Illegal usage of AS51888 (and PI 220.127.116.11/24) from AS42989 and AS57954 (in Ukraine)
kiwi at oav.net
Fri May 3 17:49:20 UTC 2013
Seems there are some people in Ukraine that love to use IPs and ASes that don't belong to them.
#sh ip bgp 18.104.22.168/24
BGP routing table entry for 22.214.171.124/24, version 6661169
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Advertised to update-groups:
174 8359 8359 13249 57954 42989 51888, (received & used)
149.11.xx.xx from 149.11.xxx.xxx (38.28.xx.xx)
Origin IGP, metric 14050, localpref 100, valid, external, best
Community: 11424365 11425269
24990 21371 8359 13249 57954 42989 51888, (received & used)
126.96.36.199 (metric 10) from 185.17.xxx.xxx (185.17.xxx.xxx)
Origin IGP, metric 0, localpref 100, valid, internal, not synchronized
According to the RIPE database:
descr: Pilot Systems consulting SARL
import: from AS16128 accept ANY
import: from AS29075 accept ANY
import: from AS35189 accept ANY
export: to AS16128 announce AS51888
export: to AS29075 announce AS51888
export: to AS35189 announce AS51888
source: RIPE #Filtered
Seems that there is no AS42989 as upstream.... So we can consider that AS42989 is handling illicit activities, and does not filter prefixes (same also for AS57954).
That's cool, but those people in UA use that prefix to send spam; as an LIR member I got thousands of mails from people that get those IPs as spam source.
RPKI and other stuff really need to be deployed massively.
If some people from those UA ASes could do their job instead of being the honeypot of spammers, this would be better for everyone.
I have already tried to contact the abuse / email addresses from the RIPE database: no MX, mailbox doesn't exist, even the domain doesn't exist...
Maybe AS-MTU doesn't look at the quality of their customers? So bad...
People there that have some PI and an unused AS, have a look to see if your resources are not used by someone that should not use them.
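The comparison made in the message above (observed AS paths against the neighbors declared in the aut-num object), as an added example that is not part of the original post. The function names are hypothetical, the policy lines and paths are copied from the message, and the code assumes plain space-separated AS paths with no AS_SET.

```python
import re

# RPSL policy lines for AS51888 as quoted in the post (RIPE aut-num object).
AUT_NUM = """\
import: from AS16128 accept ANY
import: from AS29075 accept ANY
import: from AS35189 accept ANY
export: to AS16128 announce AS51888
export: to AS29075 announce AS51888
export: to AS35189 announce AS51888
"""

# AS paths as shown in the "sh ip bgp" output in the post.
OBSERVED_PATHS = [
    "174 8359 8359 13249 57954 42989 51888",
    "24990 21371 8359 13249 57954 42989 51888",
]

def declared_neighbors(rpsl: str) -> set[int]:
    """ASNs the origin says it exports its routes to."""
    return {int(m) for m in re.findall(r"^export:\s+to\s+AS(\d+)\s", rpsl, re.M | re.I)}

def first_hop(as_path: str, origin: int):
    """AS adjacent to the origin, skipping prepends; None if the path has another origin."""
    hops = [int(x) for x in as_path.split()]
    if not hops or hops[-1] != origin:
        return None
    for asn in reversed(hops):
        if asn != origin:
            return asn
    return None  # path contains only the origin AS

def check_path(as_path: str, origin: int, neighbors: set[int]) -> str:
    hop = first_hop(as_path, origin)
    if hop is None:
        return "skip"
    if hop in neighbors:
        return "ok"
    return f"suspect: AS{hop} is not a declared neighbor of AS{origin}"

def audit(paths, origin: int, rpsl: str) -> dict:
    neighbors = declared_neighbors(rpsl)
    return {p: check_path(p, origin, neighbors) for p in paths}

if __name__ == "__main__":
    for path, verdict in audit(OBSERVED_PATHS, 51888, AUT_NUM).items():
        print(f"{path} -> {verdict}")
```

Both paths end in the registered origin AS51888, so a check on the origin AS alone would pass them; the adjacency to AS42989 is what stands out. A mismatch is a signal to investigate rather than proof, since aut-num policy is often out of date.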