Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in ukraine)
Hello there,

It seems there are some people in Ukraine who love to use IP space and an AS that don't belong to them. See:

#sh ip bgp 91.220.85.0/24
BGP routing table entry for 91.220.85.0/24, version 6661169
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1
  174 8359 8359 13249 57954 42989 51888, (received & used)
    149.11.xx.xx from 149.11.xxx.xxx (38.28.xx.xx)
      Origin IGP, metric 14050, localpref 100, valid, external, best
      Community: 11424365 11425269 24990 21371
  8359 13249 57954 42989 51888, (received & used)
    185.3.25.1 (metric 10) from 185.17.xxx.xxx (185.17.xxx.xxx)
      Origin IGP, metric 0, localpref 100, valid, internal, not synchronized

According to the RIPE database:

aut-num:        AS51888
as-name:        PILOTSYSTEMS-AS
descr:          Pilot Systems consulting SARL
org:            ORG-PS74-RIPE
import:         from AS16128 accept ANY
import:         from AS29075 accept ANY
import:         from AS35189 accept ANY
export:         to AS16128 announce AS51888
export:         to AS29075 announce AS51888
export:         to AS35189 announce AS51888
admin-c:        DS7922-RIPE
tech-c:         GLM89-RIPE
tech-c:         XB80-RIPE
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         MNT-KAZAR
mnt-by:         MNT-PILOTSYSTEMS
mnt-routes:     MNT-KAZAR
mnt-routes:     MNT-PILOTSYSTEMS
source:         RIPE #Filtered

It seems there is no AS42989 as upstream.... So we can consider that AS42989 is handling illicit activities and does not filter prefixes (the same also for AS57954).

That's cool, but those people in UA use that prefix to send spam; as a LIR member I got thousands of mails from people that got those IPs as a spam source.

RPKI and other stuff really needs to be deployed massively.

If some people from those UA ASes could do their job instead of being the honeypot of spammers, this would be better for everyone.

I have already tried to contact the abuse / email addresses from the RIPE database: no MX, the mailbox doesn't exist, even the domain doesn't exist... Maybe AS-MTU doesn't look around at the quality of their customers? So bad...

People there that have some PI and an unused AS, have a look to see if your resources are not being used by someone that should not use them.

Xavier
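The check Xavier did by hand above (the AS adjacent to the origin in the AS_PATH is not among the upstreams the origin's aut-num object declares) can be automated. The following is an added example, not code from the original post or from any of the operators involved; it parses the `show ip bgp` path lines and the RPSL aut-num object as quoted above (the sample strings are constructed from that text, with the masked addresses left masked, and the function names are mine), and flags every path whose origin is the aut-num ASN but whose neighbouring AS is not an `import:`/`export:` peer. Prepends are collapsed first so that `8359 8359` does not hide the real adjacency.

```python
"""Cross-check the AS adjacent to the origin of each BGP path against the
origin AS's declared neighbours in its RIPE aut-num (RPSL) object."""
import re

# Constructed sample input, taken from the router output quoted in the post.
# Addresses were already masked ("xx") there and are not needed for the check.
SHOW_IP_BGP = """\
BGP routing table entry for 91.220.85.0/24, version 6661169
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  174 8359 8359 13249 57954 42989 51888, (received & used)
    149.11.xx.xx from 149.11.xxx.xxx (38.28.xx.xx)
      Origin IGP, metric 14050, localpref 100, valid, external, best
  8359 13249 57954 42989 51888, (received & used)
    185.3.25.1 (metric 10) from 185.17.xxx.xxx (185.17.xxx.xxx)
      Origin IGP, metric 0, localpref 100, valid, internal, not synchronized
"""

# Constructed sample: the relevant attributes of the aut-num object quoted above.
AUT_NUM = """\
aut-num:        AS51888
as-name:        PILOTSYSTEMS-AS
import:         from AS16128 accept ANY
import:         from AS29075 accept ANY
import:         from AS35189 accept ANY
export:         to AS16128 announce AS51888
export:         to AS29075 announce AS51888
export:         to AS35189 announce AS51888
source:         RIPE #Filtered
"""

# A path line in IOS "show ip bgp <prefix>" output: ASNs, a comma, then "(received ...)".
AS_PATH_RE = re.compile(r"^\s*((?:\d+\s+)*\d+),\s*\(received", re.M)


def parse_as_paths(show_output):
    """Each AS_PATH as a list of ints; leftmost is our neighbour, rightmost the origin."""
    return [[int(asn) for asn in m.group(1).split()]
            for m in AS_PATH_RE.finditer(show_output)]


def declared_neighbours(aut_num_text):
    """ASNs named on the import:/export: lines of an RPSL aut-num object."""
    neighbours = set()
    for line in aut_num_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("import", "export"):
            m = re.search(r"\b(?:from|to)\s+AS(\d+)", value)
            if m:
                neighbours.add(int(m.group(1)))
    return neighbours


def aut_num_asn(aut_num_text):
    """The ASN the aut-num object describes."""
    return int(re.search(r"^aut-num:\s*AS(\d+)", aut_num_text, re.M).group(1))


def suspicious_adjacencies(show_output, aut_num_text):
    """Paths that originate in the aut-num ASN but reach it through an AS the
    object never lists as a neighbour. Returns a list of (path, neighbour)."""
    origin = aut_num_asn(aut_num_text)
    allowed = declared_neighbours(aut_num_text)
    findings = []
    for path in parse_as_paths(show_output):
        # Collapse prepends so the element before the origin is the real adjacency.
        dedup = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
        if len(dedup) < 2 or dedup[-1] != origin:
            continue
        neighbour = dedup[-2]
        if neighbour not in allowed:
            findings.append((path, neighbour))
    return findings


if __name__ == "__main__":
    for path, neighbour in suspicious_adjacencies(SHOW_IP_BGP, AUT_NUM):
        print(f"AS{path[-1]} reached via undeclared neighbour AS{neighbour}: {path}")
```

Two caveats a practitioner would want: aut-num import/export lines are self-maintained and frequently stale, so an undeclared adjacency is evidence, not proof, and the inverse (a declared neighbour) proves nothing about who is actually announcing the prefix. The authoritative statement of who may originate the prefix is a route object under the holder's mnt-routes, or better an RPKI ROA, which is what the rest of the thread is about.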
On 03/05/2013 18:49, Xavier Beaudouin wrote:
People there that have some PI and an unused AS, have a look to see if your resources are not being used by someone that should not use them.

RIPE policy 2007-01 will help with this problem by ensuring that anyone who has got PI address space will be traceable and will be paying for it (i.e. it will appear on the holder's payment radar).

RPKI could potentially help with this problem, but only if unknown and invalid prefixes are dropped by policy (to deal with the cases where there are no ROAs, or else there are ROAs but they are e.g. revoked). If they are simply depreffed, RPKI will not help.

It will be a brave person who drops both unknown and invalid prefixes.

Nick
On Fri, May 3, 2013 at 2:01 PM, Nick Hilliard <nick@foobar.org> wrote:
It will be a brave person who drops both unknown and invalid prefixes.
hopefully it won't involve people being brave :) hopefully good measurement and metrics lead us to a position where things 'just work' and we can do it with confidence! :)
On 03/05/2013 19:08, Christopher Morrow wrote:
hopefully it won't involve people being brave :) hopefully good measurement and metrics lead us to a position where things 'just work' and we can do it with confidence! :)
dropping prefixes means that you're ok about not having reachability to a prefix if its roa pops up as "unknown". This could be because the prefix holder hasn't bothered to register their prefix in the rpki (i.e. sloppiness), or it could be because the ROA has been revoked for some reason (e.g. because of hijacking). For sure, a router can't tell the difference.
From a deployment point of view, there's a pretty big gap between poking around with rpki and actually dropping prefixes on your routers. I don't see that the rpki data will be good enough for the latter any time soon, but maybe one day.
Nick
On Fri, May 3, 2013 at 2:21 PM, Nick Hilliard <nick@foobar.org> wrote:
On 03/05/2013 19:08, Christopher Morrow wrote:
hopefully it won't involve people being brave :) hopefully good measurement and metrics lead us to a position where things 'just work' and we can do it with confidence! :)
dropping prefixes means that you're ok about not having reachability to a prefix if its roa pops up as "unknown". This could be because the prefix holder hasn't bothered to register their prefix in the rpki (i.e. sloppiness), or it could be because the ROA has been revoked for some reason (e.g. because of hijacking). For sure, a router can't tell the difference.
right, in the ideal tomorrow-tomorrow-land ... this all is part of turnup and the timelines associated with propagation/etc are all known and accounted for. Additionally, the systems involved are all well understood and redundant/resilient/etc. in short, in the tomorrow-tomorrow-land... this all just works as we expect/want, and the only 'unknown' are actually 'invalid'.
From a deployment point of view, there's a pretty big gap between poking around with rpki and actually dropping prefixes on your routers. I don't see that the rpki data will be good enough for the latter any time soon, but maybe one day.
right, no problem with this.
Nick
-----Original Message-----
From: Nick Hilliard [mailto:nick@foobar.org]
Sent: Friday, May 03, 2013 8:21 PM
From a deployment point of view, there's a pretty big gap between poking around with rpki and actually dropping prefixes on your routers. I don't see that the rpki data will be good enough for the latter any time soon, but maybe one day.
Well, you can always just lower the preference for a particular prefix based on the ROA state or a missing ROA. Then it is solely up to your customers whether they bother to register their prefixes to avoid hijacks or not, as you'll be ready on your part.

adam
Illegal or undesired?

Sent from my T-Mobile 4G LTE Device

-------- Original message --------
From: Adam Vitkovsky <adam.vitkovsky@swan.sk>
Date: 05/06/2013 12:33 AM (GMT-08:00)
To: 'Nick Hilliard' <nick@foobar.org>, 'Christopher Morrow' <morrowc.lists@gmail.com>
Cc: 'NANOG' <nanog@nanog.org>
Subject: RE: Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in ukraine)

-----Original Message-----
From: Nick Hilliard [mailto:nick@foobar.org]
Sent: Friday, May 03, 2013 8:21 PM
From a deployment point of view, there's a pretty big gap between poking around with rpki and actually dropping prefixes on your routers. I don't see that the rpki data will be good enough for the latter any time soon, but maybe one day.
Well, you can always just lower the preference for a particular prefix based on the ROA state or a missing ROA. Then it is solely up to your customers whether they bother to register their prefixes to avoid hijacks or not, as you'll be ready on your part.

adam
On Mon, 06 May 2013 15:27:35 -0000, Warren Bailey said:
Illegal or undesired?
This sort of stuff comes in two flavors: "typo" and "intentionally done in furtherance of criminal activities". The fact that an AS number and matching IP range are involved tends to say it's not a typo.
On Mon, May 6, 2013 at 12:23 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Mon, 06 May 2013 15:27:35 -0000, Warren Bailey said:
Illegal or undesired?
This sort of stuff comes in two flavors: "typo" and "intentionally done in furtherance of criminal activities".
The fact that an AS number and matching IP range are involved tends to say it's not a typo.
maybe warren's question is better stated: "Please point to relevant legal code in the jurisdiction(s) which are relevant." (if you feel this is 'illegal', showing where in the relevant code(s) where this would be classified as such would help) -chris
+1

Sent from my T-Mobile 4G LTE Device

-------- Original message --------
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: 05/06/2013 9:29 AM (GMT-08:00)
To: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Cc: Warren Bailey <wbailey@satelliteintelligencegroup.com>, Adam Vitkovsky <adam.vitkovsky@swan.sk>, Nick Hilliard <nick@foobar.org>, NANOG <nanog@nanog.org>
Subject: Re: Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in ukraine)

On Mon, May 6, 2013 at 12:23 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Mon, 06 May 2013 15:27:35 -0000, Warren Bailey said:
Illegal or undesired?
This sort of stuff comes in two flavors: "typo" and "intentionally done in furtherance of criminal activities". The fact that an AS number and matching IP range are involved tends to say it's not a typo.

maybe warren's question is better stated: "Please point to relevant legal code in the jurisdiction(s) which are relevant." (if you feel this is 'illegal', showing where in the relevant code(s) where this would be classified as such would help)

-chris
if anyone wondered why abuse goes unchecked, wonder no longer.

-Dan

On Mon, 6 May 2013, Warren Bailey wrote:
+1
Abuse is abuse.. People are going to do bad things, even when you call them illegal (in some cases, as a result of calling them illegal). It's not illegal to be a tool, but it is illegal to break a law. In my opinion laws need to be written and passed, not thought about and argued over. If we are going to arbitrarily make our own laws, why don't we start at something cooler than preventing a guy announcing someone's Internet addresses? I understand the magnitude of these actions, but at some point we need to pay attention to things outside of /dev/internet. Again.. I'm not saying these hijackers aren't pricks, I'm saying that stealing an AS number shouldn't be illegal - committing a crime with information gained should be (and is). It's not that I don't care, I just don't care that MUCH.

Sent from my T-Mobile 4G LTE Device

-------- Original message --------
From: goemon@anime.net
Date: 05/06/2013 11:31 AM (GMT-08:00)
To: Warren Bailey <wbailey@satelliteintelligencegroup.com>
Cc: Christopher Morrow <morrowc.lists@gmail.com>, Valdis Kletnieks <Valdis.Kletnieks@vt.edu>, NANOG <nanog@nanog.org>
Subject: Re: Illegal usage of AS51888 (and PI 91.220.85.0/24) from AS42989 and AS57954 (in ukraine)

if anyone wondered why abuse goes unchecked, wonder no longer.

-Dan

On Mon, 6 May 2013, Warren Bailey wrote:
+1
On Mon, May 6, 2013 at 2:39 PM, Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
Abuse is abuse.. People are going to do bad things, even when you call them illegal (in some cases, as a result of calling them illegal). It's not illegal to be a tool, but it is illegal to break a law. In my opinion laws need to be written and passed, not thought about and argued over. If we are going to arbitrarily make our own laws, why don't we start at something cooler than preventing a guy announcing someone's Internet addresses? I understand the magnitude of these actions, but at some point we need to pay attention to things outside of /dev/internet. Again.. I'm not saying these hijackers aren't pricks, I'm saying that stealing an AS number shouldn't be illegal - committing a crime with information gained should be (and is). It's not that I don't care, I just don't care that MUCH.
agreed, I wasn't of the opinion that the action was 'right', just that calling it 'illegal' was quite a leap. I do think that putting effort into making it significantly harder to 'hijack prefixes' is a good thing, which is the reason I put effort into: tools.ietf.org/wg/sidr pitching a fit from the sidelines isn't helpful, finding a way to keep it from happening again/again/again at least tries to move the ball forward. -chris
And then you end up on RBLs. That seems to help the caring aspect PDQ.

-Dan

On Mon, 6 May 2013, Warren Bailey wrote:
Abuse is abuse.. People are going to do bad things, even when you call them illegal (in some cases, as a result of calling them illegal). It's not illegal to be a tool, but it is illegal to break a law. In my opinion laws need to be written and passed, not thought about and argued over. If we are going to arbitrarily make our own laws, why don't we start at something cooler than preventing a guy announcing someone's Internet addresses? I understand the magnitude of these actions, but at some point we need to pay attention to things outside of /dev/internet. Again.. I'm not saying these hijackers aren't pricks, I'm saying that stealing an AS number shouldn't be illegal - committing a crime with information gained should be (and is). It's not that I don't care, I just don't care that MUCH.
On 06/05/2013 08:31, Adam Vitkovsky wrote:
Well, you can always just lower the preference for a particular prefix based on the ROA state or a missing ROA. Then it is solely up to your customers whether they bother to register their prefixes to avoid hijacks or not, as you'll be ready on your part.
yep, you can depref stuff but it won't necessarily do what you want. E.g. if someone in Iran decides to announce a more-specific for some prefix in germany: https://twitter.com/bgpmon/status/330777020395040768 then the roa validation process would return "invalid". If you depref this, the more-specific will still provide the best path, so it's pretty useless. The only way to handle this is to drop roa-invalid paths completely, but it's not going to be possible to implement that as a general routing policy until the rpki data is pretty good quality overall. Nick
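Nick's two points in this thread (that a router cannot distinguish an unregistered prefix from a revoked ROA, so "unknown" and "invalid" need separate policy, and that depref is useless against a more-specific hijack because longest-prefix match runs after best-path selection) are easy to see in a small model. The following is an added example, not code from the original thread or from any vendor's ROV implementation; the validation logic follows RFC 6811 (a route is valid if some covering ROA names its origin AS and its length is within the ROA's maxLength, invalid if covering ROAs exist but none matches, not-found otherwise), while the route records, the policy modes, the ROAs and the ASNs/prefixes (RFC 5398 documentation ASNs, RFC 5737 prefixes) are constructed for the scenario and the function names are my own.

```python
"""Model of RFC 6811 route origin validation and of what a routing policy built
on it can and cannot do: depref vs drop, unknown vs invalid, and why a more-
specific hijack survives a depref."""
import ipaddress

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


def rov_state(prefix, origin_as, roas):
    """RFC 6811 validation state of (prefix, origin AS) against ROAs given as
    (prefix, maxLength, asn) tuples."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return NOT_FOUND                      # no ROA covers this prefix at all
    for max_len, asn in covering:
        if asn == origin_as and net.prefixlen <= max_len:
            return VALID
    return INVALID                            # covered, but wrong origin or too long


def apply_policy(routes, roas, mode):
    """Tag each route with its ROV state and apply one policy:
    'depref'        invalid routes get localpref 50, everything is kept
    'drop-invalid'  invalid routes are discarded, not-found is kept
    'drop-unknown'  both invalid and not-found routes are discarded"""
    kept = []
    for route in routes:
        state = rov_state(route["prefix"], route["as_path"][-1], roas)
        route = dict(route, rov=state)
        if state == INVALID and mode in ("drop-invalid", "drop-unknown"):
            continue
        if state == NOT_FOUND and mode == "drop-unknown":
            continue
        if state == INVALID and mode == "depref":
            route["localpref"] = 50
        kept.append(route)
    return kept


def best_paths(routes):
    """Per-prefix best path: higher localpref wins, then shorter AS_PATH.
    Note this is per prefix; a /24 never competes with its covering /23 here."""
    best = {}
    for route in routes:
        key = (route["localpref"], -len(route["as_path"]))
        cur = best.get(route["prefix"])
        if cur is None or key > (cur["localpref"], -len(cur["as_path"])):
            best[route["prefix"]] = route
    return best


def forwarding_origin(best, dst):
    """Origin AS that actually receives traffic for dst: longest-prefix match
    over the installed best paths, i.e. after policy and best-path selection."""
    addr = ipaddress.ip_address(dst)
    candidates = [p for p in best if addr in ipaddress.ip_network(p)]
    if not candidates:
        return None
    longest = max(candidates, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best[longest]["as_path"][-1]


# Constructed scenario: the holder (AS64496) has a ROA for its /23 only.
ROAS = [("192.0.2.0/23", 23, 64496)]
ROUTES = [
    {"prefix": "192.0.2.0/23", "as_path": [64500, 64496], "localpref": 100},         # legitimate
    {"prefix": "192.0.2.0/24", "as_path": [64500, 64501, 64511], "localpref": 100},  # more-specific hijack
    {"prefix": "198.51.100.0/24", "as_path": [64500, 64499], "localpref": 100},      # holder never made a ROA
]


def who_gets_traffic(mode, dst):
    """Origin AS that ends up carrying traffic to dst under the given policy."""
    return forwarding_origin(best_paths(apply_policy(ROUTES, ROAS, mode)), dst)


if __name__ == "__main__":
    for mode in ("depref", "drop-invalid", "drop-unknown"):
        print(f"{mode:13s} 192.0.2.10 -> AS{who_gets_traffic(mode, '192.0.2.10')}"
              f"   198.51.100.5 -> {who_gets_traffic(mode, '198.51.100.5')}")
```

Under "depref" the hijacked /24 is invalid and gets localpref 50, but it is the only path for that prefix, so it is still installed and longest-prefix match sends 192.0.2.10 to the hijacker; only "drop-invalid" restores the legitimate /23. The third route shows the other half of Nick's point: 198.51.100.0/24 has no ROA at all, so it is not-found rather than invalid, and it disappears only under the "drop-unknown" policy that he calls brave, since from the router's side a holder who never registered and a ROA that was revoked look the same. ROV also only checks the origin; a hijacker who announces the /24 with the holder's AS prepended at the origin is still invalid here only because the ROA's maxLength is 23, which is the reason maxLength should be kept as tight as the holder's actual announcements.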
The only way to handle this is to drop roa-invalid paths completely, but it's not going to be possible to implement that as a general routing policy until the rpki data is pretty good quality overall.
ssshhhh. my routers might hear you and think there was something wrong about themselves. randy
* Nick Hilliard:
ripe policy 2007-01 will help with this problem by ensuring that anyone who has got PI address space will be traceable and will be paying for it (i.e. it will appear on the holder's payment radar).
I don't think there are plans to publish this information in the WHOIS database, though.
On Fri, May 3, 2013 at 1:49 PM, Xavier Beaudouin <kiwi@oav.net> wrote:
Hello there,
I'm not sure I'd have lead with 'illegal', certainly 'not friendly' fits though :(

also, I'm so glad we're doing well with:
1) provider filters
2) verification of address/number-holder validity
3) route origin authorization
Needs really that rpki and other stuff to be deployed massively.
I agree, thanks for the up vote! (or do we call them 'likes' these days?) good luck in your quest to have this squelched. -chris
participants (9)
- Adam Vitkovsky
- Christopher Morrow
- Florian Weimer
- goemon@anime.net
- Nick Hilliard
- Randy Bush
- Valdis.Kletnieks@vt.edu
- Warren Bailey
- Xavier Beaudouin