AS205869, AS57166: Featured Hijacker of the Month, July, 2018
Ronald F. Guilmette
rfg at tristatelogic.com
Tue Jul 24 19:01:56 UTC 2018
In message <20180724.090316.47077931.sthaug at nethelp.no>,
sthaug at nethelp.no wrote:
>All prefixes still visible here (Oslo, Norway), through HE. Here's your
>original table augmented with the AS paths I see on our border routers:
>ASN Route AS path
>10510 188.8.131.52/18 6939 205869 32226 10510
>10737 184.108.40.206/20 6939 205869 7827 10737
>10800 220.127.116.11/19 6939 205869 11717 10800
>19529 18.104.22.168/20 6939 205869 11324 19529
>19529 22.214.171.124/20 6939 205869 7827 19529
>19529 126.96.36.199/20 6939 205869 7827 19529
>19529 188.8.131.52/20 6939 205869 11324 19529
>30237 184.108.40.206/20 6939 205869 11717 30237
>30237 220.127.116.11/20 6939 205869 11717 30237
>30237 18.104.22.168/20 6939 205869 11717 30237
>30237 22.214.171.124/20 6939 205869 11717 30237
Thanks for checking this. I gather from the other posts in this thread
that this has already been rectified, and that the above CIDRs are no
longer reachable via HE.NET, correct?
Even if that's the case, I'm still left scratching my head. There's a
bit of a mystery here, or at least something that I don't quite understand.
(NOTE: I've never laid claim to being anything like an "expert" when it
comes to all this routing stuff. I just muddle along and try to do the
best I can with the limited knowledge and understanding that I have.)
So, here's what's perplexing me. You reported that all eleven of the
routes in the table above had AS paths that directly connected
Universal IP Solution Corp. (AS205869) to Hurricane Electric (AS6939).
And yet, when I looked at the following page, both yesterday and today,
I see no reported connection between those two ASNs:
I already knew before now that each of the alleged peerings reported on
similar pages on the bgp.he.net web site had to be taken with a grain of
salt, mostly or entirely because of the kinds of hanky panky and path
forgery being undertaken by various bad guys. In at least some cases,
these screwy games appear to have caused bgp.he.net to list peerings that
didn't actually exist.
But this is a rather entirely different case. In this case, it seems
that one very notable peering that -did- in fact exist, between AS205869
and AS6939, was not reported at all on the bgp.he.net page linked to above.
To be clear, I most definitely am *not* suggesting any sort of deliberate
obfuscation here, on anybody's part. Rather, I just suspect that some
of the algorithms that are used to produce the peers lists on bgp.he.net
could use some... ah... fine tuning. It certainly seems to be true that
in this case, one very important peering was utterly missed by the algorithms
that power bgp.he.net.
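
The check discussed in the message above, as an added example that is not part of the original post: derive AS adjacencies from the AS paths in the quoted table and list neighbors of AS205869 that a published peers list omits. The `REPORTED_PEERS` set and all function names are constructed for illustration; an adjacency in a path is evidence from one vantage point, not proof of a peering.

```python
from collections import Counter

# AS paths copied from the quoted table in the post (one per route).
OBSERVED_PATHS = """\
6939 205869 32226 10510
6939 205869 7827 10737
6939 205869 11717 10800
6939 205869 11324 19529
6939 205869 7827 19529
6939 205869 7827 19529
6939 205869 11324 19529
6939 205869 11717 30237
6939 205869 11717 30237
6939 205869 11717 30237
6939 205869 11717 30237
"""

# Constructed stand-in for a published peers list for AS205869 that omits
# AS6939; the real listing is not reproduced in the post.
REPORTED_PEERS = {7827, 11324, 11717, 32226}

def parse_path(line):
    """Parse a space-separated AS path, collapsing AS-path prepending."""
    path = []
    for tok in line.split():
        asn = int(tok)
        if not path or path[-1] != asn:
            path.append(asn)
    return path

def adjacencies(paths_text):
    """Count the observed paths in which each undirected AS pair is adjacent."""
    edges = Counter()
    for line in paths_text.splitlines():
        path = parse_path(line)
        edges.update({frozenset(p) for p in zip(path, path[1:])})
    return edges

def unreported_neighbors(asn, paths_text, reported):
    """Neighbors of `asn` seen in AS paths but missing from `reported`."""
    found = {}
    for pair, count in adjacencies(paths_text).items():
        if asn in pair and not (pair - {asn}) <= reported:
            (other,) = pair - {asn}
            found[other] = count
    return found

if __name__ == "__main__":
    print(unreported_neighbors(205869, OBSERVED_PATHS, REPORTED_PEERS))
```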