IPv4 and IPv6 hijacking by AS 6

Anurag Bhatia me at anuragbhatia.com
Fri Apr 13 02:25:36 UTC 2018


Similar for AS2.


A view from Oregon Route-views for AS2 related paths:



*   43.227.224.0/24  208.51.134.254           0             0 3549 3356
6453 4755 133711 133711 133711 2 i
 *                    103.197.104.1                          0 134708 6453
4755 133711 133711 133711 2 i
 *                    212.66.96.126                          0 20912 174
6453 4755 133711 133711 133711 2 i
 *                    217.192.89.50                          0 3303 6453
4755 133711 133711 133711 2 i
 *                    203.62.252.83                          0 1221 4637
6453 4755 133711 133711 133711 2 i

 *   43.227.225.0/24  208.51.134.254           0             0 3549 3356
6453 4755 133711 133711 133711 2 i
 *                    103.197.104.1                          0 134708 6453
4755 133711 133711 133711 2 i
 *                    212.66.96.126                          0 20912 174
6453 4755 133711 133711 133711 2 i
 *                    217.192.89.50                          0 3303 6453
4755 133711 133711 133711 2 i
 *                    203.62.252.83                          0 1221 4637
6453 4755 133711 133711 133711 2 i
*   91.143.144.0/20  208.51.134.254           0             0 3549 3356
12389 41837 41837 2 i
 *                    212.66.96.126                          0 20912 1267
12389 41837 41837 2 i
 *                    37.139.139.0                           0 57866 6762
12389 41837 41837 2 i
 *                    195.208.112.161                        0 3277 3267
12389 41837 41837 2 i
 *                    93.104.209.174                         0 58901 51167
3356 12389 41837 41837 2 i
 *                    193.0.0.56                             0 3333 1103
12389 41837 41837 2 i

*   103.63.234.0/24  208.51.134.254           0             0 3549 3356
2914 132602 58715 55406 2 134403 i
 *                    212.66.96.126                          0 20912 174
132602 58715 55406 2 65501 134403 i
 *                    134.222.87.1           650             0 286 6762
132602 58715 55406 2 134403 i
 *                    194.85.40.15             0             0 3267 174
132602 58715 55406 2 65501 134403 i
 *                    12.0.1.63                              0 7018 2914
132602 58715 55406 2 134403 i
 *                    37.139.139.0                           0 57866 6762
132602 58715 55406 2 134403 i



(and lot more!)





On Fri, Apr 13, 2018 at 12:31 AM, Job Snijders <job at instituut.net> wrote:

> On Thu, 12 Apr 2018 at 11:52, Matt Harris <matt at netfire.net> wrote:
>
> > On Thu, Apr 12, 2018 at 12:05 PM, <lists at as23738.net> wrote:
> >
> > > Have you tried their IRR entries? Bull appears to redirect to Atos now
> > > (site-wise).
> > >
> > > notify:     ed.gienko at atos.net
> > > notify:     charlie.molnar at atos.net
> > > changed:    christophe.fraule at atos.net 20180117  #18:47:40Z
> > >
> >
> > I'm now in touch with Christophe; it looks as though perhaps there's a
> > separate, rogue AS 6 running around with a different set of
> peers/transits,
> > as he was able to confirm that none of his gear is advertising these
> > prefixes.
>
>
>
> That is what I feared as well. It appears the single digit ASNs often fall
> victim of other people’s misconfigurations or malicious activities. Hard to
> separate the impersonator from the real autonomous system.
>
> Job
>



-- 


Anurag Bhatia
anuragbhatia.com


More information about the NANOG mailing list