nanog mailing list archives

Re: odd hijack

From: Michael.Dillon () btradianz com
Date: Fri, 10 Nov 2006 13:13:15 +0000

 My question to the community is,
what kind of misconfiguration could cause this set of prefixes to be
announced?

11.0.0.0/8
12.0.0.0/7
121.0.0.0/8
122.0.0.0/7
124.0.0.0/7
126.0.0.0/8
128.0.0.0/3

etc ...

This looks to me like some large multinational leaked
their internal announcements to an ISP. It is not unusual
for large companies to use random unregistered /8 blocks
in their internal networks. There are all kinds of 
applications that need to talk across networks which do
not need any Internet connectivity or any direct
connectivity to general use workstations. This network
traffic would normally be hidden inside some kind of
VPN on the same infrastructure as other corporate 
traffic.

So to answer your question, first look for all the ways
that a misconfiguration could allow routing information
to leak out of some flavor of VPN.

--Michael Dillon

Current thread:

Re: odd hijack, (continued)
- Re: odd hijack Hank Nussbacher (Nov 09)
  - Re: odd hijack Josh Karlin (Nov 09)
    - Re: odd hijack Hank Nussbacher (Nov 10)
    - Re: odd hijack steve (Nov 10)
    - Re: odd hijack Nick Feamster (Nov 10)
    - Re: odd hijack Randy Bush (Nov 10)
    - Re: odd hijack Josh Karlin (Nov 10)
    - Re: odd hijack Randy Bush (Nov 10)
    - Re: odd hijack Nick Feamster (Nov 10)
  - Re: odd hijack Nick Feamster (Nov 10)
- Re: odd hijack Michael . Dillon (Nov 10)