Reading the article, I assumed that perhaps Level 3 was an upstream carrier, but RIPE stats shows that the covering prefix (103.41.120.0/22) is announced by AS63509, an Indonesian organization. It looks like they're fighting back by announcing their own /24 now.

I love the AS's address:

descr:Jl. Marcedes Bens No.258
descr:Gunung Putri, Bogor
descr:Jawa Barat 16964
country:ID

While a Level 3 /24 announcement will certainly have a worldwide impact, I agree that it seems misguided when the originating AS can announce their own /24.

It does make one wonder why Cisco or Level 3 is involved, why they feel they have the authority to hijack someone else's IP space, and why they didn't go through law enforcement. This is especially true for the second netblock (43.255.190.0/23), announced by a US company (AS26484).

--Blake

Sameer Khosla wrote on 4/9/2015 10:31 AM:
Was just reading http://blogs.cisco.com/security/talos/sshpsychos then checking my routing tables.
Looks like the two /23's they mention are now being advertised as /24's, and I'm also not sure why Cisco published the ssh attack dictionary.
It seems to me that this is something that if they want to do, they should be working with the entire service provider community, not just one provider.
Thanks
Sameer Khosla
Managing Director
Neutral Data Centers Corp.
Twitter: @skhoslaTO