[196125] in North American Network Operators' Group


Re: BGP hijack: 64.68.207.0/24 from as133955

daemon@ATHENA.MIT.EDU (Sandra Murphy)
Fri Oct 6 03:12:54 2017

X-Original-To: nanog@nanog.org
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <CAHQ-pOLua8SyWieBbPe7vVpCWGS1xJzrK0mxBJh=4snnB1tAxg@mail.gmail.com>
Date: Wed, 4 Oct 2017 13:45:41 -0400
To: Theodore Baschak <theodore@ciscodude.net>
Cc: NANOG Operators' Group <nanog@nanog.org>, Sandra Murphy <sandy@tislabs.com>
Errors-To: nanog-bounces@nanog.org


> On Oct 4, 2017, at 11:29 AM, Theodore Baschak <theodore@ciscodude.net> wrote:
> 
> I noticed when I looked into both of these leaks 3 hours after Clinton's
> message yesterday that I couldn't see them in any of the looking glasses I
> was looking in (including the NLNOG looking glass)
> 
> Looks like things were able to be cleaned up very quickly.

Interesting.

bgp.he.net is still reporting AS133955 as the originator of
64.68.207.0/24.  I don't know what their refresh cycle is.

And, oh look, bgp.he.net points to an RADB proxy registration for the
AS133955 origination.  RADB no longer reports that route object.  But it
must have been there at some point.

RADB
route:      64.68.207.0/24
descr:      Fleg Asia Telecom Ltd
            Proxy-registered route object
origin:     AS133955
notify:     ipbb-apol@aptg.com.tw
mnt-by:     MAINT-AS17709
changed:    kiayang@aptg.com.tw 20170830  #05:45:57Z
source:     RADB

stat.ripe.net (bless you, RIPE!) shows that 64.68.207.0/24 has been
originated by AS133955 off and on for the last month (since the RADB
route object's change date?) in the BGP Update Activity and
Routing History graphs.  And a huge flurry of activity yesterday.

Could I be reading all this wrong?  Seems to have been going on for
quite a while.

—Sandy

P.S.  The other three prefixes mentioned below show similar results in
bgp.he.net, with route objects proxy registered on 9/25, and similar
results in stats.ripe.net, with off-and-on announcements, more off than
on for these, closely timed with the route object registration.


> 
> 
> 
> Theodore Baschak - AS395089 - Hextet Systems
> https://bgp.guru/ - https://hextet.net/
> http://mbix.ca/ - http://mbnog.ca/
> 
> 
> 
> 
> On Tue, Oct 3, 2017 at 6:29 PM, Clinton Work <clinton@scripty.com> wrote:
> 
>> TELUS AS852 has three address blocks hijacked by AS133955 as well.   We
>> have not been able to get in contact with AS24155.  It looks like they
>> are buying transit from PCCW AS3491 and Taiwan Internet Gateway AS9505.
>> 
>> 68.182.255.0/24
>> 74.49.255.0/24
>> 96.1.255.0/24
>> 
>> 
>> On Tue, Oct 3, 2017, at 10:30 AM, Mark Jeftovic wrote:
>>> 
>>> as133955 is broadcasting bogus BGP announcement for our netblock
>>> 64.68.207.0/24
>>> 
>>> It's in China, and we're trying to contact as24155 but they are also in
>>> China and we're just emailing their whois record address.
>>> 
>>> If you're nearby and in a position to block/dampen that might be helpful.
>>> 
>>> Thx
>>> 
>>> - mark
>>> 
>>> --
>>> Mark Jeftovic <markjr@easydns.com>
>>> Founder & CEO, easyDNS Technologies Inc.
>>> http://www.easyDNS.com
>>> 
>>> 
>> 


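The check Sandy walks through above (compare the origin AS seen in BGP with what the IRR holds for the prefix, and notice that the covering route object is proxy-registered) can be scripted. The following is an added example, not code from the thread or from any of the operators in it: a small RPSL parser run over a constructed copy of the RADB object quoted above plus a hypothetical second object for the legitimate holder, whose ASN the thread does not give, so the documentation ASN AS64496 stands in for it; the check flags observed originations that disagree with the known legitimate origin and reports whether an IRR route object covers them and whether that object is proxy-registered.

```python
# Constructed RPSL modelled on the RADB object quoted in the thread; the second
# object and AS64496 are hypothetical stand-ins for the legitimate holder's own.
RPSL_SAMPLE = """\
route:      64.68.207.0/24
descr:      Fleg Asia Telecom Ltd
            Proxy-registered route object
origin:     AS133955
mnt-by:     MAINT-AS17709
source:     RADB

route:      64.68.207.0/24
descr:      Legitimate holder (hypothetical)
origin:     AS64496
mnt-by:     MAINT-EXAMPLE
source:     RADB
"""

def parse_rpsl(text):
    """Parse RPSL into dicts (attribute -> values); indented lines continue."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
        elif line[0].isspace() and last_key:
            current[last_key][-1] += " " + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects

def check_origins(observed, legitimate, rpsl_text):
    """Flag origins that differ from the legitimate one; report IRR coverage."""
    routes = parse_rpsl(rpsl_text)
    findings = []
    for prefix, origin in observed:
        if legitimate.get(prefix) == origin:
            continue  # expected origin, nothing to flag
        match = [r for r in routes
                 if r.get("route") == [prefix] and r.get("origin") == [origin]]
        proxy = any("proxy-registered" in " ".join(r.get("descr", [])).lower()
                    for r in match)
        findings.append({"prefix": prefix, "origin": origin,
                         "irr_object": bool(match), "proxy_registered": proxy})
    return findings
```

A finding with `irr_object` true and `proxy_registered` true is the pattern Sandy describes: the unexpected origin is "covered" only by a proxy object registered under someone else's maintainer, which is why the IRR record by itself is not evidence of authorisation.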