AS 54271

As of this morning, I am seeing BGP from AS 54271

*> 62.77.196.0/22 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 62.77.254.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 81.17.184.0/22 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 81.17.190.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 82.131.196.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 82.131.198.0/24 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 82.131.248.0/21 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.64.0/22 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.70.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.72.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.78.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.82.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.96.0/23 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.99.0/24 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i

This ASN has not been assigned to any RIR. Is this a bogon, or does
anyone know of a legitimate reason for this?

Regards
Marshall

Maybe someone mistyped "65271"? Which is still bad, but not as bad (IMHO).

Patrick W. Gilmore wrote:

As of this morning, I am seeing BGP from AS 54271

Maybe someone mistyped "65271"? Which is still bad, but not as bad
(IMHO).

Interestingly, AS54271 is the last # of an unassigned block:

46080-47103 Assigned by ARIN whois.arin.net 2008-03-27
47104-48127 Assigned by RIPE NCC whois.ripe.net 2008-04-07
48128-54271 Unassigned
54272-64511 Reserved by the IANA
64512-65534 Designated for private use (Allocated to the IANA)
65535 Reserved

http://www.iana.org/assignments/as-numbers

F.

Marshall Eubanks wrote:

As of this morning, I am seeing BGP from AS 54271

*> 62.77.196.0/22 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i

I would be willing to bet that the IP netblocks being advertised are
unallocated (or, unused within an allocated block). In the past, before
botnets were so common, spammers would often hijack unused netblocks,
advertise routes to them, flood spam from them, then the routes would
disappear, making it impossible to track the spammers.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

those prefixes all have ripe route object with origin AS 20922

all the routes I see for a given prefix look like the following:

   2914 1299 12301 8696 20922 54271
     129.250.0.171 from 129.250.0.171 (129.250.0.12)
       Origin IGP, metric 1, localpref 100, valid, external
       Community: 2914:420 2914:2000 2914:3000 65504:1299

   2497 3257 12301 8696 20922 54271
     202.232.0.2 from 202.232.0.2 (202.232.0.2)
       Origin IGP, localpref 100, valid, external

   7660 2516 3257 12301 8696 20922 54271
     203.181.248.168 from 203.181.248.168 (203.181.248.168)
       Origin IGP, localpref 100, valid, external
       Community: 2516:1030

etc...

Marshall Eubanks wrote:

This IP space is from Bahrain 89.148.0.0/19 but somehow has ended up in Hungary from an unknown owner. Definitely looks suspicious in my book.

Manolo

Joel Jaeggli wrote:

Wouldn't it be better to ask the folks in Hungary (AS20922) who are peering
with this site?

One side, I'd buy the typo. Both sides, mutual typos are a little more
difficult.

Not that conspiracy theories are all that much fun, but I'm finding the
one-sided mistake hard to believe. Either that or the folks at AS20922
haven't figured out that an open bgp peer isn't a great idea! :)

Scott

Scott Morris wrote:

Wouldn't it be better to ask the folks in Hungary (AS20922) who are peering
with this site?

These are or appear to be all 20922's prefixes...

54271 is a stub from my vantage points that only appears from behind 20992.

One side, I'd buy the typo. Both sides, mutual typos are a little more
difficult.

looks more like a lack of clue. off-hand I'd hazard that only one party is involved.

interestingly, before july 7th these prefixes were originating from another
private as - 65501, until sometime that day routes were withdrawn from 65501
and began being announced from 54271...
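
The check done by hand in this thread, as an added example that is not part of any post: parse a "show ip bgp" style line and flag every ASN in the path that falls in an unassigned, reserved or private range, using only the IANA ranges quoted earlier in the thread (a 2008 snapshot). The names `QUOTED_RANGES`, `classify` and `audit` are hypothetical, and the parser assumes the column layout seen in the first post (metric and weight present, LocPrf empty).

```python
import re

# 16-bit ASN ranges exactly as quoted from the IANA registry in the thread
# (2008 snapshot); ASNs below 46080 are not covered by that excerpt.
QUOTED_RANGES = [
    (46080, 47103, "assigned"),      # ARIN
    (47104, 48127, "assigned"),      # RIPE NCC
    (48128, 54271, "unassigned"),
    (54272, 64511, "reserved"),      # IANA
    (64512, 65534, "private"),
    (65535, 65535, "reserved"),
]
BOGON = {"unassigned", "reserved", "private"}

# Assumed layout: status, prefix, next hop, metric, weight, AS path, origin code.
ROUTE_RE = re.compile(
    r"^\*>\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+(?P<nexthop>\d+(?:\.\d+){3})"
    r"\s+(?P<metric>\d+)\s+(?P<weight>\d+)\s+(?P<path>\d+(?:\s+\d+)*)\s+[ie?]$"
)

def classify(asn):
    """Status of an ASN according to the quoted excerpt only."""
    for lo, hi, status in QUOTED_RANGES:
        if lo <= asn <= hi:
            return status
    return "not-in-excerpt"

def audit(line):
    """Return (prefix, origin_asn, [(asn, status), ...]) or None if unparsable."""
    m = ROUTE_RE.match(line.strip())
    if m is None:
        return None
    path = [int(tok) for tok in m.group("path").split()]
    seen, findings = set(), []
    for asn in path:                 # prepends (3549 3549 3549) are reported once
        status = classify(asn)
        if status in BOGON and asn not in seen:
            seen.add(asn)
            findings.append((asn, status))
    return m.group("prefix"), path[-1], findings

SAMPLE = [
    # copied from the first post in the thread
    "*> 62.77.196.0/22 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 54271 i",
    # constructed: same path with the private origin AS mentioned in the last post
    "*> 62.77.196.0/22 38.101.161.116 6991 0 174 3549 3549 3549 12301 8696 20922 65501 i",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(audit(line))
```

A production filter would load the current IANA registry rather than this excerpt, since the ranges have changed since the thread was written.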