HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

Christopher Morrow morrowc.lists at gmail.com
Thu Mar 31 11:18:08 CDT 2011


On Thu, Mar 31, 2011 at 5:33 PM, Tony Tauber <ttauber at 1-4-5.net> wrote:
> I don't believe this record indicates that Level3 proxy registered the route
> object.
> It means that someone used the DBANK-MNT maintainer ID in the Level3 RR to
> enter a route object 18 months ago.
>

possibly...

> It looks like Level3 is originating the route in AS3356, not accepting it
> from AS13767 (which is what the object would suggest to do.)
>
> Oops, looks like the route is now gone.  Guess it got cleaned.
>

l3 ams router says:
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i148.163.0.0/20   4.69.181.3               0    100      0 i
* i                 4.69.181.3               0    100      0 i
*>i148.163.64.0/20  4.69.181.3               0    100      0 i
* i                 4.69.181.3               0    100      0 i
*  148.163.178.0/24 213.206.131.45      100000     86      0 1239 13767 i
* i                 4.69.185.185                  100      0 13767 i
*>i                 4.69.185.185                  100      0 13767 i
*  148.163.179.0/24 213.206.131.45      100000     86      0 1239 13767 i
* i                 4.69.185.185                  100      0 13767 i
*>i                 4.69.185.185                  100      0 13767 i
* i148.163.224.0/19 4.69.181.3               0    100      0 i
*>i                 4.69.181.3               0    100      0 i

there's a possibility that, in this case, L3 is simply holding up the
/16 for their customer, sinking junk traffic and permitting more
specifics by the customer? (it's not clear here, though the above
seems to show sprint propogating databank's prefixes while L3 is
originating some parts of the /16 still.

<http://www.robtex.com/as/as13767.html>

indicates that the 2 upstreams for databank are apparently L3 and sprint.

-Chris

> Tony
>
> On Thu, Mar 31, 2011 at 5:49 AM, Christopher Morrow
> <morrowc.lists at gmail.com> wrote:
>>
>> I forgot:
>> $ whois -h whois.radb.net 148.163.0.0
>> route:         148.163.0.0/16
>> descr:         /16 for Celanese
>> origin:        AS13767
>> mnt-by:        DBANK-MNT
>> changed:       jpope at databank.com 20090818
>> source:        LEVEL3
>>
>> (this means l3 proxy'd in the record, I think... maybe an L3 person
>> can speak to this bit?)
>>
>> > -chris
>> > (being able to validate 'ownership', really authorization to route,
>> > automatically will sure be nice, eh?)
>> >
>>
>
>




More information about the NANOG mailing list