BGP hijack: 64.68.207.0/24 from as133955

Sandra Murphy sandy at tislabs.com
Wed Oct 4 18:32:08 UTC 2017


Not to respond to my own post, or anything.  But.

Another interesting thing.

bgp.he.net reports show that AS133955 is/was also announcing 69.172.127.0/24  "WiMore S.r.l.".  bgp.he.net shows a red key icon on that origination, meaning that there’s an RPKI ROA that does not match that origination.  And bgp.he.net reports an RADP route object with a proxy registration for AS133955 to originate 69.172.127.0/24, registered on 9/25 like the three prefixes below.  

RADB still reports that route object (along with a very old one)

route: 69.172.127.0/24
descr: Fleg Asia Telecom Ltd
Proxy-registered route object
origin: AS133955
notify: ipbb-apol at aptg.com.tw
mnt-by: MAINT-AS17709
changed: kiayang at aptg.com.tw 20170925 #00:31:36Z
source: RADB

route: 69.172.64.0/18
descr: Canaca-Com Inc
descr: 1650 Dundas Street East Unit 203
descr: Mississauga, Ontario
descr: CA
origin: AS33139
mnt-by: MNT-CANAC
changed: peering at canaca.com 20100624
source: ARIN

stats.ripe.net shows 69.172.127.0/24 is presently being announced - "Originated by: AS133955 (valid route object in RADB)”, "100% visible (by 157 of 157 RIS full peers)"

The RPKI says that AS34526 (WiMore S.r.l.) is authorized to originate 69.172.96.0/19.  But the aggregate prefix is not being announced.  If the AS133955 origination is valid, they really ought to update their ROA.

Hm. I am curious about that prefix.  Is it being hijacked?  Or am I just reading everything wrong?

—Sandy

> On Oct 4, 2017, at 1:45 PM, Sandra Murphy <sandy at tislabs.com> wrote:
> 
> 
>> On Oct 4, 2017, at 11:29 AM, Theodore Baschak <theodore at ciscodude.net> wrote:
>> 
>> I noticed when I looked into both of these leaks 3 hours after Clinton's
>> message yesterday that I couldn't see them in any of the looking glasses I
>> was looking in (including the NLNOG looking glass)
>> 
>> Looks like things were able to be cleaned up very quickly.
> 
> Interesting.
> 
> bgp.he.net is still reporting AS133955 as the originator of 64.68.207.0/24.  I don’t know what their refresh cycle is.
> 
> And, oh look, bgp.he.net points to an RADB proxy registration for the AS133955 origination.  RADB no longer reports that route object.  But it must have been there at some point.
> 
> RADB
> route:      64.68.207.0/24
> 
> descr:      Fleg Asia Telecom Ltd
>            Proxy-registered route object
> origin:     AS133955
> notify:     ipbb-apol at aptg.com.tw
> mnt-by:     MAINT-AS17709
> changed:    kiayang at aptg.com.tw 20170830  #05:45:57Z
> source:     RADB
> 
> stat.ripe.net (bless you, RIPE!) shows that 64.68.207.0/24 has been originated by AS133955 off and on for the last month (since the RADB route object’s change date?) in the BGP Update Activity and Routing History graphs.  And a huge flurry of activity yesterday.
> 
> Could I be reading all this wrong?  Seems to have been going on for quite a while.
> 
> —Sandy
> 
> P.S.  The other three prefixes mentioned below show similar results in bgp.he.net, with route objects proxy registered on 9/25, and similar results in stats.ripe.net, with off-and-on announcements, more off than on for these, closely timed with the route object registration. 
> 
> 
>> 
>> 
>> 
>> Theodore Baschak - AS395089 - Hextet Systems
>> https://bgp.guru/ - https://hextet.net/
>> http://mbix.ca/ - http://mbnog.ca/
>> 
>> 
>> 
>> 
>> On Tue, Oct 3, 2017 at 6:29 PM, Clinton Work <clinton at scripty.com> wrote:
>> 
>>> TELUS AS852 has three address blocks hijacked by AS133955 as well.   We
>>> have not been able to get in contact with AS24155.  It looks like they
>>> are buying transit from PCCW AS3491 and Taiwan Internet Gateway AS9505.
>>> 
>>> 68.182.255.0/24
>>> 74.49.255.0/24
>>> 96.1.255.0/24
>>> 
>>> 
>>> On Tue, Oct 3, 2017, at 10:30 AM, Mark Jeftovic wrote:
>>>> 
>>>> as133955 is broadcasting bogus BGP announcement for our netblock
>>>> 64.68.207.0/24
>>>> 
>>>> It's in China, and we're trying to contact as24155 but they are also in
>>>> China and we're just emailing their whois record address.
>>>> 
>>>> If you're nearby and in a position to block/dampen that might be helpful.
>>>> 
>>>> Thx
>>>> 
>>>> - mark
>>>> 
>>>> --
>>>> Mark Jeftovic <markjr at easydns.com>
>>>> Founder & CEO, easyDNS Technologies Inc.
>>>> http://www.easyDNS.com
>>>> 
>>>> 
>>> 




More information about the NANOG mailing list