Hijacked Network Ranges - paging Cogent and GBLX/L3

Manish Karir mkarir at merit.edu
Tue Jan 31 20:30:57 UTC 2012


You can take a closer look at the aspaths (lengths) to various global locations by looking at the following:

http://bgptables.merit.edu/prefix.php?z=&z=&prefixcw=208.110.48.0/20&view=all&count=1000
http://bgptables.merit.edu/prefix.php?z=&z=&prefixcw=63.246.112.0/20&view=all&count=1000
http://bgptables.merit.edu/prefix.php?z=&z=&prefixcw=68.66.112.0/20&view=all&count=1000

Hope that helps.

-manish



> Message: 7
> Date: Tue, 31 Jan 2012 22:06:03 +0200
> From: Ido Szargel <ido at oasis-tech.net>
> To: "Schiller, Heather A" <heather.schiller at verizon.com>, Kelvin
> 	Williams <kwilliams at altuscgi.com>, "nanog at nanog.org" <nanog at nanog.org>
> Subject: RE: Hijacked Network Ranges  - paging Cogent and GBLX/L3
> Message-ID:
> 	<7A848D4888ADA94B8A46A17296740133B38D3E5473 at DEXTER.oasis-tech.local>
> Content-Type: text/plain; charset="us-ascii"
> 
> I would go at first by advertising your prefixes as a /24 as well, just
> randomly checked 2 different locations and the as-path to 11325 is shorter
> than to 33611
> This seems to be the case for customers of Tiscali and L3, so this will
> probably get most of your traffic back to you...
> 
> Regards,
> Ido
>> 
>> -----Original Message-----
>> From: Kelvin Williams [mailto:kwilliams at altuscgi.com]
>> Sent: Tuesday, January 31, 2012 1:01 PM
>> To: nanog at nanog.org
>> Subject: Hijacked Network Ranges
>> 
>> Greetings all.
>> 
>> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet
>> Exchange) immediately filter out network blocks that are being advertised by
>> AS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>> 
>> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and
>> 68.66.112.0/20 are registered in various IRRs all as having an origin AS
>> 11325 (ours), and are directly allocated to us.
>> 
>> The malicious hijacking is being announced as /24s therefore making route
>> selection pick them.
>> 
>> Our customers and services have been impaired.  Does anyone have any
>> contacts for anyone at Cavecreek that would actually take a look at ARIN's
>> WHOIS, and IRRs so the networks can be restored and our services back in
>> operation?
>> 
>> Additionally, does anyone have any suggestion for mitigating in the interim?
>> Since we can't announce as /25s and IRRs are apparently a pipe dream.
>> 
>> --
>> Kelvin Williams
>> Sr. Service Delivery Engineer
>> Broadband & Carrier Services
>> Altus Communications Group, Inc.
>> 
> 
> "If you only have a hammer, you tend to see every problem as a nail." --
> Abraham Maslow
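
Added example (not part of the original messages): a Python sketch that checks announcements against the origin registered for the three /20s named in the thread, and shows why a /24 wins route selection until the owner announces the same /24. The specific /24, the AS paths and the transit ASNs 64500-64502 are constructed, and route selection is simplified to prefix length followed by AS-path length.

```python
import ipaddress

# Registered origins as stated in the thread: three /20s, origin AS 11325.
REGISTERED = {
    ipaddress.ip_network("208.110.48.0/20"): 11325,
    ipaddress.ip_network("63.246.112.0/20"): 11325,
    ipaddress.ip_network("68.66.112.0/20"): 11325,
}

# Constructed sample announcements: (prefix, AS path with the origin last).
# The /24 and the transit ASNs 64500-64502 (documentation range) are made up.
ANNOUNCEMENTS = [
    ("208.110.48.0/20", [64500, 64501, 11325]),
    ("208.110.49.0/24", [64500, 19181, 33611]),
    ("63.246.112.0/20", [64502, 11325]),
    ("192.0.2.0/24", [64500, 64501]),
]

def classify(prefix, as_path):
    """Compare one announcement against the registered origins."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for reg, reg_origin in REGISTERED.items():
        if net.version == reg.version and net.subnet_of(reg):
            if origin == reg_origin:
                return "ok"
            kind = "exact" if net == reg else "more-specific"
            return f"{kind} announcement of {reg} by AS{origin}, registered AS{reg_origin}"
    return "not covered"

def best_route(dest, announcements):
    """Simplified selection: longest prefix first, then shortest AS path."""
    ip = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), path) for p, path in announcements
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, path = max(matches, key=lambda m: (m[0].prefixlen, -len(m[1])))
    return str(net), path[-1]

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(prefix, "->", classify(prefix, path))
    print(best_route("208.110.49.10", ANNOUNCEMENTS))
    # The owner also announces the /24: AS-path length now decides.
    fixed = ANNOUNCEMENTS + [("208.110.49.0/24", [64502, 11325])]
    print(best_route("208.110.49.10", fixed))
```

Real BGP best-path selection evaluates local preference and other attributes before AS-path length, so the tie-break here only models the vantage points where the path to 11325 is the shorter one.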



