Anyone notice strange announcements for 174.128.31.0/24

Tue Jan 13 15:52:49 UTC 2009

Hi Jim...

We treated it with P1 until we realized it was a total waste of our
time.  It was the point of it too...

About 6 months ago we had a similar alarm (on the surface) where someone
in Europe was advertising our AS number.  After some careful checking it
seemed to be simply a typo error but after about 20 minutes of it
showing up in a path it disappeared and they started actually
advertising one of our IP blocks and were able to do so due to lack of
proper filtering on their upstream.  If we had not been paying attention
to this "little detail" it would have taken us more time to react and
trace down what we going on - by paying attention we had several details
already accounted for.  The whole issue lasted about 30 minutes at which
point their upstream provider had been notified and cut off their
customer until proper filtering was put back into place.

I'll admit that was the only time we've ever had an issue or until this
new incident an alarm condition.  So, now for "academic purposes" we see
another alarm and fear the worst.

Yes, treating it as a P1 makes sense for us so far - we're batting 50/50
for legit problems with this stuff.

Paul

-----Original Message-----
From: jim deleskie [mailto:deleskie at gmail.com] 
Sent: Tuesday, January 13, 2009 10:34 AM
To: Jared Mauch
Cc: NANOG list
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24

Jared,

 Fine which makes it an interesting data point and something to look
at after lunch when I'm not doing something else kinda issue. Not
something I'm going to treat as a P1 and drop everything work or real
life related for.  I'm not say it shouldn't be looked it, just that in
the grand scheme of the thing its not a huge issue.  Kinda like when
people feel the need to tune IGP time sub second convergence but do
impactful maint on routers or circuits 3-4 times a yr.  If you lock
the doggie door but leave the front door open the bad guys can walk
right in. :)

-jim

On Tue, Jan 13, 2009 at 11:06 AM, Jared Mauch <jared at puck.nether.net>
wrote:
> On Tue, Jan 13, 2009 at 07:00:34AM -0800, David Barak wrote:
>> If the concern was a Pilosov/Kapela style hijack, wouldn't the first
thing you'd check be what the address range was?  That would lead you
straight to Randy, and that should have cleared up the matter
straightaway.  Remember: the owner of the IP space is the victim, not
the ASN which gets prepended into the path...
>>
>
>        No, they are both victims.  If I inject a path that purports
> there is an edge between two networks which are engaged in a bitter
> dispute, (i'll use cogent & sprint as an example) - _1239_174_ that
may
> create a situation where someone asserts that their routes are
> being filtered when infact no connectivity exists.
>
>        Does that mean that I hijacked their identiy and forged it?
What
> level of trust do you place in the AS_PATH for your routing, debugging
and
> decision making process?
>
>        Personally, I would be upset if someone injected a route with
my
> ASN in the AS_PATH without my permission.
>
>        - Jared
>
> --
> Jared Mauch  | pgp key available via finger from jared at puck.nether.net
> clue++;      | http://puck.nether.net/~jared/  My statements are only
mine.
>
>

----------------------------------------------------------------------------

"The information transmitted is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. If you received this in error, please contact the sender immediately and then destroy this transmission, including all attachments, without copying, distributing or disclosing same. Thank you."