Threat Level: green Handler on Duty: Brad Duncan

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

ISC Feature of the Week: About the Internet Storm Center

Published: 2012-06-28
Last Updated: 2012-06-28 18:15:23 UTC
by Adam Swanger (Version: 1)
2 comment(s)


Ever wondered when, how or why the Internet Storm Center started? Want to know what we do, why we do it and how you can help! We'll summarize the information from in this feature and you can click through to read the specific sections in full.


About the Internet Storm Center -
Links to participate in the DShield program and a link to details on the INFOCON threat alert

ISC History and Overview -
Learn about what event prompted the formation of the ISC, how it went down and why.

Behind the Internet Storm Center -
Tells about the people that make up ISC and the sensors that make DShield. The who, what and how of the Internet Storm Center and DShield sensor.

Early Warning -
How the ISC Handlers determine the significance of an event and if/how a warning is disseminated

Participating with the Internet Storm Center -
We strongly encourange anyone who is able to contribute logs for analysis, including running a DShield sensor of your own that submits automatically. This section goes into detail of the how and benefits of submitting logs as a registered user. You can get started by visiting

The work is supported by the SANS Institute from tuition paid by students attending SANS security education programs. You can view all the SANS Site Network websites at or hold your mouse over the up/down arrows to the right of the ISC logo.


Post suggestions or comments in the section below or send us any questions or comments in the contact form on
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center


Keywords: ISC Feature
2 comment(s)

Massive spike in BGP traffic - Possible BGP poisoning?

Published: 2012-06-28
Last Updated: 2012-06-28 11:03:40 UTC
by Chris Mohan (Version: 1)
4 comment(s)

Reader Yin wrote in after noticing a huge spike in unsolicited border gateway protocol (BGP) traffic. This same spike in BGP connections has also been noted on DShield's sensors [1].  Thankfully he provided a packet capture which contained numerous BGP OPEN [2] messages.

 Here is a snippet of the BGP packet with the relevant details:

These messages all originated from the same system, based in Korea.

The Korean system IP is part of: 

 AS Number          : AS9848

 AS Name            : SEJONGTELECOM-AS


From my understanding of BGP, this system is attempting to pass itself off as AS 65333, a private ASN [3] and poison the router with false details.

Whether misconfiguration or a malicious act is unknown at this point. Most, if not all routers should have basic protections in place to protect against this type of event having an effect [4].

Please let us know if you're seeing the same thing, can added anything further or if my analysis needs correcting.

UPDATE: Thank you to Reader Job for the clarification on private ASNs  






Chris Mohan --- Internet Storm Center Handler on Duty

4 comment(s)
ISC StormCast for Thursday, June 28th 2012
Diary Archives