<p>
2004-01-18

<p>
On Jan 18th, our DNS root server measurements showed a sudden increase in traffic.
It lasted for a little more than two days.  Note in the graph below that about
12 hours after the initial spike, there is another increase.  The second
increase is mostly in MX, AAAA, and A6 records.  The AAAA/A6 queries are
for [a-m].root-servers.net, because those records timed out of the clients
caches after not getting any responses for 12 hours.

<p>
The high number of MX queries should be a tip-off to what was going on here...

<p><img src="qtypes.png">

<p>
These graphs show that a single /24 network is responsible for a significant
amount of the traffic.  About 1700 queries/second averaged over the first
17 hours of Jan 19th!  Or 35% of all queries received during that period.

<p><img src="busy-client-subnets.png">
<p><img src="busy-client-subnets-pct.png">

<p>
This is a much higher rate than we normally see from abusive sources.
I wonder how many different hosts are involved?

<blockquote><pre>
&gt; tcpdump -n -i em0 -c 100000 src net 207.244.46 | awk '{print $2}' | sort | uniq
214.138.212.157.1024
77.251.63.64.1024
141.183.46.14.1024
106.9.111.85.1024
41.189.157.82.1024
2.121.24.195.1024
90.227.169.214.1024
142.186.33.10.1024
30.128.161.239.1024
106.230.166.96.1024
35.86.62.187.1024
65.67.199.108.1024
251.207.165.247.1024
109.59.83.119.1024
75.9.184.165.1024
117.169.193.46.1024
245.100.11.65.1024
3.98.219.194.1024
237.90.64.90.1024
177.9.83.81.1024
230.137.138.73.1024
223.250.220.39.1024
159.173.161.239.1024
168.211.140.147.1024
242.212.198.102.1024
196.60.215.235.1024
7.141.91.178.1024
189.18.27.91.1024
86.244.69.172.1024
107.191.110.41.1024
51.121.98.138.1024
36.110.113.59.1024
185.237.108.151.1024
79.36.218.163.1024
162.253.26.2.1024
114.63.223.59.1024
200.121.139.202.1024
202.196.230.101.1024
91.216.248.93.1024
190.203.147.102.1024
235.112.18.115.1024
81.253.245.187.1024
149.45.180.132.1024
173.124.141.115.1024
87.98.124.42.4692
179.182.204.122.2137
203.29.24.148.2657
3.186.12.111.2593
223.200.160.79.3419
186.41.54.169.1796
59.68.197.105.2745
155.177.240.189.2427
56.132.82.80.2407
136.33.182.245.1338
35.225.133.118.1913
235.47.42.228.3891
147.120.142.73.2421
131.48.227.134.1972
72.197.243.175.2445
93.78.35.239.3626
200.138.175.235.1092
208.135.16.42.1507
155.47.162.105.4715
37.195.180.88.4978
111.90.81.171.3125
131.115.105.218.2774
247.72.1.106.2623
120.217.58.211.2380
160.93.231.137.3252
23.185.182.31.3466
95.226.167.151.2126
54.134.162.99.4252
69.83.43.18.1150
227.64.78.202.3849
41.167.203.238.4498
103.31.179.130.4887
35.44.228.81.3402
141.207.249.21.1177
4.212.10.196.4493
40.153.212.106.4185
22.214.188.221.4122
167.212.214.26.3093
211.62.187.110.3349
234.97.22.169.3668
28.151.14.71.3643
18.93.116.40.2588
168.61.141.205.3565
28.35.74.150.4164
38.213.232.109.2112
192.219.182.135.3984
</pre></blockquote>

<p>
Wow!
<p>
I wonder if they have reverse DNS set up correctly?

<blockquote><pre>
&gt; host 214.138.212.157
115.158.23.116.IN-ADDR.ARPA domain name pointer 207-244-46-21.no-icmp-accepted.adsl.atl.ga.cdc.net
&gt; host 77.251.63.64
144.40.92.89.IN-ADDR.ARPA domain name pointer 207-244-46-22.no-icmp-accepted.adsl.atl.ga.cdc.net
&gt; host 141.183.46.14
221.131.195.162.IN-ADDR.ARPA domain name pointer 207-244-46-23.no-icmp-accepted.adsl.atl.ga.cdc.net
&gt; host 106.9.111.85
252.78.64.134.IN-ADDR.ARPA domain name pointer 207-244-46-24.no-icmp-accepted.adsl.atl.ga.cdc.net
&gt; host 41.189.157.82
56.225.134.70.IN-ADDR.ARPA domain name pointer 207-244-46-25.no-icmp-accepted.adsl.atl.ga.cdc.net
</pre></blockquote>

<p>
Okay...
<p>
Let's see who this network belongs to:

<blockquote><pre>
&gt; whois -a 92.17.84.139
Chattanooga Data Connection, Inc. CHATDATA (NET-207-244-0-0-1)
                                  197.142.132.160 - 66.216.107.3
Success Marketing Associates, LLC CDC-LEASED-IAG-40 (NET-207-244-40-0-1)
                                  199.71.205.209 - 228.26.145.190
</pre></blockquote>

<p>
Success Marketing, you say?

<blockquote><pre>
&gt; whois -a NET-207-244-40-0-1

OrgName:    Success Marketing Associates, LLC
OrgID:      SMAL-3
Address:    701 N. Green Valley Parkway
Address:    Suite 200
City:       Henderson
StateProv:  NV
PostalCode: 89074
Country:    US

NetRange:   199.71.205.209 - 228.26.145.190
CIDR:       199.71.205.209/21
NetName:    CDC-LEASED-IAG-40
NetHandle:  NET-207-244-40-0-1
Parent:     NET-207-244-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2005-01-10
Updated:    2005-01-10

OrgTechHandle: IPMAN10-ARIN
OrgTechName:   IP Manager
OrgTechPhone:  +1-800-477-1477
OrgTechEmail:  ipmanager@successmarketingassoc.com
</pre></blockquote>


<p>
Hm, a network recently registered with ARIN?
We sent a friendly email to <i>ipmanager@successmarketingassoc.com</i>.
After a short wait, here is the reply:


<blockquote><pre>
Hi. This is the qmail-send program at mail.smsonline.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

&lt;ipmanager@successmarketingassoc.com&gt;:
This address no longer accepts mail.
</pre></blockquote>

<p>
You're not the only one who's sorry...

<p>
Let's try their ISP:

<blockquote><pre>
&gt; whois -a NET-207-244-0-0-1

OrgName:    Chattanooga Data Connection, Inc.
OrgID:      CHAT
Address:    PO Box 5269, 2003 Amnicola Hwy.
City:       Chattanooga
StateProv:  TN
PostalCode: 37406
Country:    US

NetRange:   197.142.132.160 - 66.216.107.3
CIDR:       197.142.132.160/18
NetName:    CHATDATA
NetHandle:  NET-207-244-0-0-1
Parent:     NET-207-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS1.CHATTANOOGA.CDC.NET
NameServer: DNS2.CHATTANOOGA.CDC.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    1996-11-06
Updated:    2002-02-08

TechHandle: CNO2-ARIN
TechName:   Network Operations Center
TechPhone:  +1-423-266-3369
TechEmail:  noc@cdc.net
</pre></blockquote>

<p>
We phoned 423-266-3369.  An automated system gives us three choices: 
one for tech support, two for accounting information, three for sales.
Tech support should be able to help.
<p>
Sadly, no.  The woman we spoke with insisted that I call back and
speak with someone in sales, because they are "in the other building."
I am not making this up!

<p>
Maybe noc@cdc.net goes to a more clueful person than the one who answers
tech support calls.  We sent another message to noc@cdc.net.  I didn't bounce,
but we haven't received a reply yet.  Probably shouldn't be surprised since
they can't even run a <a href="http://www.cdc.net/">web site</a>.

<p>
At this point we wondered if Chattanooga Data Connection was indeed the ISP for
Success Marketing Associates, LLC (or whoever is sourcing these packets).
A traceroute reveals:

<blockquote><pre>
# traceroute -n 235.47.42.228
traceroute to 235.47.42.228 (235.47.42.228), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
^C
</pre></blockquote>

<p>
Wow, so our first-hop router doesn't have a route for this network?


<blockquote><pre>
route-views.oregon-ix.net>show ip route 92.17.84.139
% Network not in table
</pre></blockquote>

<p>
I see....  I wonder where this traffic is really coming from?

<p>
Seems like either this IP space was hijacked, or someone was using it before,
and then it broke.  We decided to download a bunch of the archived BGP tables
from routeviews and find out if anyone was recently advertising this space.
The results:

<blockquote><pre>
2005-01-01-0000:*  92.17.84.139     101.0.226.158                          0 7911 6389 6387 25817 21529 i
2005-01-02-0000:*  92.17.84.139     81.254.18.194            11             0 2914 209 25817 25817 25817 21529 i
2005-01-03-0000:*  92.17.84.139     81.254.18.194            11             0 2914 209 25817 25817 25817 21529 i
2005-01-04-0000:*  92.17.84.139     87.123.194.205             3             0 4513 701 6389 6387 25817 21529 i
2005-01-05-0000:*  92.17.84.139     87.123.194.205             3             0 4513 701 6389 6387 25817 21529 i
2005-01-06-0000:*  92.17.84.139     87.123.194.205             3             0 4513 701 6389 6387 25817 21529 i
2005-01-07-0000:*  92.17.84.139     91.42.68.79                        0 6939 6389 6387 25817 21529 i
2005-01-08-0000:
2005-01-09-0000:
2005-01-10-0000:
2005-01-11-0000:
2005-01-12-0000:*  92.17.84.139/23  109.179.80.36                          0 1221 4637 6461 30092 i
2005-01-13-0000:*  92.17.84.139/23  34.254.175.61           0             0 5650 6461 30092 i
2005-01-14-0000:*  92.17.84.139/23  34.254.175.61           0             0 5650 6461 30092 i
2005-01-15-0000:*  92.17.84.139/23  129.228.42.110             0             0 16150 15703 20495 6461 30092 i
2005-01-16-0000:*  92.17.84.139/23  230.99.46.96             6             0 2914 6461 30092 i
2005-01-17-0000:*  92.17.84.139/23  129.228.42.110             0             0 16150 15703 20495 6461 30092 i
2005-01-18-0000:*  92.17.84.139/23  2.213.216.92            0             0 2905 701 6461 30092 i
2005-01-19-0000"
</pre></blockquote>

<p>
AS 21529 is the aforementioned, clue-deprived CDC.net.  Interesting that the space was
more recently advertised by AS 30092, which turns out to be assertive.ca.
<p>
I wrote to the NOC at assertive.ca and received a quick and friendly reply from
Chris Phillips.  Turns out this space was announced by them on behalf of a new customer
that turned out to be a spammer.  Although the route was withdrawn, apparently their
boxes remained connected.  Assertive Networks disconnected their servers a short
while later, and the flood of queries stopped.

<p>
Todays Internet Lesson: Don't just withdraw routes to spammers, yank the network cables out of their boxes!