nanog mailing list archives

Re: BGP Hijack/Sickness with AS4637


From: Job Snijders <job () instituut net>
Date: Thu, 31 May 2018 18:36:36 +0000

On Thu, May 31, 2018 at 02:40:06PM +0000, Job Snijders wrote:
Upon further inspection, it seems more likely that the bgp optimiser is
in ColoAU's network. Given the scale of AS 4637, if it were deployed
inside Telstra I'd expect more problem reports. AS 4637 may actually
just be an innocent bystander.

It is interesting to note that the /23 only appears on their Sydney-based
routers on https://lg.coloau.com.au/

Is ColoAU's refusal to cooperate a matter of misunderstanding? Perhaps
you should just straight up ask whether they use any type of "network
optimisation" appliance.

I found a few more interesting routes inside ColoAU's looking glass:

128.10.4.0/24 - AS_PATH 63956 4637 3257 29909 16532 16532 16532 16532
                (should be 128.10.0.0/16 originated by AS 17, Purdue
                University)

192.54.130.0/24 - AS path: 135069 9439
                                (does not exist in the DFZ, a peering lan prefix? a typo?)

67.215.73.0/24 - AS path: 2764 1221 36692
                                (does not exist in the DFZ, a peering lan prefix? a typo?)

ColoAU propagated the above routes to their transit customers, so the
128.10.4.0/24 and 18.29.238.0/23 announcements definitely count as BGP
hijacks with a fabricated AS_PATH.

Kind regards,

Job

