AS205869, AS57166: Featured Hijacker of the Month, July, 2018

Ronald F. Guilmette rfg at
Tue Jul 24 19:01:56 UTC 2018

In message <20180724.090316.47077931.sthaug at>, 
sthaug at wrote:

>All prefixes still visible here (Oslo, Norway), through HE. Here's your
>original table augmented with the AS paths I see on our border routers:
>ASN   Route		AS path
>10510	6939 205869 32226 10510
>10737	6939 205869 7827 10737
>10800	6939 205869 11717 10800
>19529	6939 205869 11324 19529
>19529	6939 205869 7827 19529
>19529	6939 205869 7827 19529
>19529	6939 205869 11324 19529
>30237	6939 205869 11717 30237
>30237	6939 205869 11717 30237
>30237	6939 205869 11717 30237
>30237	6939 205869 11717 30237

Thanks for checking this.  I gather from the other posts in this thread
that this has already been rectified, and that the above CIDRs are no
longer reachable via HE.NET, correct?

Even if that's the case, I'm still left scratching my head.  There's a
bit of a mystery here, or at least something that I don't quite understand.
(NOTE: I've never laid claim to being anything like an "expert" when it
comes to all this routing stuff.  I just muddle along and try to do the
best I can with the limited knowledge and understanding that I have.)

So, here's what's perplexing me.  You reported that all eleven of the
routes in the table above had AS paths that directly connected
Universal IP Solution Corp. (AS205869) to Hurricane Electric (AS6939).
And yet, when I looked at the following page, both yesterday and today,
I see no reported connection between those two ASNs:

I already knew before now that each of the alleged peerings reported on
similar pages on the web site had to be taken with a grain of
salt, mostly or entirely because of the kinds of hanky panky and path
forgery being undertaken by various bad guys.  In at least some cases,
these screwy games appear to have caused to list peerings that
didn't actually exist.

But this is a rather entirely different case.  In this case, it seems
that one very notable peering that -did- in fact exist, between AS205869
and AS6939, was not reported at all on the page linked to above.

To be clear, I most definitely am *not* suggeting any sort of deliberate
obfsucation here, on anybody's part.  Rather, I just suspect that some
of the algorithms that are used to produce the peers lists on
could use some... ah... fine tuning.  It certainly seems to be  true that
in this case, one very important peering was utterly missed by the algorithms
that power


More information about the NANOG mailing list