Re: [anti-abuse-wg] Romanian Spam Network with curious effects
Lutz Petersen <lp@shlink.de> wrote:
It's a mystery to me, sorry. Maybe I did not make it clear enough what irritates me. Viewing BGP tables, one doesn't see a single announcement for this netblock. Traces all obviously end at the default null route in core routers. Seems to be one of the cases where nets are only announced when spinning out short-time spam waves - one can see this comparing older logs.
But: Reverse delegation from RIPE for these nets has been done to two nameservers - 176.121.32.2 + 176.121.32.3. But even if there does not exist a BGP entry, these nameservers can be asked and give an answer: ... What may be the trick with that?
Just because a traceroute ends at a certain point, that most definitely DOES NOT mean that other (non-traceroute) types of packets will have any trouble at all getting through to the final destination and/or back again.

There are quite a lot of networks on the Internet that are blocking traceroute packets, due to either incompetence or malevolence. Networks that know that they are harboring criminals and criminal activity will almost always be found to be blocking ordinary traceroute packets.

tinet.net, in particular, does not have the best reputation when it comes to who they are willing to connect with. They and their dodgy customer probably don't want you to know even what little you can learn from the following...

% traceroute 176.121.32.2
traceroute to 176.121.32.2 (176.121.32.2), 64 hops max, 52 byte packets
 1 3.255-62-69.res.dyn.surewest.net (69.62.255.3) 44.516 ms 44.805 ms 43.774 ms
 2 172.21.2.57 (172.21.2.57) 45.517 ms 46.255 ms 46.922 ms
 3 172.21.0.250 (172.21.0.250) 45.977 ms 45.436 ms 45.825 ms
 4 sjo-bb1-link.telia.net (213.248.88.73) 49.417 ms 49.347 ms 49.497 ms
 5 xe-1-3-0.sjc10.ip4.tinet.net (173.241.128.109) 49.521 ms 50.778 ms 49.954 ms
 6 xe-10-1-1.fra60.ip4.tinet.net (141.136.109.253) 214.637 ms
   xe-5-1-0.fra60.ip4.tinet.net (141.136.108.41) 253.992 ms
   xe-10-1-1.fra60.ip4.tinet.net (141.136.109.253) 210.634 ms
 7 * * *
 8 * * *
 9 * * *
10 * * *
11 * * *
12 *^C

Regards,
rfg
tinet.net, in particular, does not have the best reputation when it comes to who they are willing to connect with. They and their dodgy customer probably don't want you to know even what little you can learn from the following...
Yes - coming from different ways here, it always seems to end in Frankfurt at one of Tinet's border router interfaces. In fact we could realize that the router directly connected with Tinet's has the full BGP table (a personally known admin just checked) but even he could not trace more than one hop. Seems indeed they filter at border gateways.
Ronald F. Guilmette wrote:
Lutz Petersen <lp@shlink.de> wrote: [...] There are quite a lot of networks on the Internet that are blocking traceroute packets, due to either incompetence or malevolence.
Assuming that a TCP-based service is available on the subnet of interest, then 'tcptraceroute' is helpful in many cases :-)
Networks that know that they are harboring criminals and criminal activity will almost always be found to be blocking ordinary traceroute packets. [...] Regards, rfg
hth, -wilfried
participants (3)
- Lutz Petersen
- Ronald F. Guilmette
- Wilfried Woeber
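
Added example, not part of any poster's message: a small parser for the traceroute output quoted in the thread that reports the last hop that answered and how many later TTLs stayed silent, which is the point past which a traceroute alone tells you nothing about reachability. The function names are this example's own; the sample is the output quoted above, without the interrupted hop 12.

```python
import re

# Traceroute output as quoted in the thread (hop 12, interrupted with ^C, omitted).
SAMPLE = """\
traceroute to 176.121.32.2 (176.121.32.2), 64 hops max, 52 byte packets
 1 3.255-62-69.res.dyn.surewest.net (69.62.255.3) 44.516 ms 44.805 ms 43.774 ms
 2 172.21.2.57 (172.21.2.57) 45.517 ms 46.255 ms 46.922 ms
 3 172.21.0.250 (172.21.0.250) 45.977 ms 45.436 ms 45.825 ms
 4 sjo-bb1-link.telia.net (213.248.88.73) 49.417 ms 49.347 ms 49.497 ms
 5 xe-1-3-0.sjc10.ip4.tinet.net (173.241.128.109) 49.521 ms 50.778 ms 49.954 ms
 6 xe-10-1-1.fra60.ip4.tinet.net (141.136.109.253) 214.637 ms
   xe-5-1-0.fra60.ip4.tinet.net (141.136.108.41) 253.992 ms
   xe-10-1-1.fra60.ip4.tinet.net (141.136.109.253) 210.634 ms
 7 * * *
 8 * * *
 9 * * *
10 * * *
11 * * *
"""

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")                   # "<ttl> <rest of line>"
ADDR = re.compile(r"(\S+) \((\d+\.\d+\.\d+\.\d+)\)")     # "name (a.b.c.d)"

def parse_hops(text):
    """Return {ttl: [(name, ip), ...]}; an empty list means every probe timed out."""
    hops, ttl = {}, None
    for line in text.splitlines():
        m = HOP.match(line)
        if m:                        # line that starts a new TTL
            ttl, rest = int(m.group(1)), m.group(2)
            hops[ttl] = []
        elif ttl is not None:        # continuation: another responder at the same TTL
            rest = line
        else:                        # banner line before the first hop
            continue
        for pair in ADDR.findall(rest):
            if pair not in hops[ttl]:
                hops[ttl].append(pair)
    return hops

def summarize(text):
    """Last TTL that answered, its responders, and the count of silent TTLs after it."""
    hops = parse_hops(text)
    answered = [t for t in sorted(hops) if hops[t]]
    last = answered[-1] if answered else None
    silent = [t for t in hops if last is None or t > last]
    return {"last_ttl": last, "last_hop": hops.get(last, []), "silent_after": len(silent)}
```

A non-zero `silent_after` only says that probe replies stopped coming back after `last_hop`; whether the destination itself is reachable has to be checked against a service on it, as the thread does with the two nameservers.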