IP Route Hijacking Bad Actor: AS57129/RU-SERVERSGET-KRSK, RU/Optibit LLC

Owen DeLong owen at delong.com
Tue Aug 27 01:27:12 UTC 2019


Have no history/background that I can share.

In terms of actions, this seems obvious, but…

Look at the AS Paths fo the hijacked prefixes announced from 57129 and start with the
second to last AS and work backwards asking that at least those prefixes from 57129 be
rejected/filtered.

Most legitimate providers faced with appropriate documentation of prefix registration in the
relevant RIR will do the following:
	1.	Contact their customer/peer and ask them to stop announcing.
	2.	Install the necessary filters.
	3.	If 1 is not successful in a reasonable amount of time, potentially escalate to
		disconnection/depeering.

Owen


> On Aug 25, 2019, at 12:23 , Paul Ferguson <fergdawgster at mykolab.com> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Howdy,
> 
> I'm soliciting any background information, anecdotes, shared
> experiences, previous evidence, etc. of bad behavior and/or IP route
> hijacking for this 'hijack factory', as I've heard it called privately.
> 
> They are actively -- and illegitimately -- announcing prefixes which
> are (legitimately) allocated to other organizations, a couple of them
> are very large & well-known U.S. healthcare providers.
> 
> I'd also be interesting in hearing suggestion on the course of action
> one of these organizations might take to make this stop....
> 
> Thanks in advance,
> 
> - - ferg
> 
> 
> - -- 
> Paul Ferguson
> Seattle, WA  USA
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> 
> iF4EAREIAAYFAl1i4CEACgkQKJasdVTchbJVHAEA0s7Ej73VPQth2Rho4xwTnv8e
> qQFJ6SB+qulM1HFHoUgA/RXAL1BFJC3wq9GsXYJ4sqLSrje/gPm1JzVMeEJMTGlQ
> =r3mY
> -----END PGP SIGNATURE-----




More information about the NANOG mailing list