nanog mailing list archives

Re: AS3266: BitCanal hijack factory, courtesy of many connectivity providers


From: Fredrik Korsbäck <hugge () nordu net>
Date: Tue, 10 Jul 2018 22:00:41 +0200

On 2018-07-09 17:24, Fredrik Korsbäck wrote:
On 2018-07-06 21:18, Tom Paseka via NANOG wrote:
Hi,

I've been casually observing the connectivity to Bitcanal / AS3266 /
AS197426 since the thread started.

After GTT shared that Bitcanal had been disconnected, Bitcanal was only
visible behind Cogent. But the Cogent path now also seems to have been
disconnected. After Cogent they popped up behind BICS (but just for a few
days); that circuit seems to have been disconnected too.

On the IX front: I noticed that Bitcanal's IP addresses on LINX (since
yesterday) and FranceIX (since today) are no longer responding.

It is good to see that discussing BGP hijacking abuse complaints actually
results in clean up activities. I hope the remaining IX's they're still
connected to can act too.

Thanks!
-Tom


And it also seems that they are now no longer reachable over the AMS-IX fabric (and are no longer listed as a member).

I also noticed that they are not reachable over the Megaport/ECIX fabric in Frankfurt either (no ARP or ping reply) but
are listed as a member on the Megaport website, so not sure what's going on there.

The only routes I can see now for 3266/197426 are two /24 v4 and one /29 v6 that jump on over to Portugal through 1299
(telia) -> 174 (cogent) -> 29003 (refertelecom / iptelecom).



And now it also seems that NANOG contributor Doug over at Dyn has done a complete wrap-up of the thing and he has
highlighted all the important aspects of this incident in a very educative manner.

https://dyn.com/blog/shutting-down-the-bgp-hijack-factory/

Thanks for this Doug!

I will bring this post up with my NOC and L2 teams since I think these types of incidents will become as common as
regular spam in the future...

-- 
hugge

