[179357] in North American Network Operators' Group
Re: Cisco/Level3 takedown
daemon@ATHENA.MIT.EDU (Blake Hudson)
Thu Apr 9 11:55:52 2015
Date: Thu, 09 Apr 2015 10:55:43 -0500
From: Blake Hudson <blake@ispn.net>
To: nanog@nanog.org

Reading the article, I assumed that perhaps Level 3 was an upstream
carrier, but RIPE stats shows that the covering prefix (103.41.120.0/22)
is announced by AS63509, an Indonesian organization. It looks like
they're fighting back by announcing their own /24 now.

I love the AS's address:

descr:Jl. Marcedes Bens No.258
descr:Gunung Putri, Bogor
descr:Jawa Barat 16964
country:ID

While a Level 3 /24 announcement will certainly have a worldwide
impact, I agree that it seems misguided when the originating AS can
announce their own /24. It does make one wonder why Cisco or Level 3 is
involved, why they feel they have the authority to hijack someone else's
IP space, and why they didn't go through law enforcement. This is
especially true for the second netblock (43.255.190.0/23), announced by
a US company (AS26484).

--Blake

Sameer Khosla wrote on 4/9/2015 10:31 AM:
> Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables.
>
> Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why Cisco published the ssh attack dictionary.
>
> It seems to me that this is something that if they want to do, they should be working with the entire service provider community, not just one provider.
>
>
> Thanks
>
> Sameer Khosla
> Managing Director
> Neutral Data Centers Corp.
> Twitter: @skhoslaTO
>
>
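
Added example, not part of the original messages: a small monitoring check a network operator could run over a routing-table snapshot to flag more-specific announcements whose origin AS differs from the origin of the covering prefix, which is the situation discussed in this thread. The two covering prefixes and their origin ASNs are taken from the message above; the /24 rows and the use of AS64500 (a documentation ASN) as the third-party origin are constructed sample data.

```python
import ipaddress

# Constructed snapshot of (prefix, origin ASN) pairs. The /22 and /23 rows
# use the prefixes and ASNs named in the message; every /24 row and the
# documentation ASN 64500 are made-up sample data.
ROUTES = [
    ("103.41.120.0/22", 63509),
    ("103.41.121.0/24", 63509),  # constructed: origin de-aggregating its own space
    ("43.255.190.0/23", 26484),
    ("43.255.190.0/24", 64500),  # constructed: more-specific from another AS
    ("43.255.191.0/24", 64500),  # constructed: more-specific from another AS
]


def covering_route(prefix, table):
    """Return (network, origin) of the longest less-specific route that
    covers `prefix`, or None if the table holds no covering route."""
    net = ipaddress.ip_network(prefix)
    best = None
    for other, origin in table:
        cand = ipaddress.ip_network(other)
        if (cand.version == net.version
                and cand.prefixlen < net.prefixlen
                and net.subnet_of(cand)):
            if best is None or cand.prefixlen > best[0].prefixlen:
                best = (cand, origin)
    return best


def foreign_more_specifics(table):
    """List (prefix, origin, covering prefix, covering origin) for every
    route that is more specific than a covering route with a different
    origin AS. Longest-prefix match means such a route attracts the traffic."""
    findings = []
    for prefix, origin in table:
        cover = covering_route(prefix, table)
        if cover is not None and cover[1] != origin:
            findings.append((prefix, origin, str(cover[0]), cover[1]))
    return findings


if __name__ == "__main__":
    for prefix, origin, cover, cover_origin in foreign_more_specifics(ROUTES):
        print(f"{prefix} from AS{origin} overrides {cover} from AS{cover_origin}")
```

A flagged row is a prompt to check the prefix holder's route objects or ROAs before alerting, since a legitimate customer or DDoS-mitigation announcement looks the same in a snapshot.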