BGPMON Alert Questions

Blake Dunlap ikiris at gmail.com
Wed Apr 2 20:24:44 UTC 2014


Saw this as well on my blocks.

Is this malicious or did someone redistribute all of bgp with bad upstream
filtering?


On Wed, Apr 2, 2014 at 3:16 PM, James Laszko <jamesl at mythostech.com> wrote:

> I have someone from cat.net.th on the phone and he doesn't speak a lot of
> English and I don't speak any Thai.....  He knew what indosat was and their
> AS number.  He further stated he got my email (never told him who I was),
> but he said he would be replying ASAP.  We only had one /24 announced by
> indosat.
>
>
> James Laszko
> Mythos Technology Inc
>
>
> Sent from my iPad
>
> > On Apr 2, 2014, at 1:08 PM, "Bryan Tong" <contact at nullivex.com> wrote:
> >
> > Another 5 of ours just got hit.
> >
> > Anyone have any ideas on what will be done about it?
> >
> >
> >> On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk <frnkblk at iname.com> wrote:
> >>
> >> bgpmon has tweeted that "We're currently observing a large hijack event.
> >> Indosat AS4761 originating many prefixes not assigned to them."
> >>
> >> Let's hope that AS4651 can quickly apply filters.
> >>
> >> Frank
> >>
> >> -----Original Message-----
> >> From: David Hubbard [mailto:dhubbard at dino.hostasaurus.com]
> >> Sent: Wednesday, April 02, 2014 2:03 PM
> >> To: Joseph Jenkins; nanog at nanog.org
> >> Subject: RE: BGPMON Alert Questions
> >>
> >> If you contact bgpmon support you may be able to get some more in-depth
> >> information.  I've contacted them before with alerts like those and they
> >> were able to give me specific date, time, ASN and interface information
> >> about the peering points that received the announcements; that might
> >> help make what you present to the suspect party more likely to be acted upon.
> >>
> >> -----Original Message-----
> >> From: Joseph Jenkins [mailto:joe at breathe-underwater.com]
> >> Sent: Wednesday, April 02, 2014 2:52 PM
> >> To: nanog at nanog.org
> >> Subject: BGPMON Alert Questions
> >>
> >> So I set up BGPMON for my prefixes and got an alert about someone in
> >> Thailand announcing my prefix.  Everything looks fine to me and I've
> >> checked a bunch of different Looking Glasses and everything is announcing
> >> correctly.
> >>
> >> I am assuming I should be contacting the provider about their
> >> misconfiguration and announcing my prefixes and get them to fix it.  Any
> >> other recommendations?
> >>
> >> Is there a way I can verify what they are announcing just to make sure
> >> they are still doing it?
> >>
> >> Here is the alert for reference:
> >>
> >> Your prefix:          8.37.93.0/24:
> >>
> >> Update time:          2014-04-02 18:26 (UTC)
> >>
> >> Detected by #peers:   2
> >>
> >> Detected prefix:      8.37.93.0/24
> >>
> >> Announced by:         AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
> >> Provider,ID)
> >>
> >> Upstream AS:          AS4651 (THAI-GATEWAY The Communications Authority
> >> of
> >> Thailand(CAT),TH)
> >>
> >> ASpath:               18356 9931 4651 4761
> >
> >
> > --
> > eSited LLC
> > (701) 390-9638
>
>
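
An added example, not part of the original thread: a parser for the BGPMON alert quoted above that folds the mail client's wrapped lines back into their fields and compares the announced origin with the origin the prefix owner expects. The thread never states the legitimate origin AS, so `EXPECTED_ORIGINS` holds a documentation-range placeholder (AS64500), and the function names are hypothetical.

```python
import ipaddress
import re

# Alert text from the thread with quote markers and blank lines removed;
# the wrapped "Announced by" / "Upstream AS" lines are kept as they arrived.
ALERT = """\
Your prefix:          8.37.93.0/24:
Update time:          2014-04-02 18:26 (UTC)
Detected by #peers:   2
Detected prefix:      8.37.93.0/24
Announced by:         AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:          AS4651 (THAI-GATEWAY The Communications Authority
of
Thailand(CAT),TH)
ASpath:               18356 9931 4651 4761
"""

# Constructed placeholder: the page does not give the legitimate origin AS.
EXPECTED_ORIGINS = {64500}
FIELD = re.compile(r"^([A-Za-z][A-Za-z #]*?):\s+(.*)$")

def parse_alert(text):
    """Return {field: value}, appending wrapped lines to the previous field."""
    fields, last = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif line and last:
            fields[last] += " " + line
    return fields

def classify(fields, expected_origins):
    """Label the alert by comparing prefix and origin with what is expected."""
    mine = ipaddress.ip_network(fields["Your prefix"].rstrip(":"))
    seen = ipaddress.ip_network(fields["Detected prefix"])
    path = [int(asn) for asn in fields["ASpath"].split()]
    announced = int(re.match(r"AS(\d+)", fields["Announced by"]).group(1))
    if path[-1] != announced:
        return "inconsistent alert"      # origin in AS path disagrees with header
    if announced in expected_origins:
        return "expected origin"
    if seen == mine:
        return "origin change"           # same prefix, unexpected origin AS
    if seen.subnet_of(mine):
        return "more-specific from unexpected origin"
    return "unrelated prefix"
```
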


