AS202746 Hijacks: Is Telia (a) stupid, or (b) lazy, or (c) complicit?
The annotations in the RIPE WHOIS record for AS202746 seem pretty clear to me. This thing is B-O-G-U-S! Even RIPE, which is always reticent to say any bad things about any of its crooked customers... even after they have kicked them out of RIPE altogether, e.g. for being just toooooo obviously and blatantly crooked... was able to determine that this particular AS is rubbish, and said so, right in the WHOIS record: remarks: this object has been locked by the RIPE NCC pending deregistration So, you know, what's up with Telia (AS1299) which is the one and only peer of this stupid thing (AS202746)? I only ask because AS202746 is currently blatantly and obviously hijacking the following four separate Brazillian /22 blocks: 200.220.160.0/22 200.220.164.0/22 200.220.168.0/22 200.220.172.0/22 Unlike a lot of other cases I've seen of late, Telia can't even fall back on the lame excuse that "Oh! Gosh! We are only passing those routes through for our customer because they have corresponding route objects properly registered in the RIPE IRR telling us that it's A-OK for them to route this stuff." Whoever the actual hijacker is in this case, he/she/it didn't even bother to create bogus route objects in the RIPE data base, even though it is trivially easy for any criminal who can fog a mirror to do that. So, as the Subject line above says, I'd like to hear opinions on the following pertinent question: Is Telia (a) stupid, or (b) lazy, or (c) complicit? Vote early! Vote often! (I wouldn't even mind about these blatant hijackings if it were not for the fact that all of those hijacked /22 blocks have, quite predictably, been filed to the brim with outbound mail servers belonging to some snowshoe spammer... which is par for the course these days when it comes to IPv4 space hijackings.) Regards, rfg P.S. Over on some of the RIPE mailing lists, they've recently been discussing whether or not to continue allowing Joe Random Criminal to create totally unauthorized and totally unchecked/unverified (and typically bogus) route objects in the RIPE data base for so-called "out of region" IP address block resources. Of course, if anybody had any brains or any backbone over on that side of the pond, they would have done this already ten years ago. But such is the pace of change in the Old World, where even the most obvious things can't be implemented until everybody and his brother agrees, including even the stupid kid. My point, of course, is that even when and if those crazy europeans get around to doing the obviously rational thing... like locking the door to the bank before you leave at night... even that won't and wouldn't have made one wit of difference to this case of Telia's passing of the bogus/hijacked routes being announced by AS202746, which is ongoing, as we speak. There's no authority anywhere that I am aware of that is telling the Telia folks that it is OK for either them or their customer to pass out those routes. They are just doing it, because, quite obviously, they are being -paid- to do it, and screw everybody else. We can all just shut up and eat our spam, I guess.
On Wed, Aug 2, 2017 at 3:36 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
P.S. Over on some of the RIPE mailing lists, they've recently been discussing whether or not to continue allowing Joe Random Criminal to create totally unauthorized and totally unchecked/unverified (and typically bogus) route objects in the RIPE data base for so-called "out of region" IP address block resources. Of course, if anybody had any brains or any backbone over on that side of the pond, they would have done this already ten years ago. But such is the pace of change in the Old World, where even the most obvious things can't be implemented until everybody and his brother agrees, including even the stupid kid.
There are/were providers which required RIPE-IRR registration to accept routes, I don't know that this is still the case, but it might account for unwillingness to remove 'out of region' content. As well, there are folk with space from more than just one RIR, who may have chosen (for a myriad of resaons) to centralize their IRR content on a single IRR. Sometimes your message is lost in the emotive editorializing :(
* Ronald F. Guilmette <rfg@tristatelogic.com> [2017-08-02 09:37]:
The annotations in the RIPE WHOIS record for AS202746 seem pretty clear to me. This thing is B-O-G-U-S!
You know, people might be more willing to listen to you when you express your points in a less emotional and aggressive tone. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
On Wed, Aug 02, 2017 at 05:51:43PM +0200, Sebastian Wiesinger wrote:
You know, people might be more willing to listen to you when you express your points in a less emotional and aggressive tone.
You know, lots of us tried that for the first ten or twenty years. But snark aside, I care a lot more about the actionable intelligence being provided than the manner of its presentation. Ron has been doing valuable, useful research for years and has been kind enough to share the results with us. For free. I'm grateful for that. ---rsk
It seems that his emails are accomplishing something! http://bgp.he.net/AS202746 On Wed, Aug 2, 2017 at 11:51 AM, Sebastian Wiesinger <sebastian@karotte.org> wrote:
* Ronald F. Guilmette <rfg@tristatelogic.com> [2017-08-02 09:37]:
The annotations in the RIPE WHOIS record for AS202746 seem pretty clear
to me.
This thing is B-O-G-U-S!
You know, people might be more willing to listen to you when you express your points in a less emotional and aggressive tone.
Regards
Sebastian
-- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
On Sun, Aug 13, 2017 at 8:53 AM Dovid Bender <dovid@telecurve.com> wrote:
It seems that his emails are accomplishing something!
Name and shame does work sometimes The tier 1s like Telia need to be the “grownups” and not let hijacks invade the DFZ CB
On Wed, Aug 2, 2017 at 11:51 AM, Sebastian Wiesinger < sebastian@karotte.org> wrote:
* Ronald F. Guilmette <rfg@tristatelogic.com> [2017-08-02 09:37]:
The annotations in the RIPE WHOIS record for AS202746 seem pretty clear
to me.
This thing is B-O-G-U-S!
You know, people might be more willing to listen to you when you express your points in a less emotional and aggressive tone.
Regards
Sebastian
-- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
On 2017-08-13 10:05, Ca By wrote:
On Sun, Aug 13, 2017 at 8:53 AM Dovid Bender <dovid@telecurve.com> wrote:
It seems that his emails are accomplishing something!
Name and shame does work sometimes
IMO, this works better than most name-and-shame efforts because the behavior being called out is fairly universally indefensible. I think we can all agree to hate prefix hijackers (when we all pay for our IP assets) and spammers (because they cause most of us varying levels of grief), whereas "I personally don't like $x" (e.g., slow IPv6/BCP adoption) is often met with "I don't care about this, so fooey on your initiative." There may be a pointed statement in there -- thanks. ;-) Jima
participants (7)
-
Ca By
-
Christopher Morrow
-
Dovid Bender
-
Jima
-
Rich Kulawiec
-
Ronald F. Guilmette
-
Sebastian Wiesinger