AS3266: BitCanal hijack factory, courtesy of many connectivity providers

Fredrik Korsbäck hugge at nordu.net
Tue Jul 10 20:00:41 UTC 2018


On 2018-07-09 17:24, Fredrik Korsbäck wrote:
> On 2018-07-06 21:18, Tom Paseka via NANOG wrote:
>> Hi,
>>
>> I've been casually observing the connectivity to Bitcanal / AS3266 /
>> AS197426 since the thread started.
>>
>> After GTT shared that Bitcanal had been disconnected, Bitcanal was only
>> visible behind Cogent. But the Cogent path now also seems to have been
>> disconnected. After Cogent they popped up behind BICS (but just for a few
>> days), that circuit seems to have been disconnected too.
>>
>> On the IX front: I noticed that Bitcanal's IP addresses on LINX (since
>> yesterday) and FranceIX (since today) are no longer responding.
>>
>> It is good to see that discussing BGP hijacking abuse complaints actually
>> results in clean up activities. I hope the remaining IXs they're still
>> connected to can act too.
>>
>> Thanks!
>> -Tom
>>
> 
> And it also seems that they are now no longer reachable over the AMS-IX fabric (and are no longer listed as a member).
> 
> I also noticed that they are not reachable over the Megaport/ECIX fabric in Frankfurt either (no ARP or ping-reply) but
> are listed as a member on the Megaport website, so not sure what's going on there.
> 
> The only routes I can see now for 3266/197426 are two /24 v4 and one /29 v6 that jump on over to Portugal through 1299
> (telia) -> 174 (cogent) -> 29003 (refertelecom / iptelecom).
> 
> 

And now it also seems that NANOG-contributor Doug over at Dyn has done a complete wrap-up of the thing and he has
highlighted all the important aspects of this incident in a very educative manner.

https://dyn.com/blog/shutting-down-the-bgp-hijack-factory/

Thanks for this Doug!

I will bring this post up with my NOC and L2-teams since I think these types of incidents will become as common as
regular spam in the future...

-- 
hugge



