BGP hijack: 64.68.207.0/24 from as133955
Sandra Murphy
sandy at tislabs.com
Wed Oct 4 18:32:08 UTC 2017
Not to respond to my own post, or anything. But.
Another interesting thing.
bgp.he.net reports show that AS133955 is/was also announcing 69.172.127.0/24 "WiMore S.r.l.". bgp.he.net shows a red key icon on that origination, meaning that there’s an RPKI ROA that does not match that origination. And bgp.he.net reports an RADB route object with a proxy registration for AS133955 to originate 69.172.127.0/24, registered on 9/25 like the three prefixes below.
RADB still reports that route object (along with a very old one)
route: 69.172.127.0/24
descr: Fleg Asia Telecom Ltd
Proxy-registered route object
origin: AS133955
notify: ipbb-apol at aptg.com.tw
mnt-by: MAINT-AS17709
changed: kiayang at aptg.com.tw 20170925 #00:31:36Z
source: RADB
route: 69.172.64.0/18
descr: Canaca-Com Inc
descr: 1650 Dundas Street East Unit 203
descr: Mississauga, Ontario
descr: CA
origin: AS33139
mnt-by: MNT-CANAC
changed: peering at canaca.com 20100624
source: ARIN
stats.ripe.net shows 69.172.127.0/24 is presently being announced - "Originated by: AS133955 (valid route object in RADB)", "100% visible (by 157 of 157 RIS full peers)"
The RPKI says that AS34526 (WiMore S.r.l.) is authorized to originate 69.172.96.0/19. But the aggregate prefix is not being announced. If the AS133955 origination is valid, they really ought to update their ROA.
Hm. I am curious about that prefix. Is it being hijacked? Or am I just reading everything wrong?
—Sandy
> On Oct 4, 2017, at 1:45 PM, Sandra Murphy <sandy at tislabs.com> wrote:
>
>
>> On Oct 4, 2017, at 11:29 AM, Theodore Baschak <theodore at ciscodude.net> wrote:
>>
>> I noticed when I looked into both of these leaks 3 hours after Clinton's
>> message yesterday that I couldn't see them in any of the looking glasses I
>> was looking in (including the NLNOG looking glass)
>>
>> Looks like things were able to be cleaned up very quickly.
>
> Interesting.
>
> bgp.he.net is still reporting AS133955 as the originator of 64.68.207.0/24. I don’t know what their refresh cycle is.
>
> And, oh look, bgp.he.net points to an RADB proxy registration for the AS133955 origination. RADB no longer reports that route object. But it must have been there at some point.
>
> RADB
> route: 64.68.207.0/24
>
> descr: Fleg Asia Telecom Ltd
> Proxy-registered route object
> origin: AS133955
> notify: ipbb-apol at aptg.com.tw
> mnt-by: MAINT-AS17709
> changed: kiayang at aptg.com.tw 20170830 #05:45:57Z
> source: RADB
>
> stat.ripe.net (bless you, RIPE!) shows that 64.68.207.0/24 has been originated by AS133955 off and on for the last month (since the RADB route object’s change date?) in the BGP Update Activity and Routing History graphs. And a huge flurry of activity yesterday.
>
> Could I be reading all this wrong? Seems to have been going on for quite a while.
>
> —Sandy
>
> P.S. The other three prefixes mentioned below show similar results in bgp.he.net, with route objects proxy registered on 9/25, and similar results in stats.ripe.net, with off-and-on announcements, more off than on for these, closely timed with the route object registration.
>
>
>>
>>
>>
>> Theodore Baschak - AS395089 - Hextet Systems
>> https://bgp.guru/ - https://hextet.net/
>> http://mbix.ca/ - http://mbnog.ca/
>>
>>
>>
>>
>> On Tue, Oct 3, 2017 at 6:29 PM, Clinton Work <clinton at scripty.com> wrote:
>>
>>> TELUS AS852 has three address blocks hijacked by AS133955 as well. We
>>> have not been able to get in contact with AS24155. It looks like they
>>> are buying transit from PCCW AS3491 and Taiwan Internet Gateway AS9505.
>>>
>>> 68.182.255.0/24
>>> 74.49.255.0/24
>>> 96.1.255.0/24
>>>
>>>
>>> On Tue, Oct 3, 2017, at 10:30 AM, Mark Jeftovic wrote:
>>>>
>>>> as133955 is broadcasting bogus BGP announcement for our netblock
>>>> 64.68.207.0/24
>>>>
>>>> It's in China, and we're trying to contact as24155 but they are also in
>>>> China and we're just emailing their whois record address.
>>>>
>>>> If you're nearby and in a position to block/dampen that might be helpful.
>>>>
>>>> Thx
>>>>
>>>> - mark
>>>>
>>>> --
>>>> Mark Jeftovic <markjr at easydns.com>
>>>> Founder & CEO, easyDNS Technologies Inc.
>>>> http://www.easyDNS.com
>>>>
>>>>
>>>
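The cross-check Sandy is doing by hand above (does the RPKI ROA cover the announced prefix and origin AS, and is the only supporting evidence a proxy-registered IRR route object?) is RFC 6811 route origin validation plus an IRR lookup. The following is an added example, not code from the thread or from any of the tools mentioned in it (bgp.he.net, RADB, stat.ripe.net). The ROA set is constructed from the one ROA the thread names (AS34526 for 69.172.96.0/19); its maxLength is not stated in the thread and is assumed to equal the prefix length. The RPSL text is constructed from the RADB objects quoted above, minus the 64.68.207.0/24 object that RADB no longer returned.

```python
"""Cross-check a BGP origin against RPKI ROAs and IRR route objects.

Added example, not from the NANOG thread or from bgp.he.net/RADB/RIPEstat.
All data below is constructed from what the thread states; the ROA
maxLength is an assumption (the thread does not give it).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str
    asn: int
    max_length: int


# Constructed from the thread: RPKI authorizes AS34526 for 69.172.96.0/19.
# maxLength is ASSUMED to be 19 (what a ROA without an explicit maxLength means).
ROAS = [Roa("69.172.96.0/19", 34526, 19)]


def rpki_validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 origin validation: returns 'Valid', 'Invalid' or 'NotFound'.

    A ROA 'covers' a route when the ROA prefix contains the route prefix.
    With no covering ROA the state is NotFound; with at least one covering ROA
    the route is Valid only if some covering ROA has the same origin AS and
    the route's prefix length does not exceed that ROA's maxLength.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed RPSL text, transcribed from the route objects quoted in the thread.
RADB_TEXT = """\
route:      69.172.127.0/24
descr:      Fleg Asia Telecom Ltd
            Proxy-registered route object
origin:     AS133955
mnt-by:     MAINT-AS17709
source:     RADB

route:      69.172.64.0/18
descr:      Canaca-Com Inc
origin:     AS33139
mnt-by:     MNT-CANAC
source:     ARIN
"""


def parse_rpsl(text: str) -> list:
    """Parse RPSL objects: blank-line separated, 'key: value' attributes,
    continuation lines begin with whitespace and extend the previous attribute."""
    objects, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                objects.append(cur)
            cur, last = {}, None
            continue
        if line[0].isspace() and last:
            cur[last] += " " + line.strip()
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        cur[key] = (cur[key] + " " + val) if key in cur else val
        last = key
    if cur:
        objects.append(cur)
    return objects


def triage(prefix: str, origin_asn: int, roas=ROAS, irr_text=RADB_TEXT):
    """Return (rpki_state, has_irr_route_object, irr_object_is_proxy_registered).

    An IRR route object only records that *someone* registered the pair; a
    proxy registration by a transit provider's maintainer is not authorization
    from the address holder, which is what the ROA expresses.
    """
    state = rpki_validate(prefix, origin_asn, roas)
    matches = [o for o in parse_rpsl(irr_text)
               if o.get("route") == prefix and o.get("origin") == f"AS{origin_asn}"]
    proxy = any("proxy-registered" in o.get("descr", "").lower() for o in matches)
    return state, bool(matches), proxy


if __name__ == "__main__":
    for pfx, asn in [("69.172.127.0/24", 133955), ("64.68.207.0/24", 133955)]:
        print(pfx, f"AS{asn}", triage(pfx, asn))
```

Under the assumed maxLength, 69.172.127.0/24 from AS133955 comes back Invalid (covered by the AS34526 ROA, wrong origin) while still having a proxy-registered RADB object, which is exactly the red-key-plus-route-object combination reported above; 64.68.207.0/24 from AS133955 is NotFound because no ROA in the constructed set covers it, so RPKI alone says nothing about that hijack. Routers doing origin validation drop or depref Invalid routes but accept NotFound ones, which is why a ROA for 64.68.207.0/24 would have mattered.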