BGP hijack: 64.68.207.0/24 from as133955

Sandra Murphy sandy at tislabs.com
Wed Oct 4 17:45:41 CST 2017


> On Oct 4, 2017, at 11:29 AM, Theodore Baschak <theodore at ciscodude.net> wrote:
> 
> I noticed when I looked into both of these leaks 3 hours after Clinton's
> message yesterday that I couldn't see them in any of the looking glasses I
> was looking in (including the NLNOG looking glass)
> 
> Looks like things were able to be cleaned up very quickly.

Interesting.

bgp.he.net is still reporting AS133955 as the originator of 64.68.207.0/24.  I don’t know what their refresh cycle is.

And, oh look, bgp.he.net points to an RADB proxy registration for the AS133955 origination.  RADB no longer reports that route object.  But it must have been there at some point.

RADB
route:      64.68.207.0/24

descr:      Fleg Asia Telecom Ltd
            Proxy-registered route object
origin:     AS133955
notify:     ipbb-apol at aptg.com.tw
mnt-by:     MAINT-AS17709
changed:    kiayang at aptg.com.tw 20170830  #05:45:57Z
source:     RADB

stat.ripe.net (bless you, RIPE!) shows that 64.68.207.0/24 has been originated by AS133955 off and on for the last month (since the RADB route object’s change date?) in the BGP Update Activity and Routing History graphs.  And a huge flurry of activity yesterday.

Could I be reading all this wrong?  Seems to have been going on for quite a while.

—Sandy

P.S.  The other three prefixes mentioned below show similar results in bgp.he.net, with route objects proxy registered on 9/25, and similar results in stats.ripe.net, with off-and-on announcements, more off than on for these, closely timed with the route object registration. 


> 
> 
> 
> Theodore Baschak - AS395089 - Hextet Systems
> https://bgp.guru/ - https://hextet.net/
> http://mbix.ca/ - http://mbnog.ca/
> 
> 
> 
> 
> On Tue, Oct 3, 2017 at 6:29 PM, Clinton Work <clinton at scripty.com> wrote:
> 
>> TELUS AS852 has three address blocks hijacked by AS133955 as well.   We
>> have not been able to get in contact with AS24155.  It looks like they
>> are buying transit from PCCW AS3491 and Taiwan Internet Gateway AS9505.
>> 
>> 68.182.255.0/24
>> 74.49.255.0/24
>> 96.1.255.0/24
>> 
>> 
>> On Tue, Oct 3, 2017, at 10:30 AM, Mark Jeftovic wrote:
>>> 
>>> as133955 is broadcasting bogus BGP announcement for our netblock
>>> 64.68.207.0/24
>>> 
>>> It's in China, and we're trying to contact as24155 but they are also in
>>> China and we're just emailing their whois record address.
>>> 
>>> If you're nearby and in a position to block/dampen that might be helpful.
>>> 
>>> Thx
>>> 
>>> - mark
>>> 
>>> --
>>> Mark Jeftovic <markjr at easydns.com>
>>> Founder & CEO, easyDNS Technologies Inc.
>>> http://www.easyDNS.com
>>> 
>>> 
>> 



More information about the NANOG mailing list