[196144] in North American Network Operators' Group
Re: BGP hijack: 64.68.207.0/24 from as133955
daemon@ATHENA.MIT.EDU (Sandra Murphy)
Fri Oct 6 06:57:54 2017
X-Original-To: nanog@nanog.org
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <C1C13430-106B-4B15-B581-9FE4999FAFC3@tislabs.com>
Date: Wed, 4 Oct 2017 14:32:08 -0400
To: Theodore Baschak <theodore@ciscodude.net>
Cc: NANOG Operators' Group <nanog@nanog.org>, Sandra Murphy <sandy@tislabs.com>
Errors-To: nanog-bounces@nanog.org
Not to respond to my own post, or anything. But.
Another interesting thing.
bgp.he.net reports show that AS133955 is/was also announcing 69.172.127.0/24 "WiMore S.r.l.". bgp.he.net shows a red key icon on that origination, meaning that there's an RPKI ROA that does not match that origination. And bgp.he.net reports an RADB route object with a proxy registration for AS133955 to originate 69.172.127.0/24, registered on 9/25 like the three prefixes below.
RADB still reports that route object (along with a very old one)
route: 69.172.127.0/24
descr: Fleg Asia Telecom Ltd
Proxy-registered route object
origin: AS133955
notify: ipbb-apol@aptg.com.tw
mnt-by: MAINT-AS17709
changed: kiayang@aptg.com.tw 20170925 #00:31:36Z
source: RADB
route: 69.172.64.0/18
descr: Canaca-Com Inc
descr: 1650 Dundas Street East Unit 203
descr: Mississauga, Ontario
descr: CA
origin: AS33139
mnt-by: MNT-CANAC
changed: peering@canaca.com 20100624
source: ARIN
stats.ripe.net shows 69.172.127.0/24 is presently being announced - "Originated by: AS133955 (valid route object in RADB)", "100% visible (by 157 of 157 RIS full peers)"
The RPKI says that AS34526 (WiMore S.r.l.) is authorized to originate 69.172.96.0/19. But the aggregate prefix is not being announced. If the AS133955 origination is valid, they really ought to update their ROA.
Hm. I am curious about that prefix. Is it being hijacked? Or am I just reading everything wrong?
—Sandy
> On Oct 4, 2017, at 1:45 PM, Sandra Murphy <sandy@tislabs.com> wrote:
>
>> On Oct 4, 2017, at 11:29 AM, Theodore Baschak <theodore@ciscodude.net> wrote:
>>
>> I noticed when I looked into both of these leaks 3 hours after Clinton's message yesterday that I couldn't see them in any of the looking glasses I was looking in (including the NLNOG looking glass)
>>
>> Looks like things were able to be cleaned up very quickly.
>
> Interesting.
>
> bgp.he.net is still reporting AS133955 as the originator of 64.68.207.0/24. I don't know what their refresh cycle is.
>
> And, oh look, bgp.he.net points to an RADB proxy registration for the AS133955 origination. RADB no longer reports that route object. But it must have been there at some point.
>
> RADB
> route: 64.68.207.0/24
>
> descr: Fleg Asia Telecom Ltd
> Proxy-registered route object
> origin: AS133955
> notify: ipbb-apol@aptg.com.tw
> mnt-by: MAINT-AS17709
> changed: kiayang@aptg.com.tw 20170830 #05:45:57Z
> source: RADB
>
> stat.ripe.net (bless you, RIPE!) shows that 64.68.207.0/24 has been originated by AS133955 off and on for the last month (since the RADB route object's change date?) in the BGP Update Activity and Routing History graphs. And a huge flurry of activity yesterday.
>
> Could I be reading all this wrong? Seems to have been going on for quite a while.
>
> —Sandy
>
> P.S. The other three prefixes mentioned below show similar results in bgp.he.net, with route objects proxy registered on 9/25, and similar results in stats.ripe.net, with off-and-on announcements, more off than on for these, closely timed with the route object registration.
>
>>
>> Theodore Baschak - AS395089 - Hextet Systems
>> https://bgp.guru/ - https://hextet.net/
>> http://mbix.ca/ - http://mbnog.ca/
>>
>> On Tue, Oct 3, 2017 at 6:29 PM, Clinton Work <clinton@scripty.com> wrote:
>>
>>> TELUS AS852 has three address blocks hijacked by AS133955 as well. We have not been able to get in contact with AS24155. It looks like they are buying transit from PCCW AS3491 and Taiwan Internet Gateway AS9505.
>>>
>>> 68.182.255.0/24
>>> 74.49.255.0/24
>>> 96.1.255.0/24
>>>
>>> On Tue, Oct 3, 2017, at 10:30 AM, Mark Jeftovic wrote:
>>>>
>>>> as133955 is broadcasting bogus BGP announcement for our netblock
>>>> 64.68.207.0/24
>>>>
>>>> It's in China, and we're trying to contact as24155 but they are also in China and we're just emailing their whois record address.
>>>>
>>>> If you're nearby and in a position to block/dampen that might be helpful.
>>>>
>>>> Thx
>>>>
>>>> - mark
>>>>
>>>> --
>>>> Mark Jeftovic <markjr@easydns.com>
>>>> Founder & CEO, easyDNS Technologies Inc.
>>>> http://www.easyDNS.com
>>>>
>>>
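The red-key check Sandy describes (an RPKI ROA that does not match the origination, while an RADB proxy route object says it is fine) is RFC 6811 route origin validation cross-checked against the IRR. The following is an added example written for this thread, not code from the list or from any of the tools mentioned; the ROA's maxLength of 19 and the two AS34526 announcements are assumptions, since the thread only states that AS34526 is authorized for 69.172.96.0/19 and that the aggregate is not being announced.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # ROA prefix, e.g. "69.172.96.0/19"
    max_length: int   # longest prefix length the ROA permits
    asn: int          # authorized origin AS


def validate_origin(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"          # no ROA covers this prefix at all
    for roa in covering:
        # valid only if some covering ROA names this origin AND the announced
        # prefix is no longer than that ROA's maxLength
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def audit(announcements, roas, irr_route_objects):
    """Cross-check announcements against RPKI and the IRR; returns
    (prefix, origin, rpki_state, irr_has_route_object) per announcement."""
    return [(p, o, validate_origin(p, o, roas), (p, o) in irr_route_objects)
            for p, o in announcements]


# Constructed from the thread. maxLength 19 is an assumption (not stated).
ROAS = [Roa("69.172.96.0/19", 19, 34526)]
# (prefix, origin) pairs with a RADB proxy route object, per the thread.
IRR = {("69.172.127.0/24", 133955), ("64.68.207.0/24", 133955)}
ANNOUNCEMENTS = [
    ("69.172.127.0/24", 133955),  # seen on stats.ripe.net
    ("69.172.127.0/24", 34526),   # hypothetical: right AS, prefix too long
    ("69.172.96.0/19", 34526),    # hypothetical: the aggregate the ROA covers
    ("64.68.207.0/24", 133955),   # easyDNS block; no ROA mentioned
]

if __name__ == "__main__":
    for prefix, origin, rpki, irr in audit(ANNOUNCEMENTS, ROAS, IRR):
        print(f"{prefix:18} AS{origin:<7} RPKI={rpki:<9} IRR route object={irr}")
```

An announcement that is RPKI-invalid but has an IRR route object is exactly the pattern in the thread: proxy-registered route objects are weak evidence of authorization, so an ROA mismatch should win when the two disagree.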