Howdy,

We were hijacked as well, by 27664 16735

Our affected prefixes were:

94.46.0.0/16
194.88.142.0/23
194.11.23.0/24
82.102.0.0/18
195.246.238.0/23
194.107.127.0/24
81.92.192.0/19
193.227.238.0/23

We are trying to contact them in order to get some feedback, and some good explanation for this.

In the meanwhile, there is lots of evidence spread around (thanks to RIS RIPE, Routeviews, BGPmon and others)

http://www.ris.ripe.net/dashboard/27664
http://www.ris.ripe.net/dashboard/16735

In the meanwhile we are sending notices to the upstreams of those ASNs, in order for them to apply proper filtering to their downstream customers to avoid situations like this.

On the list I was able to find:

AS8167 - TELESC
AS6762 - SEABONE
AS12956 - TELEFONICA
AS3549 - GLOBAL CROSSING
AS17379 - Interlig

I welcome others to do the same, in order to avoid replicas of this situation.

Regards,
---
Nuno Vieira
nfsi telecom, lda.
nuno.vieira@nfsi.pt
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
http://www.nfsi.pt/

----- "Network Fortius" <netfortius@gmail.com> wrote:
Same problems here, for AS26028
Stefan
On Mon, Nov 10, 2008 at 8:54 PM, Mark Tinka <mtinka@globaltransit.net> wrote:
Hi all.
Anyone know how we can contact AS16735 and their upstream AS27664?
We think they are hijacking a number of our prefixes (AS24218- and AS17992-originated).
Thanks BGPmon:
e.g.,
====================
Possible Prefix Hijack (Code: 11)
1 number of peer(s) detected this updates for your prefix 61.11.208.0/20:
Update details: 2008-11-11 02:24 (UTC)
61.11.208.0/20
Announced by: AS16735 (Companhia de Telecomunicacoes do Brasil Central)
Transit AS: 27664 (CTBC Multimídia)
ASpath: 27664 16735
=====================
RIPE's RIS BGPlay confirms the same, for about the last hour.
E-mails to them won't get there (of course), so our NOC are contacting them via Gmail/Yahoo.
All help appreciated.
Cheers,
Mark.
Hi!
We were hijacked as well, by 27664 16735
Our affected prefixes were:
94.46.0.0/16 194.88.142.0/23 194.11.23.0/24 82.102.0.0/18 195.246.238.0/23 194.107.127.0/24 81.92.192.0/19 193.227.238.0/23
We are trying to contact them in order to get some feedback, and some good explanation for this.
They obviously were leaking full routing, are we all gonna announce 'my prefix was in there also?'
Bye,
Raymond.
Possibly silly question: If a small ISP is leaking a full table and you cannot reach them, why not contact their upstreams?
Can't really check a router from here, but I saw (for instance) Verio mentioned. I am certain as2914 runs a 24/7 NOC and is responsive.
--
TTFN,
patrick
Hi!
We were hijacked as well, by 27664 16735
Our affected prefixes were:
94.46.0.0/16 194.88.142.0/23 194.11.23.0/24 82.102.0.0/18 195.246.238.0/23 194.107.127.0/24 81.92.192.0/19 193.227.238.0/23
We are trying to contact them in order to get some feedback, and some good explanation for this.
They obviously were leaking full routing, are we all gonna announce 'my prefix was in there also?'
ACTUALLY............ They didn't hijack ALL my netblocks... I have 3. One was completely untouched, 1 was only hijacked by 1 site, and the last was hijacked by 2 different sites. :)
Tuc
Hi!
94.46.0.0/16 194.88.142.0/23 194.11.23.0/24 82.102.0.0/18 195.246.238.0/23 194.107.127.0/24 81.92.192.0/19 193.227.238.0/23
We are trying to contact them in order to get some feedback, and some good explanation for this.
They obviously were leaking full routing, are we all gonna announce 'my prefix was in there also?'
ACTUALLY............ They didn't hijack ALL my netblocks... I have 3. One was completely untouched, 1 was only hijacked by 1 site, and the last was hijacked by 2 different sites. :)
So their router most likely had a hard time and stuff was flapping, I see something like that in the BGPlay output also.
Bye,
Raymond.
That's not true, as not all our prefixes were hijacked nor leaked, since they were originating them. If they were leaking them you might be able to see further AS's on the AS-PATH, including the legitimate AS for originating those prefixes.
My point here is also about peers and upstreams to properly set filter or max-prefix settings to avoid those nasty things.
Am I seeing things in a blur way? Or is this supposed to happen as wind flows?
regards,
---
Nuno Vieira
nfsi telecom, lda.
nuno.vieira@nfsi.pt
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
http://www.nfsi.pt/
----- "Raymond Dijkxhoorn" <raymond@prolocation.net> wrote:
Hi!
We were hijacked as well, by 27664 16735
Our affected prefixes were:
94.46.0.0/16 194.88.142.0/23 194.11.23.0/24 82.102.0.0/18 195.246.238.0/23 194.107.127.0/24 81.92.192.0/19 193.227.238.0/23
We are trying to contact them in order to get some feedback, and some good explanation for this.
They obviously were leaking full routing, are we all gonna announce 'my prefix was in there also?'
Bye, Raymond.
Hi!
That's not true, as not all our prefixes were hijacked nor leaked, since they were originating them. If they were leaking them you might be able to see further AS's on the AS-PATH, including the legitimate AS for originating those prefixes.
We have seen issues like this also when a customer was leaking full routes, and his router was not able to cope with the BGP tables. This gave really really strange things, similar to here, some prefixes were there and some not. Completely random.
Am I seeing things in a blur way? Or is this supposed to happen as wind flows?
Upstreams should filter things properly. That's a sure thing. OR max prefix limit customers like that....
Bye,
Raymond.
participants (4)
- Nuno Vieira - nfsi telecom
- Patrick W. Gilmore
- Raymond Dijkxhoorn
- Tuc at T-B-O-H.NET
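
The distinction argued in the last messages (an origination puts the announcing AS at the end of the AS path, while a leak keeps the legitimate origin there) and the max-prefix limit both posters ask upstreams to set, as an added example that is not part of the thread. The origin table, the 198.51.100.0/24 routes and AS64500/AS64501 are constructed; only the 61.11.208.0/20 path comes from the BGPmon alert quoted above.

```python
import ipaddress

# Assumption: legitimate origins per prefix. The thread names AS24218 and AS17992
# as the poster's origins but not which one announces 61.11.208.0/20.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("61.11.208.0/20"): {24218, 17992},
    ipaddress.ip_network("198.51.100.0/24"): {64500},  # documentation prefix/ASN
}

def classify(prefix, as_path, suspects=frozenset({27664, 16735})):
    """Classify one announcement seen at a route collector.

    origin-mismatch: the rightmost (originating) AS is not a legitimate origin.
    possible-leak:   the origin is legitimate but a suspect AS is in transit.
    """
    net = ipaddress.ip_network(prefix)
    path = [int(asn) for asn in as_path.split()]
    for known, origins in EXPECTED_ORIGINS.items():
        if net.subnet_of(known):  # exact match or a more-specific
            if path[-1] not in origins:
                return "origin-mismatch"
            if suspects & set(path[:-1]):
                return "possible-leak"
            return "ok"
    return "unmonitored"

def exceeds_max_prefix(updates, neighbor_asn, limit):
    """True if the neighbor (first AS in the path) sent more than `limit` prefixes.

    Simplified model of a per-session max-prefix limit, counted from the
    collector's point of view.
    """
    seen = {p for p, path in updates if int(path.split()[0]) == neighbor_asn}
    return len(seen) > limit

# Constructed updates, except the first, which is the path from the BGPmon alert.
UPDATES = [
    ("61.11.208.0/20", "27664 16735"),
    ("198.51.100.128/25", "27664 16735"),
    ("198.51.100.0/24", "64501 27664 16735 64500"),
    ("198.51.100.0/24", "64501 64500"),
]

if __name__ == "__main__":
    for prefix, path in UPDATES:
        print(f"{prefix:20} {path:26} {classify(prefix, path)}")
    print("max-prefix tripped:", exceeds_max_prefix(UPDATES, 27664, limit=1))
```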