ThreatSTOP Blog

AS10392 -- Hijacked?

Written by francisturner | September 29, 2010

An entire BGP AS appears to have been hijacked by cybercriminals who are now using it as a source of spam. ThreatSTOP has therefore added the IP netblocks in this AS* to our emergency feed, which will block these addresses for 24 hours. It seems likely that during this time the AS and associated netblocks will be returned to proper control, but if not, we will either maintain them in the emergency feed or place them in one of our standard lists.

The ability of ThreatSTOP to add these sorts of blocks dynamically and temporarily is a major benefit to our subscribers: their networks are protected automatically, without anyone needing to touch the firewalls at all. Beyond the direct protection afforded by the automatic application of new blocks, this ability also helps with configuration management. One of the most common reasons firewalls become accidentally vulnerable is the constant rule updating required when attempting to keep up with current threats manually; every configuration change carries the chance of a mistake that goes unnoticed but subtly breaks things. Because ThreatSTOP applies no more than four additional rules to the firewall, and these rules are applied just once, the chances of misconfiguration are significantly reduced.

*The IPv4 space for which AS10392 is currently announcing routes, i.e.:

192.171.64.0/19
204.137.224.0/19
205.164.0.0/20
205.164.16.0/20
205.164.32.0/20
205.164.48.0/20
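
The 24-hour emergency block described above, as an added Python example (not ThreatSTOP's code or feed format): the footnote's prefixes are aggregated into the fewest rules and expire after a TTL unless renewed. The class and function names, the sample source addresses and the timestamp are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Prefixes listed in the post's footnote for AS10392.
AS10392_PREFIXES = [
    "192.171.64.0/19", "204.137.224.0/19",
    "205.164.0.0/20", "205.164.16.0/20",
    "205.164.32.0/20", "205.164.48.0/20",
]

class EmergencyBlocklist:
    """Time-boxed blocklist: entries lapse unless renewed or promoted."""

    def __init__(self, ttl=timedelta(hours=24)):
        self.ttl = ttl
        self.entries = {}  # ip_network -> expiry (UTC datetime)

    def add(self, prefixes, now):
        # Merge adjacent prefixes so the installed rule set stays small.
        nets = [ipaddress.ip_network(p) for p in prefixes]
        for net in ipaddress.collapse_addresses(nets):
            self.entries[net] = now + self.ttl

    def active(self, now):
        # Only entries whose expiry is still in the future are enforced.
        return sorted(n for n, exp in self.entries.items() if exp > now)

    def is_blocked(self, addr, now):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.active(now))

def blocked_sources(blocklist, sources, now):
    """Return the source addresses the blocklist would drop at time `now`."""
    return [s for s in sources if blocklist.is_blocked(s, now)]

# Constructed sample data: a listing time and inbound SMTP source addresses.
LISTED_AT = datetime(2010, 9, 29, 12, 0, tzinfo=timezone.utc)
SAMPLE_SOURCES = ["205.164.40.7", "192.171.70.1", "198.51.100.10", "205.164.64.1"]

if __name__ == "__main__":
    bl = EmergencyBlocklist()
    bl.add(AS10392_PREFIXES, LISTED_AT)
    print("active rules:", [str(n) for n in bl.active(LISTED_AT)])
    print("dropped:", blocked_sources(bl, SAMPLE_SOURCES, LISTED_AT))
    later = LISTED_AT + timedelta(hours=25)
    print("dropped after expiry:", blocked_sources(bl, SAMPLE_SOURCES, later))
```

The four contiguous /20s collapse into a single /18, so the six announced prefixes become three rules; once the TTL lapses, nothing is dropped until the entry is renewed or moved to a standing list.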