[170621] in North American Network Operators' Group
RE: BGPMON Alert Questions
daemon@ATHENA.MIT.EDU (Lee Johnston)
Wed Apr 2 15:56:14 2014
From: Lee Johnston <lee@wildcard.net.uk>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 2 Apr 2014 19:27:54 +0000
In-Reply-To: <533C5F64.8020401@ramapo.edu>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Snap, announcing a few of our /21s and a /23. Seems they did something similar a few years ago: http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/
I can't make any contact with Indosat (website non responsive / email queuing). This is what I have back from Aware Corp. AS18356 (first AS in the path):
I can confirm that we are seeing your prefixes as advertised by AS4761, via one of our upstreams CAT AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
We (Aware Corporation - AS18356) operate a BGPMon PeerMon node which is probably why you are seeing this alert from our AS.
It is likely that your hijacked prefixes are being advertised to all of CAT's customers.
I suggest contacting AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID) directly for resolution as there is little we can do as a stub AS.
Regards,
Lee.
-----Original Message-----
From: Vlade Ristevski [mailto:vristevs@ramapo.edu]
Sent: 02 April 2014 20:05
To: nanog@nanog.org
Subject: Re: BGPMON Alert Questions
I just got the same alert for one of my prefixes one minute ago.
On 4/2/2014 2:59 PM, Frank Bulk wrote:
> I received a similar notification about one of our prefixes also a few
> minutes ago. I couldn't find a looking glass for AS4761 or AS4651.
> But I also couldn't hit the websites for either AS, either.
>
> Frank
>
> -----Original Message-----
> From: Joseph Jenkins [mailto:joe@breathe-underwater.com]
> Sent: Wednesday, April 02, 2014 1:52 PM
> To: nanog@nanog.org
> Subject: BGPMON Alert Questions
>
> So I setup BGPMON for my prefixes and got an alert about someone in
> Thailand announcing my prefix. Everything looks fine to me and I've
> checked a bunch of different Looking Glasses and everything announcing
> correctly.
>
> I am assuming I should be contacting the provider about their
> misconfiguration and announcing my prefixes and get them to fix it.
> Any other recommendations?
>
> Is there a way I can verify what they are announcing just to make sure
> they are still doing it?
>
> Here is the alert for reference:
>
> Your prefix: 8.37.93.0/24:
>
> Update time: 2014-04-02 18:26 (UTC)
>
> Detected by #peers: 2
>
> Detected prefix: 8.37.93.0/24
>
> Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
> Provider,ID)
>
> Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of
> Thailand(CAT),TH)
>
> ASpath: 18356 9931 4651 4761
>
>
>
--
Vlad
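
Added example, not written by any poster in this thread: a Python parser for the alert text quoted above that reads the AS path the way the replies do, with the last AS as the origin, the one before it as the upstream, and the first as the monitoring peer. `EXPECTED_ORIGINS` holds a documentation ASN as a placeholder for the prefix holder's real origin AS, which the thread does not state; the function names and finding labels are hypothetical.

```python
import ipaddress
import re

# Alert text as quoted in the thread (mail quoting and wrapping removed).
ALERT = """\
Your prefix: 8.37.93.0/24:
Update time: 2014-04-02 18:26 (UTC)
Detected by #peers: 2
Detected prefix: 8.37.93.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
ASpath: 18356 9931 4651 4761
"""

# Assumption: placeholder origin from the documentation ASN range (RFC 5398).
EXPECTED_ORIGINS = {64500}

def parse_alert(text):
    """Turn 'Field: value' lines into a dict and decode the AS path."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip().rstrip(":")
    path = [int(asn) for asn in fields["ASpath"].split()]
    return {
        "monitored": ipaddress.ip_network(fields["Your prefix"]),
        "detected": ipaddress.ip_network(fields["Detected prefix"]),
        "announced_by": int(re.search(r"AS(\d+)", fields["Announced by"]).group(1)),
        "origin": path[-1],                               # rightmost AS originates the route
        "upstream": path[-2] if len(path) > 1 else None,  # AS that accepted it from the origin
        "vantage": path[0],                               # peer that reported the route
    }

def assess(alert, expected_origins=EXPECTED_ORIGINS):
    """Return findings for one alert; an empty list means the origin is expected."""
    findings = []
    if alert["announced_by"] != alert["origin"]:
        findings.append("inconsistent-alert")
    if alert["origin"] not in expected_origins:
        findings.append("origin-mismatch")
        if alert["detected"] == alert["monitored"]:
            findings.append("exact-prefix")   # competes with the legitimate route
        elif alert["detected"].subnet_of(alert["monitored"]):
            findings.append("more-specific")  # longest match wins wherever it spreads
    return findings

if __name__ == "__main__":
    print(assess(parse_alert(ALERT)))
```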