Something apparently in Brazil is hijacking 128.255.192.0/22, part of 128.255.0.0/16 which is held by the University of Iowa. AS 263971 is announcing 128.255.192.0/22 which Hurricane Electric is accepting & propagating. None of that has any authorization.
I can't find any decent contact information for the originating entity, so I have reported it to abuse@he.net, but it'd be fabulous if some HE folks listening here could whack the hijacking faster than the abuse channels will get to it. Also useful would be some functional contact for AS263971.
Any help will be appreciated.
________________________________________________________________________ Jay Ford, Network Engineering Group, Information Technology Services University of Iowa, Iowa City, IA 52242 email: jay-ford@uiowa.edu, phone: 319-335-5555
Hi Jay,
Please note that there is a Lacnog mailing list. I will forward your message. Not sure if it will work but worth giving it a try.
Regards,
Alejandro,
On 20/3/18 at 2:35 p.m., Jay Ford wrote:
Something apparently in Brazil is hijacking 128.255.192.0/22, part of 128.255.0.0/16 which is held by the University of Iowa. AS 263971 is announcing 128.255.192.0/22 which Hurricane Electric is accepting & propagating. None of that has any authorization.
I can't find any decent contact information for the originating entity, so I have reported it to abuse@he.net, but it'd be fabulous if some HE folks listening here could whack the hijacking faster than the abuse channels will get to it. Also useful would be some functional contact for AS263971.
Any help will be appreciated.
________________________________________________________________________ Jay Ford, Network Engineering Group, Information Technology Services University of Iowa, Iowa City, IA 52242 email: jay-ford@uiowa.edu, phone: 319-335-5555
A reason to de-aggregate down to /24s, to make hijacks more difficult/less effective?
/kc
On Tue, Mar 20, 2018 at 04:20:47PM -0300, Alejandro Acosta said:
Hi Jay,
Please note that there is a Lacnog mailing list. I will forward your message. Not sure if it will work but worth giving it a try.
Regards,
Alejandro,
On 20/3/18 at 2:35 p.m., Jay Ford wrote:
Something apparently in Brazil is hijacking 128.255.192.0/22, part of 128.255.0.0/16 which is held by the University of Iowa. AS 263971 is announcing 128.255.192.0/22 which Hurricane Electric is accepting & propagating. None of that has any authorization.
I can't find any decent contact information for the originating entity, so I have reported it to abuse@he.net, but it'd be fabulous if some HE folks listening here could whack the hijacking faster than the abuse channels will get to it. Also useful would be some functional contact for AS263971.
Any help will be appreciated.
________________________________________________________________________ Jay Ford, Network Engineering Group, Information Technology Services University of Iowa, Iowa City, IA 52242 email: jay-ford@uiowa.edu, phone: 319-335-5555
-- Ken Chase - math@sizone.org
On Tue, 20 Mar 2018 at 19:26, Ken Chase <math@sizone.org> wrote:
A reason to de-aggregate down to /24s, to make hijacks more difficult/less effective?
Or perhaps something less costly for everyone: a reason for HE to implement prefix-based EBGP filters?
At any given moment there appear to be roughly 5500 prefixes in HE’s customer cone for which no attestation can be found in any of IRR, RPKI or WHOIS. I find this deeply concerning.
Kind regards,
Job
I contacted the company and forwarded this email to them.
Best regards,
João Butzke.
On 20/03/2018 16:32, Job Snijders wrote:
On Tue, 20 Mar 2018 at 19:26, Ken Chase <math@sizone.org> wrote:
A reason to de-aggregate down to /24s, to make hijacks more difficult/less effective?
Or perhaps something less costly for everyone: a reason for HE to implement prefix-based EBGP filters?
At any given moment there appear to be roughly 5500 prefixes in HE’s customer cone for which no attestation can be found in any of IRR, RPKI or WHOIS. I find this deeply concerning.
Kind regards,
Job
Hello,
Someone in Lacnog privately told me this:
aut-num: AS263971
owner: FaleMais Comunicações LTDA
responsible: Paulo Henrique Mem Pereira
owner-c: LEVAL5
routing-c: LEVAL5
abuse-c: LEVAL5
created: 20150831
changed: 20150831
inetnum: 138.255.192.0/22
inetnum: 2804:28a0::/32
inetnum: 170.254.76.0/22
Regards,
Alejandro,
On 20/3/18 at 2:35 p.m., Jay Ford wrote:
Something apparently in Brazil is hijacking 128.255.192.0/22, part of 128.255.0.0/16 which is held by the University of Iowa. AS 263971 is announcing 128.255.192.0/22 which Hurricane Electric is accepting & propagating. None of that has any authorization.
I can't find any decent contact information for the originating entity, so I have reported it to abuse@he.net, but it'd be fabulous if some HE folks listening here could whack the hijacking faster than the abuse channels will get to it. Also useful would be some functional contact for AS263971.
Any help will be appreciated.
________________________________________________________________________ Jay Ford, Network Engineering Group, Information Technology Services University of Iowa, Iowa City, IA 52242 email: jay-ford@uiowa.edu, phone: 319-335-5555
You are pointing out that 138.255.192.0/22 is the likely cause of the hijack of 128.255.192.0/22, right?
(No need to be privately told - that’s straight from the LACNIC Whois)
—Sandy
On Mar 20, 2018, at 3:40 PM, Alejandro Acosta <alejandroacostaalamo@gmail.com> wrote:
Hello,
Someone in Lacnog privately told me this:
aut-num: AS263971
owner: FaleMais Comunicações LTDA
responsible: Paulo Henrique Mem Pereira
owner-c: LEVAL5
routing-c: LEVAL5
abuse-c: LEVAL5
created: 20150831
changed: 20150831
inetnum: 138.255.192.0/22
inetnum: 2804:28a0::/32
inetnum: 170.254.76.0/22
Regards,
Alejandro,
On 20/3/18 at 2:35 p.m., Jay Ford wrote:
Something apparently in Brazil is hijacking 128.255.192.0/22, part of 128.255.0.0/16 which is held by the University of Iowa. AS 263971 is announcing 128.255.192.0/22 which Hurricane Electric is accepting & propagating. None of that has any authorization.
I can't find any decent contact information for the originating entity, so I have reported it to abuse@he.net, but it'd be fabulous if some HE folks listening here could whack the hijacking faster than the abuse channels will get to it. Also useful would be some functional contact for AS263971.
Any help will be appreciated.
________________________________________________________________________ Jay Ford, Network Engineering Group, Information Technology Services University of Iowa, Iowa City, IA 52242 email: jay-ford@uiowa.edu, phone: 319-335-5555
Looks like this incident didn't start today. I show it starting back on 2/22 at 00:31:38 UTC. It then persisted till 3/19 where it started to get withdrawn by most peers. It wasn't until 3/20 at 19:10:10 UTC when it was globally withdrawn from all peers that were advertising it.
I'll be like Job and plug monitoring. Had FaleMais and/or University of Iowa been monitoring their own prefixes as well as what they advertised (originate in this case), this could have been stopped when it started almost a month ago.
--Tim
On 20.03.2018 13:32, Sandra Murphy wrote:
You are pointing out that 138.255.192.0/22 is the likely cause of the hijack of 128.255.192.0/22, right?
(No need to be privately told - that's straight from the LACNIC Whois)
--Sandy
On Mar 20, 2018, at 3:40 PM, Alejandro Acosta <alejandroacostaalamo@gmail.com> wrote:
Hello,
Someone in Lacnog privately told me this:
aut-num: AS263971
owner: FaleMais Comunicações LTDA
responsible: Paulo Henrique Mem Pereira
owner-c: LEVAL5
routing-c: LEVAL5
abuse-c: LEVAL5
created: 20150831
changed: 20150831
inetnum: 138.255.192.0/22
inetnum: 2804:28a0::/32
inetnum: 170.254.76.0/22
Regards,
Alejandro,
On 20/3/18 at 2:35 p.m., Jay Ford wrote:
Something apparently in Brazil is hijacking 128.255.192.0/22, part of 128.255.0.0/16 which is held by the University of Iowa. AS 263971 is announcing 128.255.192.0/22 which Hurricane Electric is accepting & propagating. None of that has any authorization.
I can't find any decent contact information for the originating entity, so I have reported it to abuse@he.net, but it'd be fabulous if some HE folks listening here could whack the hijacking faster than the abuse channels will get to it. Also useful would be some functional contact for AS263971.
Any help will be appreciated.
________________________________________________________________________ Jay Ford, Network Engineering Group, Information Technology Services University of Iowa, Iowa City, IA 52242 email: jay-ford@uiowa.edu, phone: 319-335-5555
Can someone from HE comment on how they are doing their filtering? We often see our routes leaked by them or their customers and it’s quite the problem and significantly contributes to the pollution in the routing table.
Often friends and smaller providers come to me for help and the lack of filtering as well as BGP communities poses significant operational issues for networks.
Jared Mauch
On Mar 20, 2018, at 5:35 PM, Jay Ford <jnford@uiowa.net> wrote:
Something apparently in Brazil is hijacking 128.255.192.0/22, part of 128.255.0.0/16 which is held by the University of Iowa. AS 263971 is announcing 128.255.192.0/22 which Hurricane Electric is accepting & propagating. None of that has any authorization.
I can't find any decent contact information for the originating entity, so I have reported it to abuse@he.net, but it'd be fabulous if some HE folks listening here could whack the hijacking faster than the abuse channels will get to it. Also useful would be some functional contact for AS263971.
Any help will be appreciated.
________________________________________________________________________ Jay Ford, Network Engineering Group, Information Technology Services University of Iowa, Iowa City, IA 52242 email: jay-ford@uiowa.edu, phone: 319-335-5555
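The checks discussed in this thread, as an added example that is not any participant's code: a prefix-based filter built from the AS263971 whois record quoted above, a one-character near-miss test for the 128/138 mix-up, and holder-side monitoring of 128.255.0.0/16. AS64500 is a documentation-range placeholder for the holder's origin AS, which the thread does not state; the /24 and /48 maximum lengths and all function names are assumptions.

```python
import ipaddress

# Resources registered to AS263971, copied from the whois record quoted in the thread.
REGISTERED = {263971: ["138.255.192.0/22", "2804:28a0::/32", "170.254.76.0/22"]}
# Assumption: AS64500 (documentation range) stands in for the holder's real origin AS.
HOLDER_AS = 64500

def permitted(origin_as, prefix, registry=REGISTERED, max_v4=24, max_v6=48):
    """Prefix-based EBGP filter: accept only routes inside a registered block."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > (max_v4 if net.version == 4 else max_v6):
        return False  # assumed policy: nothing more specific than /24 or /48
    for block in registry.get(origin_as, []):
        reg = ipaddress.ip_network(block)
        if reg.version == net.version and net.subnet_of(reg):
            return True
    return False

def near_miss(origin_as, prefix, registry=REGISTERED):
    """Registered blocks whose text differs from prefix by one character (likely typo)."""
    return [b for b in registry.get(origin_as, [])
            if len(b) == len(prefix) and sum(x != y for x, y in zip(b, prefix)) == 1]

def hijack_alerts(held, expected_origins, announcements):
    """Holder-side monitoring: routes overlapping held space from an unexpected origin."""
    held_net = ipaddress.ip_network(held)
    alerts = []
    for origin_as, prefix in announcements:
        net = ipaddress.ip_network(prefix)
        if (net.version == held_net.version and net.overlaps(held_net)
                and origin_as not in expected_origins):
            alerts.append((origin_as, prefix))
    return alerts

# Constructed feed: the holder's own route plus the two AS263971 routes discussed above.
FEED = [(HOLDER_AS, "128.255.0.0/16"), (263971, "128.255.192.0/22"),
        (263971, "138.255.192.0/22")]

if __name__ == "__main__":
    for asn, pfx in FEED[1:]:
        print(asn, pfx, "accept" if permitted(asn, pfx) else "reject", near_miss(asn, pfx))
    print("alerts:", hijack_alerts("128.255.0.0/16", {HOLDER_AS}, FEED))
```

Either check alone would have caught the announcement: the filter rejects it at the upstream session, and the monitor flags it to the holder when it first appears.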
participants (8)
- Alejandro Acosta
- Jared Mauch
- Jay Ford
- Job Snijders
- João Butzke
- Ken Chase
- Sandra Murphy
- Tim Evens