Cisco/Level3 takedown

Blake Hudson blake at ispn.net
Thu Apr 9 15:55:43 UTC 2015


Reading the article, I assumed that perhaps Level 3 was an upstream 
carrier, but RIPE stats shows that the covering prefix (103.41.120.0/22) 
is announced by AS63509, an Indonesian organization. It looks like 
they're fighting back by announcing their own /24 now.

I love the AS's address:
descr:Jl. Marcedes Bens No.258
descr:Gunung Putri, Bogor
descr:Jawa Barat 16964
country:ID

While a Level 3 /24 announcement will certainly have a worldwide 
impact, I agree that it seems misguided when the originating AS can 
announce their own /24. It does make one wonder why Cisco or Level 3 is 
involved, why they feel they have the authority to hijack someone else's 
IP space, and why they didn't go through law enforcement. This is 
especially true for the second netblock (43.255.190.0/23), announced by 
a US company (AS26484).

--Blake

Sameer Khosla wrote on 4/9/2015 10:31 AM:
> Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables.
>
> Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why Cisco published the ssh attack dictionary.
>
> It seems to me that this is something that if they want to do, they should be working with the entire service provider community, not just one provider.
>
>
> Thanks
>
> Sameer Khosla
> Managing Director
> Neutral Data Centers Corp.
> Twitter: @skhoslaTO
>
>
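
The longest-prefix-match reasoning discussed in this thread, as an added Python example that is not part of either message: it shows which origin is selected for a destination before and after the covering origin announces its own /24s, and flags more-specifics originated by an AS other than the covering route's origin. The routing table is constructed; 43.255.190.0/23 and AS26484 come from the post, and AS64500 is a documentation-range placeholder (an assumption) for the second originator.

```python
import ipaddress

# Constructed routing-table snapshot. 43.255.190.0/23 and AS26484 are from the
# post; AS64500 (documentation range, RFC 5398) is a placeholder for a second
# party originating the more-specific /24s.
COVERING_ONLY = [("43.255.190.0/23", 26484),
                 ("43.255.190.0/24", 64500),
                 ("43.255.191.0/24", 64500)]
# The same table after the covering origin announces its own /24s.
CONTESTED = COVERING_ONLY + [("43.255.190.0/24", 26484),
                             ("43.255.191.0/24", 26484)]


def parse(table):
    return [(ipaddress.ip_network(prefix), asn) for prefix, asn in table]


def best_origins(table, dest):
    """Origin ASNs of the longest prefix covering dest (longest-prefix match).

    More than one ASN means the prefix lengths tie, so the winner depends on
    each router's BGP path selection rather than on prefix length alone.
    """
    addr = ipaddress.ip_address(dest)
    matches = [(net, asn) for net, asn in parse(table) if addr in net]
    if not matches:
        return set()
    longest = max(net.prefixlen for net, _ in matches)
    return {asn for net, asn in matches if net.prefixlen == longest}


def foreign_more_specifics(table):
    """More-specific routes whose origin differs from every covering origin."""
    routes = parse(table)
    flagged = []
    for net, asn in routes:
        covering = {a for n, a in routes
                    if n.prefixlen < net.prefixlen and net.subnet_of(n)}
        if covering and asn not in covering:
            flagged.append((str(net), asn, sorted(covering)))
    return flagged


if __name__ == "__main__":
    print(best_origins(COVERING_ONLY, "43.255.190.10"))  # more-specific wins
    print(best_origins(CONTESTED, "43.255.190.10"))      # equal length: tie
    for route in foreign_more_specifics(CONTESTED):
        print("origin mismatch:", route)
```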




More information about the NANOG mailing list