nanog mailing list archives

Re: BGP hijack: 64.68.207.0/24 from as133955


From: Sandra Murphy <sandy () tislabs com>
Date: Wed, 4 Oct 2017 14:32:08 -0400

Not to respond to my own post, or anything.  But.

Another interesting thing.

bgp.he.net reports show that AS133955 is/was also announcing 69.172.127.0/24 "WiMore S.r.l.".  bgp.he.net shows a red 
key icon on that origination, meaning that there’s an RPKI ROA that does not match that origination.  And bgp.he.net 
reports an RADB route object with a proxy registration for AS133955 to originate 69.172.127.0/24, registered on 9/25 
like the three prefixes below.

RADB still reports that route object (along with a very old one).

route: 69.172.127.0/24
descr: Fleg Asia Telecom Ltd
Proxy-registered route object
origin: AS133955
notify: ipbb-apol () aptg com tw
mnt-by: MAINT-AS17709
changed: kiayang () aptg com tw 20170925 #00:31:36Z
source: RADB

route: 69.172.64.0/18
descr: Canaca-Com Inc
descr: 1650 Dundas Street East Unit 203
descr: Mississauga, Ontario
descr: CA
origin: AS33139
mnt-by: MNT-CANAC
changed: peering () canaca com 20100624
source: ARIN

stats.ripe.net shows 69.172.127.0/24 is presently being announced - "Originated by: AS133955 (valid route object in 
RADB)", "100% visible (by 157 of 157 RIS full peers)"

The RPKI says that AS34526 (WiMore S.r.l.) is authorized to originate 69.172.96.0/19.  But the aggregate prefix is not 
being announced.  If the AS133955 origination is valid, they really ought to update their ROA.

Hm. I am curious about that prefix.  Is it being hijacked?  Or am I just reading everything wrong?

—Sandy

On Oct 4, 2017, at 1:45 PM, Sandra Murphy <sandy () tislabs com> wrote:


On Oct 4, 2017, at 11:29 AM, Theodore Baschak <theodore () ciscodude net> wrote:

I noticed when I looked into both of these leaks 3 hours after Clinton's
message yesterday that I couldn't see them in any of the looking glasses I
was looking in (including the NLNOG looking glass)

Looks like things were able to be cleaned up very quickly.

Interesting.

bgp.he.net is still reporting AS133955 as the originator of 64.68.207.0/24.  I don’t know what their refresh cycle is.

And, oh look, bgp.he.net points to an RADB proxy registration for the AS133955 origination.  RADB no longer reports 
that route object.  But it must have been there at some point.

RADB
route:      64.68.207.0/24
descr:      Fleg Asia Telecom Ltd
            Proxy-registered route object
origin:     AS133955
notify:     ipbb-apol () aptg com tw
mnt-by:     MAINT-AS17709
changed:    kiayang () aptg com tw 20170830  #05:45:57Z
source:     RADB

stat.ripe.net (bless you, RIPE!) shows that 64.68.207.0/24 has been originated by AS133955 off and on for the last 
month (since the RADB route object’s change date?) in the BGP Update Activity and Routing History graphs.  And a huge 
flurry of activity yesterday.

Could I be reading all this wrong?  Seems to have been going on for quite a while.

—Sandy

P.S.  The other three prefixes mentioned below show similar results in bgp.he.net, with route objects proxy 
registered on 9/25, and similar results in stats.ripe.net, with off-and-on announcements, more off than on for these, 
closely timed with the route object registration. 

Theodore Baschak - AS395089 - Hextet Systems
https://bgp.guru/ - https://hextet.net/
http://mbix.ca/ - http://mbnog.ca/

On Tue, Oct 3, 2017 at 6:29 PM, Clinton Work <clinton () scripty com> wrote:

TELUS AS852 has three address blocks hijacked by AS133955 as well.   We
have not been able to get in contact with AS24155.  It looks like they
are buying transit from PCCW AS3491 and Taiwan Internet Gateway AS9505.

68.182.255.0/24
74.49.255.0/24
96.1.255.0/24


On Tue, Oct 3, 2017, at 10:30 AM, Mark Jeftovic wrote:

as133955 is broadcasting a bogus BGP announcement for our netblock
64.68.207.0/24

It's in China, and we're trying to contact as24155 but they are also in
China and we're just emailing their whois record address.

If you're nearby and in a position to block/dampen that might be helpful.

Thx

- mark

--
Mark Jeftovic <markjr () easydns com>
Founder & CEO, easyDNS Technologies Inc.
http://www.easyDNS.com
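As an added example, not part of the thread and not code from bgp.he.net, RIPEstat or RADB, here is the check Sandy does by hand in the two messages above: RFC 6811 route origin validation of an announcement against a set of ROAs, plus a small parser for RPSL route objects of the kind quoted from RADB, so that an IRR origin claim can be put next to the RPKI result. The ROA is the one she reports (AS34526 authorised for 69.172.96.0/19); its maxLength is not given in the thread and is assumed to be 19 here, and 64.68.207.0/24 is assumed to have no ROA at all. The RADB text in the block is a constructed copy of the objects quoted in the thread.

```python
"""RFC 6811 route origin validation plus a minimal RPSL route-object parser.

Added example for the NANOG thread above; ROA maxLength and the absence of a
ROA for 64.68.207.0/24 are assumptions, and RADB_TEXT is a constructed copy
of the route objects quoted in the thread.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class RpkiState(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not_found"


@dataclass(frozen=True)
class Roa:
    prefix: str        # e.g. "69.172.96.0/19"
    max_length: int    # longest prefix length the ROA authorises
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int


def validate_origin(ann: Announcement, roas: Iterable[Roa]) -> RpkiState:
    """Route Origin Validation as in RFC 6811.

    A ROA covers an announcement when the ROA prefix contains the announced
    prefix. No covering ROA -> NotFound. Among covering ROAs, Valid if any one
    has the same origin AS and a maxLength no shorter than the announced
    prefix length; otherwise Invalid (wrong origin or too specific)."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return RpkiState.NOT_FOUND
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return RpkiState.VALID
    return RpkiState.INVALID


def parse_route_objects(text: str) -> List[Announcement]:
    """Parse blank-line separated RPSL 'route:' objects into origin claims.

    Lines without a colon (such as a wrapped 'Proxy-registered route object'
    continuation) are ignored; only the first value of a repeated key is kept."""
    claims = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        if "route" in attrs and "origin" in attrs:
            origin = attrs["origin"].upper()
            asn = int(origin[2:] if origin.startswith("AS") else origin)
            claims.append(Announcement(attrs["route"], asn))
    return claims


# ROA reported in the thread. maxLength is assumed (not stated in the thread).
ROAS = [Roa("69.172.96.0/19", 19, 34526)]

# Constructed copy of the proxy-registered RADB objects quoted in the thread.
RADB_TEXT = """\
route: 69.172.127.0/24
descr: Fleg Asia Telecom Ltd
Proxy-registered route object
origin: AS133955
mnt-by: MAINT-AS17709
source: RADB

route: 64.68.207.0/24
descr: Fleg Asia Telecom Ltd
Proxy-registered route object
origin: AS133955
mnt-by: MAINT-AS17709
source: RADB
"""


def compare_irr_with_rpki(irr_text: str,
                          roas: Iterable[Roa]) -> List[Tuple[str, int, RpkiState]]:
    """For each IRR origin claim return (prefix, origin ASN, RPKI state).
    A route object only records that someone (here a proxy maintainer)
    registered the claim; the RPKI state is the authoritative signal."""
    return [(c.prefix, c.origin_asn, validate_origin(c, roas))
            for c in parse_route_objects(irr_text)]


if __name__ == "__main__":
    for prefix, asn, state in compare_irr_with_rpki(RADB_TEXT, ROAS):
        print(f"{prefix} origin AS{asn}: IRR route object present, RPKI {state.value}")
```

Running it gives Invalid for 69.172.127.0/24 from AS133955 (the red key on bgp.he.net) and NotFound for 64.68.207.0/24, where the only evidence either way is the proxy route object. Note that with the assumed maxLength of 19 the /24 is Invalid even when AS34526 itself announces it; the ROA would need a maxLength of 24 (or a separate /24 ROA) for that to validate, which is the "update their ROA" point in the thread.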