Re: Spectrum prefix hijacks

[James Milko <jmilko () gmail com>]

The output I dumped was from route-views.routeviews.org.  On affected
prefes you get 7843->6453->nothing unaffected prefixes get
7843->6453->15169.  Unaffected prefixes don't have more specifics from
10512.  My sample size is only 8 though with a mix of affected and
unaffected users.

JM

On Tue, Jan 2, 2018 at 9:30 PM, Christopher Morrow <morrowc.lists () gmail com>
wrote:

> it looks like 203040 is a pure transit as (no originated prefixes) and
> 1103 - surfnet could squish what is your view anyway.
>
> On Tue, Jan 2, 2018 at 9:29 PM, Christopher Morrow <
> morrowc.lists () gmail com> wrote:
>
> > On Tue, Jan 2, 2018 at 8:50 PM, James Milko <jmilko () gmail com> wrote:
> >
> > > Not sure if anyone from Spectrum is looking here at this hour, but
> > > someone
> > > is hijacking a few of your prefixes.  It's causing problems in my area
> > > (NC)
> > > with reaching Google services.  I'm sure there are other impacts, but
> > > that's what people are noticing.
> > >
> > > Sorry if this hits the list twice, I sent it from the wrong e-mail
> > > address
> > > the first go round.
> > >
> > >  *   107.12.0.0/16    193.0.0.56                             0 3333 1103
> > > 203040 10512 i
> > >  *>                   103.247.3.45                           0 58511
> > > 203040
> > > 10512 i
> > >  *   107.13.0.0/16    193.0.0.56                             0 3333 1103
> > > 203040 10512 i
> > >  *>                   103.247.3.45                           0 58511
> > > 203040
> > > 10512 i
> > >  *   107.14.0.0/16    193.0.0.56                             0 3333 1103
> > > 203040 10512 i
> > >      Network          Next Hop            Metric LocPrf Weight Path
> > >  *>                   103.247.3.45                           0 58511
> > > 203040
> > > 10512 i
> > >  *   107.15.0.0/16    193.0.0.56                             0 3333 1103
> > > 203040 10512 i
> > >  *                    103.247.3.45                           0 58511
> > > 203040
> > > 10512 i
> >
> > E-Forex you say? shocker:
> >
> > AS      | BGP IPv4 Prefix     | AS Name
> > 10512   | 102.164.0.0/16      | EFOREX-AS - E-FOREX, US
> > 10512   | 102.194.0.0/16      | EFOREX-AS - E-FOREX, US
> > 10512   | 103.116.0.0/16      | EFOREX-AS - E-FOREX, US
> > 10512   | 106.128.0.0/16      | EFOREX-AS - E-FOREX, US
> > 10512   | 106.129.0.0/16      | EFOREX-AS - E-FOREX, US
> > 10512   | 106.130.0.0/16      | EFOREX-AS - E-FOREX, US
> > 10512   | 106.131.0.0/16      | EFOREX-AS - E-FOREX, US
> > 10512   | 107.12.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 107.13.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 107.14.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 107.15.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 14.5.0.0/16         | EFOREX-AS - E-FOREX, US
> > 10512   | 147.17.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 180.237.0.0/16      | EFOREX-AS - E-FOREX, US
> > 10512   | 42.183.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 42.185.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 42.186.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 42.187.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 42.188.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 42.189.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 42.190.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 42.191.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 42.192.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 42.193.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 42.194.0.0/16       | EFOREX-AS - E-FOREX, US
> > 10512   | 42.195.0.0/16       | EFOREX-AS - E-FOREX, US
> >
> > I'm going to guess they are hijacking a bunch of space and sending spam?
> > (the 42/8 space is variously telecom malaysia and china unicom)
> > the 102 space is un-allocated afrnic space... probably no good these folk
> > are up to.