[159467] in North American Network Operators' Group
Re: Dreamhost hijacking my prefix...
daemon@ATHENA.MIT.EDU (Andree Toonk)
Fri Jan 11 11:47:11 2013
Date: Fri, 11 Jan 2013 08:46:57 -0800
From: Andree Toonk <andree+nanog@toonk.nl>
To: nanog@nanog.org
In-Reply-To: <50F02E65.20601@utc.edu>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi,
Here's a quick summary of what we saw at BGPMon.net.
At 2013-01-11 14:14:13 we saw announcements (seemingly) originated by
26347, for prefixes normally announced by other ASn's (origin change /
hijack).
This seems to have affected 112 prefixes for 110 ASn's [1], including
Rogers, Tata, Sprint, Ziggo, Verizon, KPN, Vodafone, CloudFlare, XS4ALL,
AT&T, Bell Canada and many more.
Most of these were new more specific(!) announcements.
With regards to next-hop ASN's (peers). It seems this hijack was
propagated via 12 unique (AS26347) peers [1]
A quick look at the prefix that was mentioned by Jeff, 150.182.208.0/20
(more specific of 50.182.192.0/18)
The first announcement for this prefix was seen at 2013-01-11 14:14:28
and withdrawn at 2013-01-11 15:20:57. It was detected by 42 unique peers.
some example paths:
271 6939 26347
5580 26347|
37312 5713 6939 26347
1126 24785 12989 26347
[1] I've posted some details (Unique next-hop ASN's and affected origin
ASN's), check if your AS was affected here:
http://portal.bgpmon.net/data/hijack20130111.txt
Cheers,
Andree
.-- My secret spy satellite informs me that at 2013-01-11 7:23 AM Jeff
Kell wrote:
> Not sure how widespread their "leakage" may be, but Dreamhost just
> hijacked one of my prefixes...
>
>> ====================================================================
>> Possible Prefix Hijack (Code: 10)
>> ====================================================================
>> Your prefix: 150.182.192.0/18:
>> Update time: 2013-01-11 14:14 (UTC)
>> Detected by #peers: 11
>> Detected prefix: 150.182.208.0/20
>> Announced by: AS26347 (DREAMHOST-AS - New Dream Network, LLC)
>> Upstream AS: AS42861 (PRIME-LINE-AS JSC "Prime-Line")
>> ASpath: 8331 42861 42861 42861 26347
>
> Anyone have a contact there? ASinfo gives netops@dreamhost.com where I
> have submitted a report, but so far no joy...
>
> Jeff
>
>
>
