nanog mailing list archives

Re: an IP hijacking attempt


From: Brian Turnbow via NANOG <nanog () nanog org>
Date: Tue, 9 Mar 2021 19:13:17 +0000

If they had a route record that was close, I would give them the benefit of the doubt.
They do not, however, as the only records start with 217. And our IPs are 45.

So it is very strange. Would you send a LOA without a route record?


Brian Turnbow
________________________________
From: Mel Beckman <mel () beckman org>
Sent: Tuesday, 9 March 2021 19:17
To: Brian Turnbow
Cc: North American Network Operators' Group
Subject: Re: an IP hijacking attempt

It could just be a typo on the LOA. It seems unlikely any ISP would approve a forged LOA that could readily be debunked
by contacting the IP space owner. The whole point of LOAs is to facilitate this verification.

-mel via cell

On Mar 9, 2021, at 10:01 AM, Brian Turnbow via NANOG <nanog () nanog org> wrote:

Hello everyone,

We received a strange request that I wanted to share.
An email was sent to us asking to confirm a LOA from a diligent ISP.
The LOA was a request to open BGP for an AS, that is not ours, to announce a /23 prefix that is ours.
So basically this entity sent to their upstream a request to announce a prefix from one of our allocated ranges.
We have the allocation correctly registered and ROAs in place, but it is worrisome that someone would attempt this.
Obviously we have informed the ISP that the LOA is not valid and are trying to contact the originating party.
Aside from RIRs for the offending AS and our IPs, is there anywhere to report this type of activity?
We have dealt with hijacking technically speaking in the past but this is the first time, to my knowledge, of someone 
forging a LOA with our IPs.

Thanks in advance for any advice

Brian

P.S. a big thanks to Chris for checking the boxes before activating the filter if you are on the list!
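
As an added example (not part of the thread and not any poster's code), here is a sketch of the check an upstream could run on a LOA before opening a BGP filter: RFC 6811 route origin validation of the requested prefix and AS against published ROAs. The ROA table, prefixes, AS numbers and function names are constructed for illustration; real ROA data would come from an RPKI validator.

```python
import ipaddress

# Constructed sample ROAs (prefix, max length, authorised origin AS). The
# prefix is from the 198.18.0.0/15 benchmarking range and the AS numbers are
# from the documentation range; none of these values come from the thread.
SAMPLE_ROAS = [
    ("198.18.0.0/22", 23, 64500),
]

def rov_state(prefix, origin_as, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the requested prefix
        covered = True
        # AS0 in a ROA never validates a route; length must not exceed maxLength
        if roa_as == origin_as and roa_as != 0 and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid, not unknown
    return "invalid" if covered else "not-found"

def review_loa(prefix, origin_as, roas):
    """Decision an upstream could take on a LOA (hypothetical helper)."""
    state = rov_state(prefix, origin_as, roas)
    if state == "valid":
        return state, "ROA matches; still confirm the LOA with the address holder"
    if state == "invalid":
        return state, "ROA names another origin or length; reject and notify the holder"
    return state, "no covering ROA; confirm with the address holder before filtering"

if __name__ == "__main__":
    # Constructed LOA requests: the holder's AS, a foreign AS for the same /23,
    # a too-specific /24, and a prefix with no ROA at all.
    for pfx, asn in [("198.18.0.0/23", 64500), ("198.18.0.0/23", 64511),
                     ("198.18.0.0/24", 64500), ("198.19.0.0/23", 64511)]:
        print(pfx, f"AS{asn}", *review_loa(pfx, asn, SAMPLE_ROAS))
```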




