an IP hijacking attempt

Paul Emmons paul at emmons.mx
Tue Mar 9 21:17:25 UTC 2021


RPKI can be very useful to mitigate an attempt.

I used to process IP LOAs all the time.  I never saw an RR attached, but 
usually we did a check against the RIR just to make sure (because we 
made access-lists per interface as well).

On 3/9/2021 1:42 PM, Mel Beckman wrote:
> Not everyone uses RRs, and there is also the possibility that their 
> upstream would register it. Having an RR doesn’t seem definitive 
> either way. I can see reasons to wait on the RR until ready to 
> receive traffic.
>
> -mel via cell
>
>> On Mar 9, 2021, at 11:14 AM, Brian Turnbow <b.turnbow at twt.it> wrote:
>>
>> 
>> If they had a route record that was close, I would give them the 
>> benefit of the doubt.
>> They do not, however, as the only records start with 217. And our IPs 
>> are 45.
>>
>> So it is very strange. Would you send a LOA without a route record?
>>
>> Brian Turnbow
>> ------------------------------------------------------------------------
>> *From:* Mel Beckman <mel at beckman.org>
>> *Sent:* Tuesday, 9 March 2021 19:17
>> *To:* Brian Turnbow
>> *Cc:* North American Network Operators' Group
>> *Subject:* Re: an IP hijacking attempt
>>
>> It could just be a typo on the LOA. It seems unlikely any ISP would 
>> approve a forged LOA that could readily be debunked by contacting the 
>> IP space owner. The whole point of LOA’s is to facilitate this 
>> verification.
>>
>> -mel via cell
>>
>> > On Mar 9, 2021, at 10:01 AM, Brian Turnbow via NANOG 
>> <nanog at nanog.org> wrote:
>> >
>> > Hello everyone,
>> >
>> > We received a strange request that I wanted to share.
>> > An email was sent to us asking to confirm a LOA from a diligent ISP.
>> > The LOA was a request to open BGP for an AS, that is not ours, to 
>> announce a /23 prefix that is ours.
>> > So basically this entity sent to their upstream a request to 
>> announce a prefix from one our allocated ranges.
>> > We have the allocation correctly registered and ROAs in place, but 
>> it is worrisome that someone would attempt this.
>> > Obviously we have informed the ISP that the LOA is not valid and 
>> are trying to contact the originating party.
>> > Aside from RIRs for the offending AS and our IPs, is there 
>> anywhere to report this type of activity?
>> > We have dealt with hijacking technically speaking in the past but 
>> this is the first time, to my knowledge, of someone forging a LOA 
>> with our IPs.
>> >
>> > Thanks in advance for any advice
>> >
>> > Brian
>> >
>> > P.S. a big thanks to Chris for checking the boxes before activating 
>> the filter if you are on the list!
>> >
>> >
>> >
>> >