As of this morning, I am seeing BGP from AS 54271

*> 62.77.196.0/22 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 62.77.254.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 81.17.184.0/22 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 81.17.190.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 82.131.196.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 82.131.198.0/24 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 82.131.248.0/21 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.64.0/22 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.70.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.72.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.78.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.82.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.96.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.99.0/24 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i

This ASN has not been assigned to any RIR. Is this a bogon, or does anyone know of a legitimate reason for this?

Regards
Marshall
On Jul 13, 2008, at 1:01 PM, Marshall Eubanks wrote:

> As of this morning, I am seeing BGP from AS 54271

Maybe someone mistyped "65271"? Which is still bad, but not as bad (IMHO).

--
TTFN,
patrick
Patrick W. Gilmore wrote:

> On Jul 13, 2008, at 1:01 PM, Marshall Eubanks wrote:
> > As of this morning, I am seeing BGP from AS 54271
>
> Maybe someone mistyped "65271"? Which is still bad, but not as bad (IMHO).

Interestingly, AS54271 is the last # of an unassigned block:

46080-47103 Assigned by ARIN whois.arin.net 2008-03-27
47104-48127 Assigned by RIPE NCC whois.ripe.net 2008-04-07
48128-54271 Unassigned
54272-64511 Reserved by the IANA
64512-65534 Designated for private use (Allocated to the IANA)
65535 Reserved
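An added example, not part of any post in this thread: the registry excerpt quoted above turned into an origin-AS check over table rows in the format of the original post. The column layout (metric and weight before the AS path), the two rows on documentation prefixes, and all function names are assumptions of this example.

```python
import re

# AS number registry rows exactly as quoted in the thread (state of July 2008).
# ASNs below 46080 are not covered by the excerpt, so classify() returns None.
REGISTRY_2008 = [
    (46080, 47103, "assigned (ARIN)"),
    (47104, 48127, "assigned (RIPE NCC)"),
    (48128, 54271, "unassigned"),
    (54272, 64511, "reserved (IANA)"),
    (64512, 65534, "private use"),
    (65535, 65535, "reserved"),
]

# Assumed row layout: "*> prefix next-hop metric weight AS-path origin-code".
ROW = re.compile(
    r"^\*>\s+(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+((?:\d+\s+)+)([ie?])\s*$")

# Rows 1-2 are from the original post; rows 3-4 are constructed for this example
# (documentation prefixes, origin 65501 as mentioned later in the thread).
SAMPLE = """\
*> 62.77.196.0/22 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.99.0/24 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 192.0.2.0/24 203.0.113.1 0 0 174 12301 8696 20922 65501 i
*> 198.51.100.0/24 203.0.113.1 0 0 174 12301 8696 20922 i
""".splitlines()

def classify(asn):
    """Return the registry state for asn, or None if the excerpt does not cover it."""
    for lo, hi, state in REGISTRY_2008:
        if lo <= asn <= hi:
            return state
    return None

def audit(lines):
    """Return (prefix, origin, state, upstream) for routes with a bogon origin AS."""
    findings = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue  # header, continuation or non-best line
        prefix, path = m.group(1), [int(a) for a in m.group(5).split()]
        origin = path[-1]
        state = classify(origin)
        if state is not None and not state.startswith("assigned"):
            # First distinct AS left of the origin, skipping origin prepends.
            upstream = next((a for a in reversed(path) if a != origin), None)
            findings.append((prefix, origin, state, upstream))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The upstream column is the AS to contact first, since it is the one accepting the announcement from the unregistered origin.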
Marshall Eubanks wrote:

> As of this morning, I am seeing BGP from AS 54271
> *> 62.77.196.0/22 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i

I would be willing to bet that the IP netblocks being advertised are unallocated (or, unused within an allocated block). In the past, before botnets were so common, spammers would often hijack unused netblocks, advertise routes to them, flood spam from them, then the routes would disappear, making it impossible to track the spammers.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
those prefixes all have ripe route object with origin AS 20922

all the routes I see for a given prefix look like the following:

  2914 1299 12301 8696 20922 54271
    129.250.0.171 from 129.250.0.171 (129.250.0.12)
      Origin IGP, metric 1, localpref 100, valid, external
      Community: 2914:420 2914:2000 2914:3000 65504:1299
  2497 3257 12301 8696 20922 54271
    202.232.0.2 from 202.232.0.2 (202.232.0.2)
      Origin IGP, localpref 100, valid, external
  7660 2516 3257 12301 8696 20922 54271
    203.181.248.168 from 203.181.248.168 (203.181.248.168)
      Origin IGP, localpref 100, valid, external
      Community: 2516:1030

etc...

Marshall Eubanks wrote:
As of this morning, I am seeing BGP from AS 54271
This ip space is from Bahrain 89.148.0.0/19 but somehow has ended up in Hungary from an unknown owner. Definitely looks suspicious in my book.

Manolo

Joel Jaeggli wrote:
those prefixes all have ripe route object with origin AS 20922
Wouldn't it be better to ask the folks in Hungary (AS20922) who are peering with this site?

One side, I'd buy the typo. Both sides, mutual typos are a little more difficult.

Not that conspiracy theories are all that much fun, but I'm finding the one-sided mistake hard to believe. Either that or the folks at AS20922 haven't figured out that an open bgp peer isn't a great idea! :)

Scott
Scott Morris wrote:

> Wouldn't it be better to ask the folks in Hungary (AS20922) who are peering with this site?

These are or appear to be all 20922's prefixes... 54271 is a stub from my vantage points that only appears from behind 20992.

> One side, I'd buy the typo. Both sides, mutual typos are a little more difficult.

looks more like a lack of clue. off-hand I'd hazard that only one party is involved.

> Not that conspiracy theories are all that much fun, but I'm finding the one-sided mistake hard to believe. Either that or the folks at AS20922 haven't figured out that an open bgp peer isn't a great idea! :)
>
> Scott
interestingly, before july 7th these prefixes were originating from another private as - 65501, until sometime that day routes were withdrawn from 65501 and began being announced from 54271...

On Sun, Jul 13, 2008 at 4:10 PM, Joel Jaeggli <joelja@bogus.com> wrote:

> Scott Morris wrote:
> > Wouldn't it be better to ask the folks in Hungary (AS20922) who are peering with this site?
>
> These are or appear to be all 20922's prefixes...
> 54271 is a stub from my vantage points that only appears from behind 20992.
-- ^christian$
participants (8)
- Christian Koch
- Fredy Kuenzler
- Joel Jaeggli
- Jon Kibler
- manolo
- Marshall Eubanks
- Patrick W. Gilmore
- Scott Morris