:2000 2914:3000 65504:3549
    > Last update: Thu Oct 8 14:43:21 2009
    >
    > 2914 3549 9002 40965 196804
    > 129.250.0.171 from 129.250.0.171 (129.250.0.79)
    > Origin IGP, metric 5, localpref 100, valid, external
    > Community: 2914:420 2914:2000 2914:3000 65504:3549
    > Last update: Thu Oct 8 14:43:23 2009
    >
    > 2497 9002 40965 196804
    > 202.232.0.3 from 202.232.0.3 (58.138.96.149)
    > Origin IGP, localpref 100, valid, external, best
    > Last update: Thu Oct 8 14:43:02 2009
    >
    > 852 3561 9002 40965 196804
    > 154.11.11.113 from 154.11.11.113 (154.11.11.113)
    > Origin IGP, metric 0, localpref 100, valid, external
    > Community: 852:180
    > Last update: Sun Oct 11 01:25:14 2009
    >
    > 3257 3549 9002 40965 196804
    > 89.149.178.10 from 89.149.178.10 (213.200.87.91)
    > Origin IGP, metric 10, localpref 100, valid, external
    > Community: 3257:8012 3257:30070 3257:50001 3257:54900 3257:54901
    > Last update: Thu Oct 8 14:43:09 2009
    >
    > 7018 3549 9002 40965 196804
    > 12.0.1.63 from 12.0.1.63 (12.0.1.63)
    > Origin IGP, localpref 100, valid, external
    > Community: 7018:5000
    > Last update: Thu Oct 8 15:14:46 2009
    >
    > 13237 9002 40965 196804
    > 81.209.156.1 from 81.209.156.1 (81.209.156.1)
    > Origin IGP, localpref 100, valid, external
    > Community: 13237:40044 13237:46441
    > Last update: Thu Oct 8 14:42:58 2009
    >
    > 8001 9002 40965 196804
    > 209.123.12.51 from 209.123.12.51 (209.123.12.51)
    > Origin IGP, localpref 100, valid, external
    > Community: 8001:2000 8001:2001
    > Last update: Thu Oct 8 14:42:58 2009
    >
    > 3549 9002 40965 196804
    > 208.51.134.246 from 208.51.134.246 (67.17.80.153)
    > Origin IGP, metric 2633, localpref 100, valid, external
    > Community: 3549:350 3549:4721 3549:31276
    > Last update: Thu Oct 8 14:42:58 2009
    >
    > 3561 9002 40965 196804
    > 206.24.210.102 from 206.24.210.102 (206.24.210.102)
    > Origin IGP, localpref 100, valid, external
    > Last update: Thu Oct 8 14:42:58 2009
    >
    > 293 9002 40965 196804
    > 198.129.33.85 from 198.129.33.85 (134.55.200.25)
    > Origin IGP, localpref 100, valid, external
    > Community: 293:14
    > Last update: Sat Oct 10 19:41:35 2009
    >
    > 812 3549 9002 40965 196804
    > 64.71.255.61 from 64.71.255.61 (64.71.255.61)
    > Origin IGP, localpref 100, valid, external
    > Last update: Thu Oct 8 14:43:56 2009
    >
    > route-views2.routeviews.org>
    >
    >
    > See also:
    >
    > http://www.cidr-report.org/cgi-bin/as-report?as=196804
    >
    >
    > There's been some major criminal activity in this prefix and I was just
    > following up on some research...
    >
    > http://www.malwareurl.com/search.php?domain=&s=91.213.29&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on
    >
    > Thanks,
    >
    > - - ferg
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP Desktop 9.5.3 (Build 5003)
    >
    > wj8DBQFK1CD9q1pz9mNUZTMRAlfUAJ9u05ha1WP1RBnpW9ZpI5l5BLNERgCg8htQ
    > UTeIoSWYUG8rBOTFltiWn9M=
    > =1hHh
    > -----END PGP SIGNATURE-----
    >
    >
    >
    > --
    > "Fergie", a.k.a. Paul Ferguson
    > Engineering Architecture for the Internet
    > fergdawgster(at)gmail.com
    > ferg's tech blog: http://fergdawg.blogspot.com/
    >
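
The mismatch discussed in this thread (whois answering 23456 while route-views shows origin 196804, which is AS3.196 in asdot notation) can be checked mechanically. This is an added example, not code from either poster or from Team Cymru; the function names are hypothetical, and the sample input is a few lines excerpted from the route-views output quoted above.

```python
import re

AS_TRANS = 23456    # reserved placeholder ASN used in place of 4-byte ASNs (RFC 6793)
MAX_2BYTE = 65535

def to_asdot(asn):
    """asplain -> asdot: 196804 -> '3.196'; 2-byte ASNs are unchanged."""
    return str(asn) if asn <= MAX_2BYTE else f"{asn >> 16}.{asn & 0xFFFF}"

def from_asdot(text):
    """asdot or asplain string -> integer ASN."""
    hi, _, lo = text.partition(".")
    return (int(hi) << 16) + int(lo) if lo else int(hi)

def as_seen_by_2byte_speaker(path):
    """AS path as a 2-byte-only BGP speaker (or tool) sees it."""
    return [AS_TRANS if asn > MAX_2BYTE else asn for asn in path]

PATH_LINE = re.compile(r"^\s*\d+(?: \d+)*\s*$")

def parse_paths(show_ip_bgp):
    """Pick out the AS-path lines (digits and spaces only) from `show ip bgp` output."""
    return [[int(a) for a in line.split()]
            for line in show_ip_bgp.splitlines() if PATH_LINE.match(line)]

def check_origin(whois_asn, paths):
    """Compare the whois-reported origin with the origins in the routing table."""
    origins = sorted({p[-1] for p in paths})
    return {
        "origins": origins,
        "origins_asdot": [to_asdot(o) for o in origins],
        "whois_is_placeholder": whois_asn == AS_TRANS,
        # True when the whois answer is what a 2-byte-only view of the real origin yields
        "explained_by_as_trans": as_seen_by_2byte_speaker(origins) == [whois_asn],
    }

# Sample: a few lines excerpted from the route-views output quoted in this thread
SAMPLE = """\
BGP routing table entry for 91.213.29.0/24
  6939 9002 40965 196804
    216.218.252.164 from 216.218.252.164 (216.218.252.164)
      Origin IGP, localpref 100, valid, external
  3356 9002 40965 40965 196804
    4.69.184.193 from 4.69.184.193 (4.68.3.50)
"""

if __name__ == "__main__":
    print(check_origin(23456, parse_paths(SAMPLE)))
```

A whois origin of 23456 identifies no operator; when attributing activity in a prefix, take the origin from a 4-byte-capable view of the routing table, as `check_origin` does.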

