nanog mailing list archives
Re: an IP hijacking attempt
From: Paul Emmons <paul () emmons mx>
Date: Tue, 9 Mar 2021 14:17:25 -0700
RPKI can be very useful to mitigate an attempt. I used to process IP LOAs all the time. I never saw a RR attached but usually we did a check against the RIR just to make sure (because we made access-list per interface as well)
On 3/9/2021 1:42 PM, Mel Beckman wrote:
Not everyone uses RRs, and there is also the possibility that their upstream would register it. Having an RR doesn’t seem definitive either way. I can see reasons to wait on the RR until ready to receive traffic.

-mel via cell

On Mar 9, 2021, at 11:14 AM, Brian Turnbow <b.turnbow () twt it> wrote:

If they had a route record that was close, I would give them the benefit of doubt. They do not however as the only records start with 217. And our IPs are 45.
So it is very strange. Would you send a LOA without a route record?

Brian Turnbow

------------------------------------------------------------------------
*From:* Mel Beckman <mel () beckman org>
*Sent:* Tuesday, 9 March 2021 19:17
*To:* Brian Turnbow
*Cc:* North American Network Operators' Group
*Subject:* Re: an IP hijacking attempt

It could just be a typo on the LOA. It seems unlikely any ISP would approve a forged LOA that could readily be debunked by contacting the IP space owner. The whole point of LOAs is to facilitate this verification.

-mel via cell

> On Mar 9, 2021, at 10:01 AM, Brian Turnbow via NANOG <nanog () nanog org> wrote:
>
> Hello everyone,
>
> We received a strange request that I wanted to share.
> An email was sent to us asking to confirm a LOA from a diligent ISP.
> The LOA was a request to open BGP for an AS, that is not ours, to announce a /23 prefix that is ours.
> So basically this entity sent to their upstream a request to announce a prefix from one of our allocated ranges.
> We have the allocation correctly registered and ROAs in place, but it is worrisome that someone would attempt this.
> Obviously we have informed the ISP that the LOA is not valid and are trying to contact the originating party.
> Aside from RIRs for the offending AS and our IPs, is there anywhere to report this type of activity?
> We have dealt with hijacking technically speaking in the past but this is the first time, to my knowledge, of someone forging a LOA with our IPs.
>
> Thanks in advance for any advice
>
> Brian
>
> P.S. a big thanks to Chris for checking the boxes before activating the filter if you are on the list!
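The thread mentions ROAs and RPKI as a check on a questionable LOA. The following is an added example, not part of any message in the thread: an upstream's LOA intake step that applies RFC 6811 origin validation to the prefix and AS named in the LOA. The prefix, AS numbers, the `review_loa` policy and its return strings are constructed assumptions; a real deployment would load VRPs from its RPKI validator.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """One validated ROA payload: prefix, maxLength, authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample: benchmarking prefix (RFC 2544) and documentation ASNs (RFC 5398).
SAMPLE_VRPS = [VRP("198.18.4.0/22", 23, 64500)]


def origin_validation(prefix: str, origin_asn: int, vrps) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this VRP does not cover the route
        covered = True
        # AS0 in a ROA means "never originate", so it can never match.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def review_loa(prefix: str, requested_asn: int, vrps) -> str:
    """Hypothetical intake policy for an LOA asking to originate `prefix`."""
    state = origin_validation(prefix, requested_asn, vrps)
    if state == "valid":
        return "roa-matches: continue with normal LOA checks"
    if state == "invalid":
        return "reject: holder's ROA does not authorise this AS; contact the holder"
    return "no-roa: verify with the registered holder via RIR contact data"


if __name__ == "__main__":
    for pfx, asn in [("198.18.4.0/23", 64500), ("198.18.4.0/23", 64511),
                     ("198.18.4.0/24", 64500), ("198.18.8.0/23", 64511)]:
        print(pfx, f"AS{asn}", "->", review_loa(pfx, asn, SAMPLE_VRPS))
```

A matching ROA only shows that the holder authorised that origin AS; it does not authenticate the LOA document itself, so the holder confirmation described in the thread still applies.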