Re: Spectrum prefix hijacks

[Christopher Morrow <morrowc.lists () gmail com>]

it looks like 203040 is a pure transit as (no originated prefixes) and 1103
- surfnet could squish what is your view anyway.

On Tue, Jan 2, 2018 at 9:29 PM, Christopher Morrow <morrowc.lists () gmail com>
wrote:

> On Tue, Jan 2, 2018 at 8:50 PM, James Milko <jmilko () gmail com> wrote:
>
> > Not sure if anyone from Spectrum is looking here at this hour, but someone
> > is hijacking a few of your prefixes.  It's causing problems in my area
> > (NC)
> > with reaching Google services.  I'm sure there are other impacts, but
> > that's what people are noticing.
> >
> > Sorry if this hits the list twice, I sent it from the wrong e-mail address
> > the first go round.
> >
> >  *   107.12.0.0/16    193.0.0.56                             0 3333 1103
> > 203040 10512 i
> >  *>                   103.247.3.45                           0 58511
> > 203040
> > 10512 i
> >  *   107.13.0.0/16    193.0.0.56                             0 3333 1103
> > 203040 10512 i
> >  *>                   103.247.3.45                           0 58511
> > 203040
> > 10512 i
> >  *   107.14.0.0/16    193.0.0.56                             0 3333 1103
> > 203040 10512 i
> >      Network          Next Hop            Metric LocPrf Weight Path
> >  *>                   103.247.3.45                           0 58511
> > 203040
> > 10512 i
> >  *   107.15.0.0/16    193.0.0.56                             0 3333 1103
> > 203040 10512 i
> >  *                    103.247.3.45                           0 58511
> > 203040
> > 10512 i
>
> E-Forex you say? shocker:
>
> AS      | BGP IPv4 Prefix     | AS Name
> 10512   | 102.164.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 102.194.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 103.116.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 106.128.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 106.129.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 106.130.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 106.131.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 107.12.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 107.13.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 107.14.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 107.15.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 14.5.0.0/16         | EFOREX-AS - E-FOREX, US
> 10512   | 147.17.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 180.237.0.0/16      | EFOREX-AS - E-FOREX, US
> 10512   | 42.183.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.185.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.186.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.187.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.188.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.189.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.190.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.191.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.192.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.193.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.194.0.0/16       | EFOREX-AS - E-FOREX, US
> 10512   | 42.195.0.0/16       | EFOREX-AS - E-FOREX, US
>
> I'm going to guess they are hijacking a bunch of space and sending spam?
> (the 42/8 space is variously telecom malaysia and china unicom)
> the 102 space is un-allocated afrnic space... probably no good these folk
> are up to.