Hi all.

Anyone know how we can contact AS16735 and their upstream AS27664. We think they are hijacking a number of our prefixes (AS24218- and AS17992-originated). Thanks BGPmon:

e.g.,

====================
Possible Prefix Hijack (Code: 11)
1 number of peer(s) detected this updates for your prefix 61.11.208.0/20:
Update details: 2008-11-11 02:24 (UTC)
61.11.208.0/20
Announced by: AS16735 (Companhia de Telecomunicacoes do Brasil Central)
Transit AS: 27664 (CTBC Multimídia)
ASpath: 27664 16735
=====================

RIPE's RIS BGPlay confirms the same, for about the last hour.

E-mails to them won't get there (of course), so our NOC are contacting them via Gmail/Yahoo.

All help appreciated.

Cheers,

Mark.

On Tue, 11 Nov 2008, Mark Tinka wrote:
> Anyone know how we can contact AS16735 and their upstream
> AS27664. We think they are hijacking a number of our
> prefixes (AS24218- and AS17992-originated).

Have you tried CERT-BR? Uh... I was about to say "they're usually very responsive, and good at coordinating this sort of thing." And then their web site failed to load, because the prefix it's in is flapping. Hm.

Fred, you still awake?

-Bill

Odd, we were just hijacked too, one match to the same AS:

  Prefix: 64.193.164.0/24
  AS Path: 27664 16735
  Seen by Route Collector: 15
  Peer IP: 200.219.130.21
  Peer AS Number: 27664
  Timestamp (GMT): 1:56, Nov 11 2008

And a match from other AS's

  Prefix: 192.136.64.0/24
  AS Path: 22548 16735
  Seen by Route Collector: 15
  Peer IP: 200.160.0.130
  Peer AS Number: 22548
  Timestamp (GMT): 1:59, Nov 11 2008

  Prefix: 64.193.164.0/24
  AS Path: 22548 16735
  Seen by Route Collector: 15
  Peer IP: 200.160.0.130
  Peer AS Number: 22548
  Timestamp (GMT): 1:56, Nov 11 2008

Tuc

Hi Bill,

On Mon, Nov 10, 2008 at 07:00:47PM -0800, Bill Woodcock wrote:
> On Tue, 11 Nov 2008, Mark Tinka wrote:
> > Anyone know how we can contact AS16735 and their upstream
> > AS27664. We think they are hijacking a number of our
> > prefixes (AS24218- and AS17992-originated).
>
> Have you tried CERT-BR? Uh... I was about to say "they're usually very responsive, and good at coordinating this sort of thing." And then their web site failed to load, because the prefix it's in is flapping. Hm.
>
> Fred, you still awake?

Not at the time of the event :-(

AFAIK the event was local to CTBC (AS16735) and their customers. This is our case and as we host RRC15 at PTTMetro São Paulo, and feed it with a full routing BGP feed it triggered the reports from bgpmon [1]. CTBC is still pending to explain the event,

> -Bill

Fred

[1] http://bgpmon.net/blog/?p=80

Hello,

As several people have already observed here, AS 16735 announced almost the whole Internet last night to two of its peers (AS 27664, 174213 routes and AS 22548, 111231 routes).

These routes were not propagated to the global Internet--and as Frederico A C Neves has confirmed, it was a localized event. For more detail on what happened, see Frederico's post [0] and the BGPMon site's summary [1]. We also have a slightly more detailed analysis here [2].

-Martin

[0] http://www.merit.edu/mail.archives/nanog/msg12813.html
[1] http://bgpmon.net/blog/?p=80
[2] http://www.renesys.com/blog/2008/11/brazil-leak-if-a-tree-falls-in.shtml

--
Martin A. Brown --- Renesys Corporation --- mabrown@renesys.com

Dear Fellows,

I would like to add some information to this thread from AS27664 perspective.

Both AS27664 (CTBC Multimídia) and AS22548 (Nic.br) share two common points:

1. They are IP transit customers from AS16735 (CTBC Telecom).
2. They feed with full BGP routing table the RIS/RIPE project located at PTTMetro-SP, Brazil (rrc15).

I checked all BGP updates of 2008111[01] from Route Views Archive Project [1] and looked for prefixes originated by AS16735. I compared those with the prefixes officially allocated by Registro.br to AS16735 [2] and did not find any case of prefixes from different AS.

This analysis confirms that yesterday AS16735 issue of IP prefixes Hijacking was not globally propagated.

It seems that only some AS16735's Internet customers (like AS27664 and AS22548) were affected by this problem.

Regards,

--
Eduardo Ascenço Reis

[1] http://archive.routeviews.org/
[2] https://registro.br/cgi-bin/whois/

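The comparison described in the message above (observed origin AS per prefix against the registered holder, then looking at which peers reported the mismatch) can be scripted. This is an added example, not part of the original thread or any participant's tooling; the pipe-separated input layout, the last sample line and the mapping of 61.11.208.0/20 to AS24218/AS17992 are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed expected origins: AS47998 is stated in the thread ("47998 is me");
# tying 61.11.208.0/20 to AS24218/AS17992 is an assumption for this example.
EXPECTED = {
    "94.228.64.0/20": {47998},
    "61.11.208.0/20": {24218, 17992},
}

# Constructed observations, "time|peer_as|prefix|as_path". Paths and peers are
# taken from the thread; the layout and the last (more-specific) line are made up.
SAMPLE = """\
2008-11-11 02:54|27664|94.228.64.0/20|27664 16735
2008-11-10 18:40|19089|94.228.64.0/20|19089 12956 5511 8928 47998
2008-11-11 02:51|22548|94.228.64.0/20|22548 16735
2008-11-11 02:24|27664|61.11.208.0/20|27664 16735
2008-11-11 02:30|27664|61.11.210.0/24|27664 16735 16735
"""

def parse(line):
    """Split one observation into (peer ASN, network, AS path as ints)."""
    _, peer_as, prefix, path = line.split("|")
    return int(peer_as), ipaddress.ip_network(prefix), [int(a) for a in path.split()]

def expected_origins(prefix, expected=EXPECTED):
    """Origins allowed for prefix: those of every registered block covering it."""
    allowed = set()
    for block, origins in expected.items():
        net = ipaddress.ip_network(block)
        if prefix.version == net.version and prefix.subnet_of(net):
            allowed |= origins
    return allowed

def find_mismatches(text, expected=EXPECTED):
    """Map (prefix, unexpected origin) -> set of peer ASNs that reported it."""
    hits = defaultdict(set)
    for line in filter(str.strip, text.splitlines()):
        peer_as, prefix, path = parse(line)
        allowed = expected_origins(prefix, expected)
        origin = path[-1]  # rightmost ASN originates the route, prepends included
        if allowed and origin not in allowed:
            hits[(str(prefix), origin)].add(peer_as)
    return dict(hits)

if __name__ == "__main__":
    for (prefix, origin), peers in sorted(find_mismatches(SAMPLE).items()):
        print(f"{prefix}: unexpected origin AS{origin}, reported by peers {sorted(peers)}")
```

The set of reporting peers is what separates a leak confined to one provider's customers from a globally propagated announcement: here every mismatch is reported only by AS27664 and AS22548.
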
Mark Tinka wrote:
> Hi all.
>
> Anyone know how we can contact AS16735 and their upstream AS27664. We think they are hijacking a number of our prefixes (AS24218- and AS17992-originated). Thanks BGPmon:

All 19 of my prefixes for AS57, AS217 and AS1998 are being hijacked by the same ASN. I sent a note to the ASN contact adrianamr@CTBCTELECOM.NET.BR. I can't seem to contact lacnic for more than a few queries without being blacked out.

Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP

% Joint Whois - whois.lacnic.net
%  This server accepts single ASN, IPv4 or IPv6 queries

% LACNIC resource: whois.lacnic.net

% Copyright LACNIC lacnic.net
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to AS and IP numbers registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2008-11-11 00:51:09 (BRST -02:00)

aut-num:     AS16735
owner:       Companhia de Telecomunicacoes do Brasil Central
ownerid:     BR-CTBC1-LACNIC
responsible: Adriana Maria Rocha Paula
address:     Av João Pinheiro, 620, Centro
address:     38400-126 - Uberlândia - MG
country:     BR
phone:       +34 3256 2575 [2575]
owner-c:     AMP
routing-c:   AMP
abuse-c:     AMP
created:     20000605
changed:     20040415

nic-hdl:     AMP
person:      Adriana Maria Rocha Paula
e-mail:      adrianamr@CTBCTELECOM.NET.BR
address:     Rua José Alves Garcia, 415,
address:     38400710 - Uberlândia -
country:     BR
phone:       +34 3256 2575 [2575]
created:     20040628
changed:     20040628

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

More contact people here:
http://www.bovespa.com.br/Companies/FormConsultaImpressao.asp?CodCVM=21032

If I knew someone (readily available) who spoke Portuguese I would call them, but alas, they are sleeping and not technical.

Frank

I've just contacted (after three looong hours waiting...) and forwarded those e-mails to them.

Hope that helps ...

Can someone confirm that the issue is still happening? Maybe a show bgp something would help me talk to them.

On Tue, Nov 11, 2008 at 4:12 AM, Frank Bulk <frnkblk@iname.com> wrote:
> More contact people here:
> http://www.bovespa.com.br/Companies/FormConsultaImpressao.asp?CodCVM=21032
>
> If I knew someone (readily available) who spoke Portuguese I would call them, but alas, they are sleeping and not technical.
>
> Frank

On Tue, Nov 11, 2008 at 10:54:01AM +0800, Mark Tinka wrote:
> Hi all.
>
> Anyone know how we can contact AS16735 and their upstream AS27664. We think they are hijacking a number of our prefixes (AS24218- and AS17992-originated). Thanks BGPmon:

Mine too -

94.228.64.0/20
89.200.216.0/21
193.34.28.0/23

Except I see it as AS16735: (47998 is me)

BGP routing table entry for 94.228.64.0/20
Paths: (3 available, best #3, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  193.0.0.71
  27664 16735
    200.219.130.21 from 200.219.130.21 (200.160.127.255)
      Origin IGP, localpref 100, valid, external
      Last update: Tue Nov 11 02:54:12 2008

  19089 12956 5511 8928 47998
    200.219.130.10 from 200.219.130.10 (200.225.95.3)
      Origin IGP, localpref 100, valid, external
      Community: 12956:65535
      Last update: Mon Nov 10 18:40:54 2008

  22548 16735
    200.160.0.130 from 200.160.0.130 (200.160.0.137)
      Origin IGP, localpref 100, valid, external, best
      Last update: Tue Nov 11 02:51:57 2008

> RIPE's RIS BGPlay confirms the same, for about the last hour.

yep since 2am GMT.

C.
--
020 7729 4797
http://blog.playlouder.com/

Same problems here, for AS26028

Stefan

Obvious, since I posted about it earlier, but confirmed here as well.

Has anyone made contact with these guys? I have yet to...

On Mon, Nov 10, 2008 at 9:32 PM, Network Fortius <netfortius@gmail.com> wrote:
> Same problems here, for AS26028
>
> Stefan

I sent e-mails to the AS contacts, but don't expect that to do much in the middle of the night. No live person at the phone numbers.

I can't even get their web site to come up, although if they're re-routing the entire BGP table internally, go figure. :)

BGPMon's a great thing though! Somebody's been bad tonight.

Scott

-----Original Message-----
From: jamie [mailto:j@arpa.com]
Sent: Monday, November 10, 2008 10:37 PM
To: Network Fortius
Cc: nanog@nanog.org
Subject: Re: Potential Prefix Hijack

Obvious, since I posted about it earlier, but confirmed here as well.

Has anyone made contact with these guys? I have yet to...

We too saw this issue.

2008-11-11 01:56:36 GMT they took over one of our /20's ...

Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Tel: +353 (0) 59 9183072
Lo-call: 1850 929 929
DDI: +353 (0) 59 9183091
e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

Blacknight Internet Solutions Ltd,
Unit 12A, Barrowside Business Park,
Sleaty Road,
Graiguecullen,
Carlow,
Ireland
Company No.: 370845

Participants (14): Bill Woodcock, Charlie Allom, Eduardo Ascenço Reis, Frank Bulk, Frederico A C Neves, Gustavo Rodrigues Ramos, jamie, Mark Tinka, Martin A. Brown, Network Fortius, Paul Kelly :: Blacknight, Scott Morris, Tim Peiffer, Tuc at T-B-O-H.NET