IPv4 and IPv6 hijacking by AS 6

Bjørn Mork bjorn at mork.no
Sat Apr 14 11:26:20 UTC 2018


Randy Bush <randy at psg.com> writes:

>> I believe we've seen bogus low AS number announcements a few times
>> before, and they've usually been caused by attempts to configure
>> AS path prepending without understanding and/or reading the docs.
>> 
>> Someone might have wrongly assumed that
>> 
>>    set as-path prepend 133711 133711
>> 
>> could be written shorter like
>> 
>>    set as-path prepend 133711 2
>> 
>> and there you go...
>
> for someone else's prefix?

No, of course not. At least I have no reason to believe so.

I briefly looked at a couple of the examples Anurag posted.  And for
those, the next AS number in the path seemed consistent with the prefix
owner:

*   43.227.224.0/24  208.51.134.254           0             0 3549 3356 6453 4755 133711 133711 133711 2 i
*   91.143.144.0/20  208.51.134.254           0             0 3549 3356 12389 41837 41837 2 i


bjorn at miraculix:~$ whois 43.227.224.0/24 |grep origin
origin:         AS133711
origin:         AS58965

bjorn at miraculix:~$ whois 91.143.144.0/20  |grep origin
origin:         AS41837



Bjørn
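
The check described in the message above can be scripted. This is an added example, not part of the original post: it flags paths whose origin is a small number sitting right after a repeated AS, then compares that repeated AS with the IRR origins. The function names, the `max_count` threshold and the assumed column layout are hypothetical.

```python
# Rows copied from the message above (router BGP table output).
SAMPLE = """\
*   43.227.224.0/24  208.51.134.254           0             0 3549 3356 6453 4755 133711 133711 133711 2 i
*   91.143.144.0/20  208.51.134.254           0             0 3549 3356 12389 41837 41837 2 i
"""
# IRR origins taken from the whois output quoted in the message.
IRR_ORIGINS = {"43.227.224.0/24": {133711, 58965}, "91.143.144.0/20": {41837}}

def parse_row(line):
    """Return (prefix, as_path) or None. Assumes the column layout of SAMPLE."""
    t = line.split()
    if len(t) < 7 or not t[0].startswith("*") or "/" not in t[1]:
        return None
    hops = t[5:-1]  # skip status, prefix, next hop, two numeric attribute columns
    if not all(h.isdigit() for h in hops):
        return None
    return t[1], [int(h) for h in hops]

def suspect_prepend_typo(path, irr_origins=frozenset(), max_count=10):
    """Flag a path whose origin looks like a repeat count rather than a real AS.

    max_count is an assumed upper bound on a plausible prepend count.
    """
    if len(path) < 2:
        return None
    origin, prev = path[-1], path[-2]
    if origin > max_count or origin == prev or origin in irr_origins:
        return None
    repeats = 0
    for asn in reversed(path[:-1]):  # count trailing copies of the previous AS
        if asn != prev:
            break
        repeats += 1
    return {"bogus_origin": origin, "likely_origin": prev,
            "prepends_seen": repeats, "irr_match": prev in irr_origins}

def scan(table, irr):
    """Return [(prefix, finding)] for every row that matches the heuristic."""
    findings = []
    for line in table.splitlines():
        row = parse_row(line)
        if row:
            hit = suspect_prepend_typo(row[1], irr.get(row[0], frozenset()))
            if hit:
                findings.append((row[0], hit))
    return findings

if __name__ == "__main__":
    for prefix, hit in scan(SAMPLE, IRR_ORIGINS):
        print(prefix, hit)
```

An `irr_match` of true means the AS next to the low-numbered origin is a registered origin for the prefix, which fits a prepend misconfiguration by the prefix holder rather than an announcement of someone else's prefix.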

