RPKI can be very useful to mitigate an attempt.
I used to process IP LOAs all the time. I never saw an RR
attached but usually we did a check against the RIR just to make
sure (because we made access-list per interface as well).
Not everyone uses RRs, and there is also the possibility that their upstream would register it. Having an RR doesn’t seem definitive either way. I can see reasons to wait on the RR until ready to receive traffic.
-mel via cell
On Mar 9, 2021, at 11:14 AM, Brian Turnbow <b.turnbow@twt.it> wrote:
If they had a route record that was close, I would give them the benefit of the doubt. They do not, however, as the only records start with 217. And our IPs are 45.
So it is very strange. Would you send a LOA without a route record?
Brian Turnbow
From: Mel Beckman <mel@beckman.org>
Sent: Tuesday, March 9, 2021 19:17
To: Brian Turnbow
Cc: North American Network Operators' Group
Subject: Re: an IP hijacking attempt
It could just be a typo on the LOA. It seems unlikely any ISP would approve a forged LOA that could readily be debunked by contacting the IP space owner. The whole point of LOAs is to facilitate this verification.
-mel via cell
> On Mar 9, 2021, at 10:01 AM, Brian Turnbow via NANOG <nanog@nanog.org> wrote:
>
> Hello everyone,
>
> We received a strange request that I wanted to share.
> An email was sent to us asking to confirm a LOA from a diligent ISP.
> The LOA was a request to open BGP for an AS, that is not ours, to announce a /23 prefix that is ours.
> So basically this entity sent to their upstream a request to announce a prefix from one of our allocated ranges.
> We have the allocation correctly registered and ROAs in place, but it is worrisome that someone would attempt this.
> Obviously we have informed the ISP that the LOA is not valid and are trying to contact the originating party.
> Aside from RIRs for the offending AS and our IPs, is there anywhere to report this type of activity?
> We have dealt with hijacking technically speaking in the past but this is the first time, to my knowledge, of someone forging a LOA with our IPs.
>
> Thanks in advance for any advice
>
> Brian
>
> P.S. a big thanks to Chris for checking the boxes before activating the filter if you are on the list!
>
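
The check discussed in this thread, comparing the prefix and origin AS named in a LOA against the holder's ROAs, can be done with RFC 6811 route origin validation before any filter is opened. The following is an added example, not part of any message in the thread; the prefix, AS numbers and ROA set are constructed, and a real check would load validated ROA payloads from an RPKI validator.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # ROA prefix
    max_length: int  # longest announcement the ROA authorises
    asn: int         # authorised origin AS (0 = "never originate")

# Constructed sample data: private address space and documentation ASNs.
SAMPLE_ROAS = [ROA("10.45.0.0/22", 23, 64496)]

def validate_origin(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 state for (prefix, origin): valid, invalid or not-found."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the requested prefix
        covered = True
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but no ROA matches: wrong origin AS or too specific.
    return "invalid" if covered else "not-found"

def review_loa(prefix: str, origin_asn: int, roas) -> str:
    """Map the validation state to a provisioning decision for a LOA."""
    state = validate_origin(prefix, origin_asn, roas)
    if state == "invalid":
        return "reject: holder's ROAs do not authorise AS%d for %s" % (origin_asn, prefix)
    if state == "not-found":
        return "hold: no ROA covers %s, confirm with the RIR-registered holder" % prefix
    return "consistent: ROA authorises AS%d for %s" % (origin_asn, prefix)

if __name__ == "__main__":
    for pfx, asn in [("10.45.2.0/23", 64511), ("10.45.2.0/23", 64496),
                     ("10.45.2.0/24", 64496), ("10.99.0.0/23", 64511)]:
        print(pfx, asn, "->", review_loa(pfx, asn, SAMPLE_ROAS))
```

A "not-found" result is the case the thread debates for route records: absence of a ROA proves nothing either way, so the LOA still needs confirmation with the registered holder.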