BGP hijack: 64.68.207.0/24 from as133955
as133955 is broadcasting bogus BGP announcement for our netblock 64.68.207.0/24
It's in China, and we're trying to contact as24155 but they are also in China and we're just emailing their whois record address.
If you're nearby and in a position to block/dampen that might be helpful.
Thx
- mark
-- Mark Jeftovic <markjr@easydns.com> Founder & CEO, easyDNS Technologies Inc. http://www.easyDNS.com
TELUS AS852 has three address blocks hijacked by AS133955 as well. We have not been able to get in contact with AS24155. It looks like they are buying transit from PCCW AS3491 and Taiwan Internet Gateway AS9505.
68.182.255.0/24
74.49.255.0/24
96.1.255.0/24
On Tue, Oct 3, 2017, at 10:30 AM, Mark Jeftovic wrote:
as133955 is broadcasting bogus BGP announcement for our netblock 64.68.207.0/24
It's in China, and we're trying to contact as24155 but they are also in China and we're just emailing their whois record address.
If you're nearby and in a position to block/dampen that might be helpful.
Thx
- mark
-- Mark Jeftovic <markjr@easydns.com> Founder & CEO, easyDNS Technologies Inc. http://www.easyDNS.com
I noticed when I looked into both of these leaks 3 hours after Clinton's message yesterday that I couldn't see them in any of the looking glasses I was looking in (including the NLNOG looking glass).
Looks like things were able to be cleaned up very quickly.
Theodore Baschak - AS395089 - Hextet Systems https://bgp.guru/ - https://hextet.net/ http://mbix.ca/ - http://mbnog.ca/
On Tue, Oct 3, 2017 at 6:29 PM, Clinton Work <clinton@scripty.com> wrote:
TELUS AS852 has three address blocks hijacked by AS133955 as well. We have not been able to get in contact with AS24155. It looks like they are buying transit from PCCW AS3491 and Taiwan Internet Gateway AS9505.
68.182.255.0/24 74.49.255.0/24 96.1.255.0/24
On Oct 4, 2017, at 11:29 AM, Theodore Baschak <theodore@ciscodude.net> wrote:
I noticed when I looked into both of these leaks 3 hours after Clinton's message yesterday that I couldn't see them in any of the looking glasses I was looking in (including the NLNOG looking glass)
Looks like things were able to be cleaned up very quickly.
Interesting.
bgp.he.net is still reporting AS133955 as the originator of 64.68.207.0/24. I don't know what their refresh cycle is.
And, oh look, bgp.he.net points to an RADB proxy registration for the AS133955 origination. RADB no longer reports that route object. But it must have been there at some point.
RADB
route: 64.68.207.0/24
descr: Fleg Asia Telecom Ltd Proxy-registered route object
origin: AS133955
notify: ipbb-apol@aptg.com.tw
mnt-by: MAINT-AS17709
changed: kiayang@aptg.com.tw 20170830 #05:45:57Z
source: RADB
stat.ripe.net (bless you, RIPE!) shows that 64.68.207.0/24 has been originated by AS133955 off and on for the last month (since the RADB route object's change date?) in the BGP Update Activity and Routing History graphs. And a huge flurry of activity yesterday.
Could I be reading all this wrong? Seems to have been going on for quite a while.
—Sandy
P.S. The other three prefixes mentioned below show similar results in bgp.he.net, with route objects proxy registered on 9/25, and similar results in stats.ripe.net, with off-and-on announcements, more off than on for these, closely timed with the route object registration.
Theodore Baschak - AS395089 - Hextet Systems https://bgp.guru/ - https://hextet.net/ http://mbix.ca/ - http://mbnog.ca/
Not to respond to my own post, or anything. But. Another interesting thing.
bgp.he.net reports show that AS133955 is/was also announcing 69.172.127.0/24 "WiMore S.r.l.". bgp.he.net shows a red key icon on that origination, meaning that there's an RPKI ROA that does not match that origination.
And bgp.he.net reports an RADB route object with a proxy registration for AS133955 to originate 69.172.127.0/24, registered on 9/25 like the three prefixes below. RADB still reports that route object (along with a very old one)
route: 69.172.127.0/24
descr: Fleg Asia Telecom Ltd Proxy-registered route object
origin: AS133955
notify: ipbb-apol@aptg.com.tw
mnt-by: MAINT-AS17709
changed: kiayang@aptg.com.tw 20170925 #00:31:36Z
source: RADB
route: 69.172.64.0/18
descr: Canaca-Com Inc
descr: 1650 Dundas Street East Unit 203
descr: Mississauga, Ontario
descr: CA
origin: AS33139
mnt-by: MNT-CANAC
changed: peering@canaca.com 20100624
source: ARIN
stats.ripe.net shows 69.172.127.0/24 is presently being announced - "Originated by: AS133955 (valid route object in RADB)", "100% visible (by 157 of 157 RIS full peers)"
The RPKI says that AS34526 (WiMore S.r.l.) is authorized to originate 69.172.96.0/19. But the aggregate prefix is not being announced. If the AS133955 origination is valid, they really ought to update their ROA.
Hm. I am curious about that prefix. Is it being hijacked? Or am I just reading everything wrong?
—Sandy
On Oct 4, 2017, at 1:45 PM, Sandra Murphy <sandy@tislabs.com> wrote:
On Oct 4, 2017, at 11:29 AM, Theodore Baschak <theodore@ciscodude.net> wrote:
I noticed when I looked into both of these leaks 3 hours after Clinton's message yesterday that I couldn't see them in any of the looking glasses I was looking in (including the NLNOG looking glass)
Looks like things were able to be cleaned up very quickly.
Interesting.
bgp.he.net is still reporting AS133955 as the originator of 64.68.207.0/24. I don’t know what their refresh cycle is.
And, oh look, bgp.he.net points to an RADB proxy registration for the AS133955 origination. RADB no longer reports that route object. But it must have been there at some point.
RADB route: 64.68.207.0/24
descr: Fleg Asia Telecom Ltd Proxy-registered route object origin: AS133955 notify: ipbb-apol@aptg.com.tw mnt-by: MAINT-AS17709 changed: kiayang@aptg.com.tw 20170830 #05:45:57Z source: RADB
stat.ripe.net (bless you, RIPE!) shows that 64.68.207.0/24 has been originated by AS133955 off and on for the last month (since the RADB route object’s change date?) in the BGP Update Activity and Routing History graphs. And a huge flurry of activity yesterday.
Could I be reading all this wrong? Seems to have been going on for quite a while.
—Sandy
P.S. The other three prefixes mentioned below show similar results in bgp.he.net, with route objects proxy registered on 9/25, and similar results in stats.ripe.net, with off-and-on announcements, more off than on for these, closely timed with the route object registration.
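The "red key icon" Sandy describes is an RPKI route origin validation (RFC 6811) mismatch: a ROA authorizes AS34526 for 69.172.96.0/19, but AS133955 originates the covered more-specific 69.172.127.0/24. The following is an added example, not code from anyone in the thread, that implements that validation over the thread's own prefixes; the ROA's maxLength is not stated in the thread and is assumed here to equal the prefix length.

```python
import ipaddress

# Constructed from the thread. The ROA maxLength (second field) is an
# assumption: the messages do not state it, so it equals the prefix length.
ROAS = [
    # (prefix, max_length, authorized origin AS)
    ("69.172.96.0/19", 19, 34526),   # WiMore S.r.l., per bgp.he.net in the thread
]

ANNOUNCEMENTS = [
    # (prefix, origin AS) as reported in the thread
    ("69.172.127.0/24", 133955),  # flagged with the red key icon on bgp.he.net
    ("64.68.207.0/24", 133955),   # easyDNS prefix hijacked; no ROA mentioned
    ("69.172.96.0/19", 34526),    # the aggregate the ROA actually authorizes
    ("69.172.127.0/24", 34526),   # legitimate holder, but more specific than maxLength
]


def rov_state(prefix: str, origin_as: int, roas=ROAS) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix, strict=False)
        # A ROA covers the route when the route lies inside the ROA prefix.
        if route.version == roa_net.version and route.subnet_of(roa_net):
            covering.append((max_len, roa_as))
    if not covering:
        return "not-found"   # RPKI says nothing about this route
    for max_len, roa_as in covering:
        # Valid only if some covering ROA names this origin AND the announced
        # prefix is no longer than that ROA's maxLength.
        if roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid"         # covered, but wrong origin or too specific


def validate_all(announcements=ANNOUNCEMENTS, roas=ROAS):
    """Map each (prefix, origin) pair to its validation state."""
    return {(p, a): rov_state(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    for (prefix, asn), state in validate_all().items():
        print(f"{prefix:18} AS{asn:<7} {state}")
```

The last announcement shows why Sandy's "update their ROA" remark matters: even the legitimate holder's /24 is invalid under a /19 ROA without a larger maxLength or a separate /24 ROA.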