BGPMon.net has alerted me to /32 hijacks. Does anyone have thoughts on what this might be and if it's malicious or misconfiguration?

Date        OriginAS  Prefix             Type  ASPath
2013.07.24  25459     72.52.11.117/32    A     286 25459 25459 25459
2013.07.24  25459     72.52.11.117/32    A     3333 1103 286 25459 25459 25459
2013.07.24  25459     74.120.64.17/32    A     286 25459 25459 25459
2013.07.24  25459     74.120.64.17/32    A     3333 1103 286 25459 25459 25459
2013.07.24  25459     77.243.235.57/32   A     286 25459 25459 25459
2013.07.24  25459     77.243.235.57/32   A     3333 1103 286 25459 25459 25459
2013.07.24  25459     79.110.92.75/32    A     286 25459 25459 25459
2013.07.24  25459     79.110.92.75/32    A     3333 1103 286 25459 25459 25459
2013.07.24  25459     79.170.88.67/32    A     286 25459 25459 25459
2013.07.24  25459     79.170.88.67/32    A     3333 1103 286 25459 25459 25459
2013.07.24  25459     83.84.194.112/32   A     286 25459 25459 25459
2013.07.24  25459     83.84.194.112/32   A     3333 1103 286 25459 25459 25459
2013.07.24  25459     89.33.242.99/32    A     286 25459 25459 25459
2013.07.24  25459     89.33.242.99/32    A     3333 1103 286 25459 25459 25459
2013.07.24  25459     91.121.183.228/32  A     286 25459 25459 25459
2013.07.24  25459     91.121.183.228/32  A     3333 1103 286 25459 25459 25459
2013.07.24  25459     91.121.82.179/32   A     286 25459 25459 25459
2013.07.24  25459     91.121.82.179/32   A     3333 1103 286 25459 25459 25459
2013.07.24  25459     94.126.8.26/32     A     286 25459 25459 25459
2013.07.24  25459     94.126.8.26/32     A     3333 1103 286 25459 25459 25459
2013.07.24  25459     94.23.207.222/32   A     286 25459 25459 25459
2013.07.24  25459     94.23.207.222/32   A     3333 1103 286 25459 25459 25459
2013.07.24  25459     94.23.40.106/32    A     286 25459 25459 25459
2013.07.24  25459     94.23.40.106/32    A     3333 1103 286 25459 25459 25459
2013.07.24  25459     94.236.46.240/32   A     286 25459 25459 25459
2013.07.24  25459     94.236.46.240/32   A     3333 1103 286 25459 25459 25459
2013.07.24  25459     95.211.113.200/32  A     286 25459 25459 25459
2013.07.24  25459     95.211.113.200/32  A     3333 1103 286 25459 25459 25459
2013.07.24  25459     95.211.211.76/32   A     286 25459 25459 25459
2013.07.24  25459     95.211.211.76/32   A     3333 1103 286 25459 25459 25459

My first thought is leaked null routes. Is this even worth alerting on?

On 26-07-13 14:59, NetSecGuy wrote:
> BGPMon.net has alerted me to /32 hijacks. Does anyone have thoughts on what this might be and if it's malicious or misconfiguration? My first thought is leaked null routes. Is this even worth alerting on?

We had similar cases. In most cases they appeared to be indeed leaked null routes.

--
Grzegorz Janoszka

On Jul 26, 2013, at 3:09 PM, Grzegorz Janoszka <Grzegorz@Janoszka.pl> wrote:
> On 26-07-13 14:59, NetSecGuy wrote:
>> BGPMon.net has alerted me to /32 hijacks. Does anyone have thoughts on what this might be and if it's malicious or misconfiguration? My first thought is leaked null routes. Is this even worth alerting on?
> We had similar cases. In most cases they appeared to be indeed leaked null routes.

I'll poke AS 25459, they are fellow Dutchies

Kind regards,
Job
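
Added example, not part of any post in this thread: a small Python triage pass over alert rows in the thread's column order (Date OriginAS Prefix Type ASPath), reporting per origin AS whether every prefix is a host route, how many rows are prepended, and which AS sits directly upstream of the origin. The function names and the last sample row (documentation prefix and ASNs) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: first three rows copy the shape of the alert table in
# the thread; the fourth row is invented (documentation values) for contrast.
SAMPLE = """\
2013.07.24 25459 72.52.11.117/32 A 286 25459 25459 25459
2013.07.24 25459 72.52.11.117/32 A 3333 1103 286 25459 25459 25459
2013.07.24 25459 74.120.64.17/32 A 286 25459 25459 25459
2013.07.24 64500 192.0.2.0/24 A 64496 64500
"""

def collapse(path):
    """Drop AS-path prepending: consecutive repeats of the same ASN."""
    return [a for i, a in enumerate(path) if i == 0 or path[i - 1] != a]

def parse(line):
    """Split one row into origin, prefix and AS path (everything after Type)."""
    _date, origin, prefix, _kind, *path = line.split()
    path = [int(a) for a in path]
    if not path or path[-1] != int(origin):
        raise ValueError(f"origin AS is not the last hop of the path: {line!r}")
    return int(origin), ipaddress.ip_network(prefix), path

def summarize(text):
    """Per origin AS: row count, distinct prefixes, host-route-only flag,
    prepended-row count, and the AS seen directly upstream of the origin."""
    out = {}
    for line in filter(str.strip, text.splitlines()):
        origin, net, path = parse(line)
        s = out.setdefault(origin, {"rows": 0, "prefixes": set(),
                                    "host_only": True, "prepended": 0,
                                    "upstreams": Counter()})
        short = collapse(path)
        s["rows"] += 1
        s["prefixes"].add(net)
        s["host_only"] &= net.prefixlen == net.max_prefixlen
        s["prepended"] += len(short) < len(path)
        if len(short) > 1:
            s["upstreams"][short[-2]] += 1
    return out

if __name__ == "__main__":
    for origin, s in summarize(SAMPLE).items():
        print(f"AS{origin}: rows={s['rows']} prefixes={len(s['prefixes'])} "
              f"host_only={s['host_only']} prepended={s['prepended']} "
              f"upstreams={dict(s['upstreams'])}")
```
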