[170628] in North American Network Operators' Group
Re: BGPMON Alert Questions
daemon@ATHENA.MIT.EDU (James Laszko)
Wed Apr 2 16:23:57 2014
From: James Laszko <jamesl@mythostech.com>
To: Bryan Tong <contact@nullivex.com>
Date: Wed, 2 Apr 2014 20:17:23 +0000
In-Reply-To: <CAAARkvJr8j0QupPLxnodG77Eq86T=dg8EhDY+YmrYCq7=o-KJw@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I called into +66 2104-2374=20
James Laszko
Mythos Technology Inc
Sent from my iPad
> On Apr 2, 2014, at 1:08 PM, "Bryan Tong" <contact@nullivex.com> wrote:
>=20
> Another 5 of ours just got hit.
>=20
> Anyone have any ideas on what will be done about it?
>=20
>=20
>> On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk <frnkblk@iname.com> wrote:
>>=20
>> bgpmon has tweeted that "We're currently observing a large hijack event.
>> Indosat AS4761 originating many prefixes not assigned to them."
>>=20
>> Let's hope that AS4651 can quickly apply filters.
>>=20
>> Frank
>>=20
>> -----Original Message-----
>> From: David Hubbard [mailto:dhubbard@dino.hostasaurus.com]
>> Sent: Wednesday, April 02, 2014 2:03 PM
>> To: Joseph Jenkins; nanog@nanog.org
>> Subject: RE: BGPMON Alert Questions
>>=20
>> If you contact bgpmon support you may be able to get some more in-depth
>> information. I've contacted them before with alerts like those and they
>> were able to give me specific date, time, ASN and interface information
>> about the peering points that received the announcements; that might
>> help make you present to the suspect party more likely to be acted upon.
>>=20
>> -----Original Message-----
>> From: Joseph Jenkins [mailto:joe@breathe-underwater.com]
>> Sent: Wednesday, April 02, 2014 2:52 PM
>> To: nanog@nanog.org
>> Subject: BGPMON Alert Questions
>>=20
>> So I setup BGPMON for my prefixes and got an alert about someone in
>> Thailand announcing my prefix. Everything looks fine to me and I've
>> checked a bunch of different Looking Glasses and everything announcing
>> correctly.
>>=20
>> I am assuming I should be contacting the provider about their
>> misconfiguration and announcing my prefixes and get them to fix it. Any
>> other recommendations?
>>=20
>> Is there a way I can verify what they are announcing just to make sure
>> they are still doing it?
>>=20
>> Here is the alert for reference:
>>=20
>> Your prefix: 8.37.93.0/24:
>>=20
>> Update time: 2014-04-02 18:26 (UTC)
>>=20
>> Detected by #peers: 2
>>=20
>> Detected prefix: 8.37.93.0/24
>>=20
>> Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
>> Provider,ID)
>>=20
>> Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority
>> of
>> Thailand(CAT),TH)
>>=20
>> ASpath: 18356 9931 4651 4761
>=20
>=20
> --=20
> eSited LLC
> (701) 390-9638
