Spectrum prefix hijacks

Christopher Morrow morrowc.lists at gmail.com
Wed Jan 3 02:30:47 UTC 2018


It looks like 203040 is a pure transit AS (no originated prefixes) and 1103
- surfnet could squish what is your view anyway.

On Tue, Jan 2, 2018 at 9:29 PM, Christopher Morrow <morrowc.lists at gmail.com>
wrote:

>
>
> On Tue, Jan 2, 2018 at 8:50 PM, James Milko <jmilko at gmail.com> wrote:
>
>> Not sure if anyone from Spectrum is looking here at this hour, but someone
>> is hijacking a few of your prefixes.  It's causing problems in my area (NC)
>> with reaching Google services.  I'm sure there are other impacts, but
>> that's what people are noticing.
>>
>> Sorry if this hits the list twice, I sent it from the wrong e-mail address
>> the first go round.
>>
>>      Network          Next Hop            Metric LocPrf Weight Path
>>  *   107.12.0.0/16    193.0.0.56                             0 3333 1103 203040 10512 i
>>  *>                   103.247.3.45                           0 58511 203040 10512 i
>>  *   107.13.0.0/16    193.0.0.56                             0 3333 1103 203040 10512 i
>>  *>                   103.247.3.45                           0 58511 203040 10512 i
>>  *   107.14.0.0/16    193.0.0.56                             0 3333 1103 203040 10512 i
>>  *>                   103.247.3.45                           0 58511 203040 10512 i
>>  *   107.15.0.0/16    193.0.0.56                             0 3333 1103 203040 10512 i
>>  *                    103.247.3.45                           0 58511 203040 10512 i
>>
>
> E-Forex you say? shocker:
>
> AS      | BGP IPv4 Prefix     | AS Name
> 10512   | 102.164.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 102.194.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 103.116.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 106.128.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 106.129.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 106.130.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 106.131.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 107.12.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 107.13.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 107.14.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 107.15.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 14.5.0.0/16         | EFOREX-AS - E-FOREX, US
> 10512   | 147.17.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 180.237.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 42.183.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.185.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.186.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.187.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.188.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.189.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.190.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.191.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.192.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.193.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.194.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.195.0.0/16       | EFOREX-AS - E-FOREX, US
>
> I'm going to guess they are hijacking a bunch of space and sending spam?
> (the 42/8 space is variously Telecom Malaysia and China Unicom)
> the 102 space is un-allocated AFRINIC space... probably no good these folk
> are up to.
>
>
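
An added example, not part of the original thread: RFC 6811-style route origin validation run over the AS paths quoted above, plus the AS sitting directly upstream of the origin in each path. The ROA entry and AS64500 (a documentation ASN) are constructed stand-ins, since the thread does not name the legitimate origin AS.

```python
import ipaddress

# AS paths re-typed from the quoted BGP table; every prefix showed both.
PATHS = ["3333 1103 203040 10512", "58511 203040 10512"]
ROUTES = [(f"107.{n}.0.0/16", p) for n in range(12, 16) for p in PATHS]

# CONSTRUCTED ROA table: (prefix, max length, authorised origin AS).
# AS64500 is a documentation ASN standing in for the legitimate holder,
# which the thread does not name.
ROAS = [("107.12.0.0/14", 16, 64500)]

def validate(prefix, origin, roas=ROAS):
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # at least one ROA covers this route
            if net.prefixlen <= max_len and origin == roa_asn:
                return "valid"
    # Covered but no ROA matched origin and length: invalid, not unknown.
    return "invalid" if covered else "not-found"

def report(routes=ROUTES):
    """Map each prefix to the set of (origin AS, state) pairs seen."""
    seen = {}
    for prefix, path in routes:
        origin = int(path.split()[-1])  # origin is the right-most AS
        seen.setdefault(prefix, set()).add((origin, validate(prefix, origin)))
    return seen

def origin_upstreams(routes=ROUTES):
    """ASes directly left of the origin: the ones passing the routes on."""
    return {int(p.split()[-2]) for _, p in routes if len(p.split()) > 1}

if __name__ == "__main__":
    for prefix, results in sorted(report().items()):
        print(prefix, sorted(results))
    print("upstream of origin:", sorted(origin_upstreams()))
```
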


