Hello everyone,
We received a strange request that I wanted to share. An email was sent to us asking to confirm a LOA from a diligent ISP. The LOA was a request to open BGP for an AS, that is not ours, to announce a /23 prefix that is ours. So basically this entity sent to their upstream a request to announce a prefix from one of our allocated ranges. We have the allocation correctly registered and ROAs in place, but it is worrisome that someone would attempt this. Obviously we have informed the ISP that the LOA is not valid and are trying to contact the originating party. Aside from RIRs for the offending AS and our IPs, is there anywhere to report this type of activity? We have dealt with hijacking technically speaking in the past but this is the first time, to my knowledge, of someone forging a LOA with our IPs.
Thanks in advance for any advice
Brian
P.S. a big thanks to Chris for checking the boxes before activating the filter if you are on the list!
It could just be a typo on the LOA. It seems unlikely any ISP would approve a forged LOA that could readily be debunked by contacting the IP space owner. The whole point of LOAs is to facilitate this verification.
-mel via cell
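Brian mentions that ROAs are in place, and Mel that LOAs exist to be verified. As an added illustration (not code from anyone in this thread), the following implements the RFC 6811 route origin validation check that an upstream can run on a LOA request before installing a prefix filter; the prefixes and AS numbers are constructed documentation values, not the ones discussed here.

```python
"""RFC 6811 route origin validation over a small, constructed VRP set.

Shows why a LOA naming a foreign AS for a /23 that the holder has covered
with a ROA is rejected by any upstream doing RPKI origin validation.
"""
from ipaddress import ip_network

# Constructed validated ROA payloads (VRPs): (prefix, maxLength, origin AS).
# AS64496 (documentation ASN) holds 10.0.0.0/22 and authorises its own AS
# to announce it down to /23, plus a separate /24 at exact length.
VRPS = [
    (ip_network("10.0.0.0/22"), 23, 64496),
    (ip_network("10.0.4.0/24"), 24, 64496),
]


def rov(prefix_str, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin AS)."""
    prefix = ip_network(prefix_str)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        # A VRP covers the route only if it is the same address family and
        # the route prefix lies inside the VRP prefix.
        if prefix.version != vrp_prefix.version or not prefix.subnet_of(vrp_prefix):
            continue
        covered = True
        # One VRP with matching origin AS and acceptable length is enough.
        if vrp_asn == origin_asn and prefix.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but never matched: invalid. No covering ROA: not-found.
    return "invalid" if covered else "not-found"


def check_loa(prefix_str, requesting_asn, vrps=VRPS):
    """Decision an upstream can take on a LOA before touching its filters."""
    state = rov(prefix_str, requesting_asn, vrps)
    if state == "valid":
        return "accept: a ROA authorises this origin AS for this prefix"
    if state == "invalid":
        return "reject: ROA names another AS or maxLength exceeded; confirm with holder"
    return "unknown: no ROA covers it; verify the LOA out of band with the registered holder"
```

A forged LOA for the /23 from the foreign AS lands in the "reject" branch, while the same /23 from the holder's own AS is accepted.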
On Mar 9, 2021, at 10:01 AM, Brian Turnbow via NANOG <nanog@nanog.org> wrote:
Hello everyone,
We received a strange request that I wanted to share. An email was sent to us asking to confirm a LOA from a diligent ISP. The LOA was a request to open BGP for an AS, that is not ours, to announce a /23 prefix that is ours. So basically this entity sent to their upstream a request to announce a prefix from one of our allocated ranges. We have the allocation correctly registered and ROAs in place, but it is worrisome that someone would attempt this. Obviously we have informed the ISP that the LOA is not valid and are trying to contact the originating party. Aside from RIRs for the offending AS and our IPs, is there anywhere to report this type of activity? We have dealt with hijacking technically speaking in the past but this is the first time, to my knowledge, of someone forging a LOA with our IPs.
Thanks in advance for any advice
Brian
P.S. a big thanks to Chris for checking the boxes before activating the filter if you are on the list!
Tracing it back to the originator of the route is of course a good first step. I would send an FYI to the RIR that allocated the prefix; preferably after the initial investigation established that it was not a genuine mistake. In that message I would make very clear if any action is requested from the RIR or not. If it is just an FYI the RIR will take note of it, watch for trends and take it into account before doing anything with the registration.
Just what I would do.
Daniel
(Full disclosure: I work for the RIPE NCC)
On 9 Mar 2021, at 18:58, Brian Turnbow via NANOG wrote:
Hello everyone,
We received a strange request that I wanted to share. An email was sent to us asking to confirm a LOA from a diligent ISP. The LOA was a request to open BGP for an AS, that is not ours, to announce a /23 prefix that is ours. So basically this entity sent to their upstream a request to announce a prefix from one of our allocated ranges. We have the allocation correctly registered and ROAs in place, but it is worrisome that someone would attempt this. Obviously we have informed the ISP that the LOA is not valid and are trying to contact the originating party. Aside from RIRs for the offending AS and our IPs, is there anywhere to report this type of activity? We have dealt with hijacking technically speaking in the past but this is the first time, to my knowledge, of someone forging a LOA with our IPs.
Thanks in advance for any advice
Brian
P.S. a big thanks to Chris for checking the boxes before activating the filter if you are on the list!
Hi Daniel,
Tracing it back to the originator of the route is of course a good first step.
Yes, we have done that and the results were not good. The company that created the LOA is registered in the Seychelles and they have IPs that were/are being revoked by Afrinic:
remarks: * * * * * * * * * * * * * * * * * * * * * * * * *
remarks: *                                       *
remarks: * This IP prefix will be reclaimed and  *
remarks: * returned to the free pool by AFRINIC  *
remarks: * on the 5th March 2021.                *
remarks: *                                       *
remarks: * For more information, please contact  *
remarks: * AFRINIC at hostmaster@afrinic.net     *
remarks: *                                       *
remarks: * * * * * * * * * * * * * * * * * * * * * * * * *
I would send an FYI to the RIR that allocated the prefix; preferably after the initial investigation established that it was not a genuine mistake. In that message I would make very clear if any action is requested from the RIR or not. If it is just an FYI the RIR will take note of it, watch for trends and take it into account before doing anything with the registration.
Just what I would do.
Thanks for the advice, I will do so.
Brian
Hi Brian
On Thu, Mar 11, 2021 at 1:51 PM Brian Turnbow via NANOG <nanog@nanog.org> wrote:
Hi Daniel,
Tracing it back to the originator of the route is of course a good first
step.
Yes, we have done that and the results were not good.
The company that created the LOA is registered in the Seychelles and they
have IPs that were/are being revoked by Afrinic:
remarks: * * * * * * * * * * * * * * * * * * * * * * * * *
remarks: *                                       *
remarks: * This IP prefix will be reclaimed and  *
remarks: * returned to the free pool by AFRINIC  *
remarks: * on the 5th March 2021.                *
remarks: *                                       *
remarks: * For more information, please contact  *
remarks: * AFRINIC at hostmaster@afrinic.net     *
remarks: *                                       *
remarks: * * * * * * * * * * * * * * * * * * * * * * * * *
Would you care to share the said prefix?
Cheers,
Noah
I would encourage anyone who is not familiar with the full situation to read the recent history of AFRINIC events:
https://afrinic.net/ast/pdf/afrinic-whois-audit-report-full-20210121.pdf
https://afrinic.net/20200826-ceo-statement-on-ip-address-misappropriation
https://krebsonsecurity.com/2019/12/the-great-50m-african-ip-address-heist/
On Wed, Mar 17, 2021 at 2:09 AM Brian Turnbow via NANOG <nanog@nanog.org> wrote:
Hi Noah,
Would you care to share the said prefix?
This is the prefix we found associated with their name in the afrinic db.
inetnum: 169.239.204.0 - 169.239.207.255
Cheers,
Brian
participants (5)
- Brian Turnbow
- Daniel Karrenberg
- Eric Kuhnke
- Mel Beckman
- Noah