BGP hijack: 64.68.207.0/24 from as133955

as133955 is broadcasting bogus BGP announcement for our netblock
64.68.207.0/24

It's in China, and we're trying to contact as24155 but they are also in
China and we're just emailing their whois record address.

If you're nearby and in a position to block/dampen that might be helpful.

Thx

- mark

TELUS AS852 has three address blocks hijacked by AS133955 as well. We
have not been able to get in contact with AS24155. It looks like they
are buying transit from PCCW AS3491 and Taiwan Internet Gateway AS9505.

68.182.255.0/24
74.49.255.0/24
96.1.255.0/24

I noticed when I looked into both of these leaks 3 hours after Clinton's
message yesterday that I couldn't see them in any of the looking glasses I
was looking in (including the NLNOG looking glass).

Looks like things were able to be cleaned up very quickly.

Theodore Baschak - AS395089 - Hextet Systems
https://bgp.guru/ - https://hextet.net/
http://mbix.ca/ - http://mbnog.ca/

Interesting.

bgp.he.net is still reporting AS133955 as the originator of 64.68.207.0/24. I don’t know what their refresh cycle is.

And, oh look, bgp.he.net points to an RADB proxy registration for the AS133955 origination. RADB no longer reports that route object. But it must have been there at some point.

RADB
route: 64.68.207.0/24

descr: Fleg Asia Telecom Ltd
            Proxy-registered route object
origin: AS133955
notify: ipbb-apol@aptg.com.tw
mnt-by: MAINT-AS17709
changed: kiayang@aptg.com.tw 20170830 #05:45:57Z
source: RADB

stat.ripe.net (bless you, RIPE!) shows that 64.68.207.0/24 has been originated by AS133955 off and on for the last month (since the RADB route object’s change date?) in the BGP Update Activity and Routing History graphs. And a huge flurry of activity yesterday.

Could I be reading all this wrong? Seems to have been going on for quite a while.

—Sandy

P.S. The other three prefixes mentioned below show similar results in bgp.he.net, with route objects proxy registered on 9/25, and similar results in stats.ripe.net, with off-and-on announcements, more off than on for these, closely timed with the route object registration.

Not to respond to my own post, or anything. But.

Another interesting thing.

bgp.he.net reports show that AS133955 is/was also announcing 69.172.127.0/24 "WiMore S.r.l.". bgp.he.net shows a red key icon on that origination, meaning that there’s an RPKI ROA that does not match that origination. And bgp.he.net reports a RADB route object with a proxy registration for AS133955 to originate 69.172.127.0/24, registered on 9/25 like the three prefixes below.

RADB still reports that route object (along with a very old one)

route: 69.172.127.0/24
descr: Fleg Asia Telecom Ltd
Proxy-registered route object
origin: AS133955
notify: ipbb-apol@aptg.com.tw
mnt-by: MAINT-AS17709
changed: kiayang@aptg.com.tw 20170925 #00:31:36Z
source: RADB

route: 69.172.64.0/18
descr: Canaca-Com Inc
descr: 1650 Dundas Street East Unit 203
descr: Mississauga, Ontario
descr: CA
origin: AS33139
mnt-by: MNT-CANAC
changed: peering@canaca.com 20100624
source: ARIN

stats.ripe.net shows 69.172.127.0/24 is presently being announced - "Originated by: AS133955 (valid route object in RADB)”, "100% visible (by 157 of 157 RIS full peers)"

The RPKI says that AS34526 (WiMore S.r.l.) is authorized to originate 69.172.96.0/19. But the aggregate prefix is not being announced. If the AS133955 origination is valid, they really ought to update their ROA.

Hm. I am curious about that prefix. Is it being hijacked? Or am I just reading everything wrong?

—Sandy
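The red key / "valid route object in RADB" contrast in the thread is the difference between an IRR lookup and RFC 6811 RPKI origin validation. The following is an added example (not code from the thread or from any of the tools named in it) that runs both checks over the announcements discussed above; the ROA maxLength of 19 and the IRR table are constructed to mirror the thread, not fetched from RADB or the RPKI.

```python
"""Origin validation (RFC 6811) versus an IRR route-object lookup.

Added example. ROAS and IRR_ROUTES are constructed from what the thread
states; the ROA maxLength is an assumption the thread does not give.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # prefix the ROA authorizes
    max_length: int  # most specific announcement the ROA permits
    origin_as: int   # AS allowed to originate it


# Constructed ROA set: thread says AS34526 (WiMore) holds a ROA for
# 69.172.96.0/19; maxLength 19 is assumed (aggregate only).
ROAS = [Roa("69.172.96.0/19", 19, 34526)]

# Constructed IRR view: the RADB proxy-registered route objects quoted above.
IRR_ROUTES = {("64.68.207.0/24", 133955), ("69.172.127.0/24", 133955)}


def _covers(roa: Roa, announced: ipaddress._BaseNetwork) -> bool:
    """True if the ROA prefix is the same or a less specific prefix."""
    net = ipaddress.ip_network(roa.prefix)
    return net.version == announced.version and net.supernet_of(announced)


def rpki_state(announced_prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one (prefix, origin) pair."""
    ann = ipaddress.ip_network(announced_prefix)
    covering = [r for r in roas if _covers(r, ann)]
    if not covering:
        return "unknown"   # no ROA covers the prefix; RPKI says nothing
    for r in covering:
        if r.origin_as == origin_as and ann.prefixlen <= r.max_length:
            return "valid"
    return "invalid"       # covered, but wrong origin or too specific


def irr_state(announced_prefix: str, origin_as: int) -> str:
    """An IRR route object only records that someone registered the pair."""
    return "route object" if (announced_prefix, origin_as) in IRR_ROUTES else "none"


def assess(announced_prefix: str, origin_as: int) -> dict:
    return {"prefix": announced_prefix, "origin": origin_as,
            "irr": irr_state(announced_prefix, origin_as),
            "rpki": rpki_state(announced_prefix, origin_as)}


if __name__ == "__main__":
    for p, o in [("69.172.127.0/24", 133955), ("64.68.207.0/24", 133955),
                 ("69.172.96.0/19", 34526), ("69.172.127.0/24", 34526)]:
        print(assess(p, o))
```

The 69.172.127.0/24 announcement passes the IRR check yet is RPKI-invalid, which is exactly the red key bgp.he.net shows; 64.68.207.0/24 comes back "unknown" because no ROA covers it, so RPKI alone cannot flag that hijack.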