Hi All,

I have been pulling more information, and right now I've identified active BGP hijacking/conflicts visible on route-views.ny.routeviews.org involving AS30058 (FDCservers.net) with RPKI invalid announcements.

1. Confirmed Hijack - 45.138.210[.]0/24
   * Legitimate Origin: AS2914 (NTT) - RPKI Valid
   * Invalid Origin: AS30058 (FDCservers) - RPKI Invalid
   * Both announcements actively visible in global routing table

2. Route Conflict - 103.155.8[.]0/23
   * AS3491 (PCCW Global) - RPKI Valid
   * AS4637 (Telstra/Reach) - RPKI Valid
   * Dual origination requiring investigation

Verification:

    telnet route-views.ny.routeviews.org
    show rpki as-number 30058
    show rpki as-number 2914
    show rpki as-number 3491
    show rpki as-number 4637

Pulled at: 2025-11-02T18:41:44Z

Additional Concerns:

Multiple prefixes showing AS30058 with RPKI invalid status, suggesting a systemic issue:
* 216.227.132[.]0/24
* 50.7.104[.]0/22
* 23.237.254[.]0/23

I think there are potentially more conflicts visible from this router, but this is a place to start.

________________________________
From: Terry Keeling <tkeeling@infranetworks.com>
Sent: Thursday, October 30, 2025 8:00 AM
To: North American Network Operators Group <nanog@lists.nanog.org>
Cc: Tim Burke <tim@mid.net>
Subject: BGP Route Leak Observed on October 29, 2025 — Multi-AS Propagation Involving Tier 1s

Quick correction: In my earlier message, I mistakenly linked to the wrong BGP event. I meant to draw attention to a different incident, which was part of a broader pattern of route leaks and propagation anomalies observed globally throughout October 29.

With that clarified, I wanted to raise awareness of a substantial BGP route leak that occurred on October 29, 2025, with indications of broad propagation and potential global impact.

The event appears to have originated from AS23470 (ReliableSite) and propagated through several Tier 1 providers, including AS174 (Cogent), AS6453 (Tata), AS2914 (NTT), AS3257 (GTT), and AS3356 (Lumen).
Based on timeline analysis and route anomaly logs, the incident persisted for over 10 hours, affecting routing paths across North America, Latin America, Europe, and Asia.

I've compiled a timeline of 100+ BGP events, including:
* Timestamps (UTC)
* Originating and propagating ASNs
* Regional context
* BGP message volume
* Notes on Tier 1 and critical infrastructure involvement

Some notable paths observed:
* AS23470 → AS30058 → AS2914 / AS3257 (ReliableSite → NTT / GTT)
* AS174 → AS38040 → AS4637 (Cogent → Asia → HK)
* AS6939 → AS9318 (KR) → AS6461 (HE.net → Korea → Zayo)
* Various Brazilian and Indonesian ASNs leaking routes back into Tier 1s like Cogent, Lumen, and Tata

These anomalies were observed from multiple vantage points, suggesting wide propagation. However, the extent to which these reached end-user routing tables or caused visible service impact remains unclear.

If anyone observed reachability issues, path changes, or control plane anomalies related to this event, I'd appreciate any insights or correlation.

The full event timeline, compiled using Cloudflare Radar's BGP route leak data, can be viewed here: BGP_10_29_25.xlsx <https://isdsi-my.sharepoint.com/:x:/g/personal/tkeeling_infranetworks_com/EW8OYwt0PR1IgiC2kOW7MlYBmMKdJdOsQ-tZU-AOuwzt7Q?e=F6U0kE>

Respectfully,

________________________________
From: Tim Burke via NANOG <nanog@lists.nanog.org>
Sent: Wednesday, October 29, 2025 10:16 PM
To: North American Network Operators Group <nanog@lists.nanog.org>
Cc: Terry Keeling <tkeeling@infranetworks.com>; Tim Burke <tim@mid.net>
Subject: Re: US Impact - October 29 2025

Looks like a small time WISP that may be trying to implement BGP. 3 /24’s and a /22 — not really much of an “event”… nor would it have any impact leading to the Azure situation today.

On Oct 29, 2025, at 3:05 PM, Terry Keeling via NANOG <nanog@lists.nanog.org> wrote:

Has anyone noticed this BGP event?

BGP Origin Hijack event: 121786 | Cloudflare Radar <https://radar.cloudflare.com/routing/anomalies/hijack-121786>

BGP Origin Hijack: 121786
Details of the BGP hijack event

Hijacker ASN: AS400320 - Valley Center Wireless (US)
Victim ASNs: AS2386 - AT&T Data Communications Services (US)
Prefixes: 12.13.233[.]0/24, 12.144.222[.]0/24, 12.221.212[.]0/22, 12.229.22[.]0/24
Messages: 192
Earliest message time: 10/29/2025, 15:46
Latest message time: 10/29/2025, 19:08
Peers observed: 17%
Confidence: Low
Tags:
* IRR Invalid
* RPKI Unknown
* RPKI Old Origin Unknown
* IRR Old Origin Invalid

________________________________
From: John Stuppi (jstuppi) via NANOG <nanog@lists.nanog.org>
Sent: Wednesday, October 29, 2025 1:39 PM
To: North American Network Operators Group <nanog@lists.nanog.org>
Cc: John Stuppi (jstuppi) <jstuppi@cisco.com>
Subject: Re: US Impact - October 29 2025

I believe it’s related to the Azure outage:
https://www.bleepingcomputer.com/news/microsoft/microsoft-dns-outage-impacts-azure-and-microsoft-365-services/

Microsoft is investigating an ongoing DNS outage affecting customers worldwide, preventing them from accessing Microsoft Azure and Microsoft 365 services. According to reports on DownDetector and social networks, this incident began impacting Microsoft's services almost 1 hour ago and is currently causing server and website connection issues for tens of thousands of users. Some of those affected are having issues accessing the Intune and Azure portals, as well as the Exchange admin center, while others report that Microsoft's Azure Front Door Content Delivery Network (CDN) service is also down.

Thanks,
John

"Life is good when you are happy; but much better when others are happy because of you." ~ Pope Francis

John Stuppi
Engineering Program Manager – Incident Response
CISSP #25525
CCIE, Security #11154
Security & Trust Organization
Cisco Systems, Inc.
jstuppi@cisco.com

From: Victor Kuarsingh via NANOG <nanog@lists.nanog.org>
Date: Wednesday, October 29, 2025 at 13:38
To: nanog@lists.nanog.org <nanog@lists.nanog.org>
Cc: Victor Kuarsingh <victor@jvknet.com>
Subject: US Impact - October 29 2025

All,

Anyone know what caused the large impact in the US at around noon ET today?

regards,

Vector K

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/SS3LCXZU4D43YYJOX5CUDIQNCA7HKW6B/

Terry Keeling CISSP, CySA+, OSCP
IT Security & Infrastructure
InfraNet Solutions Inc.
tkeeling@infranetworks.com
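
Added example, not part of the thread or of any poster's tooling: the "RPKI Valid", "RPKI Invalid" and "RPKI Unknown" labels quoted in the messages above are the outcomes of route origin validation as defined in RFC 6811, and the Python below applies that rule per prefix, including the case where two origins are both valid. The ROA entries are constructed from documentation prefixes and documentation ASNs; the names `VRP`, `validate` and `triage` are assumptions made for this example.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: covering prefix, maxLength, authorised origin AS."""
    prefix: object
    max_length: int
    asn: int

def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

# Constructed ROA data: documentation prefixes (RFC 5737) and
# documentation ASNs (RFC 5398), not taken from any real repository.
VRPS = [
    vrp("192.0.2.0/24", 24, 64496),
    vrp("198.51.100.0/24", 24, 64497),
    vrp("203.0.113.0/24", 24, 64498),   # two ROAs for one prefix:
    vrp("203.0.113.0/24", 24, 64499),   # both origins are authorised
]

def validate(route_prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        if route.version != v.prefix.version or not route.subnet_of(v.prefix):
            continue                      # this VRP does not cover the route
        covered = True
        # A match needs the same origin AS (AS0 never matches) and a
        # route no more specific than the ROA's maxLength.
        if v.asn == origin_asn and v.asn != 0 and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def triage(prefix, origins, vrps=VRPS):
    """Validate every origin seen for one prefix and summarise the conflict."""
    states = {asn: validate(prefix, asn, vrps) for asn in sorted(origins)}
    kinds = set(states.values())
    if "invalid" in kinds:
        verdict = "origin not authorised by a covering ROA"
    elif kinds == {"valid"}:
        verdict = "all origins authorised"
    else:
        verdict = "no covering ROA"
    return states, verdict

if __name__ == "__main__":
    print(triage("192.0.2.0/24", {64496, 64511}))
    print(triage("203.0.113.0/24", {64498, 64499}))
    print(validate("198.51.100.128/25", 64497))
```

A more-specific announcement from the authorised AS still validates as invalid when it exceeds the ROA's maxLength, so an invalid state alone does not distinguish a hijack from a misconfigured ROA or announcement.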