BGPMON Alert Questions

So I set up BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix. Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything is announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it. Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure they
are still doing it?

Here is the alert for reference:

Your prefix: 8.37.93.0/24:

Update time: 2014-04-02 18:26 (UTC)

Detected by #peers: 2

Detected prefix: 8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath: 18356 9931 4651 4761

I just received the same exact notification -- same AS announcing one of my
blocks.

I received a similar notification about one of our prefixes also a few
minutes ago. I couldn't find a looking glass for AS4761 or AS4651. But I
also couldn't hit the websites for either AS, either.

Frank

I have received those for two prefixes so far.

Same origin+transit

Br,
Tolli

I just got the same thing.

If you contact bgpmon support you may be able to get some more in-depth
information. I've contacted them before with alerts like those and they
were able to give me specific date, time, ASN and interface information
about the peering points that received the announcements; that might
help make what you present to the suspect party more likely to be acted upon.

Same here for one of my /21s. Origin of AS4761 through AS4651.

~Seth

Lol, and two minutes after I replied to you, I got the same alert about
the same AS with two of my prefixes.

I just got the same alert for one of my prefixes one minute ago.

Same alert for me on two of my prefixes. Still looking into it.

Same here. I got an alert for two prefixes. Same origin AS, same AS path
for one of them: 18356 9931 4651 4761, but a different one for the
other: 18356 38794 4651 4761.

I'm seeing the same hijack of prefixes by multiple networks under my watch, at 18:40 UTC and 19:06 UTC.

-- Stephen

Sadly, it doesn't look like this is the first for Indosat either:
January 14th, 2011
http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222

You can check RIPEstat's BGP looking-glass:

This combines the result of 13 RIPE RIS route collectors.

A minute ago I saw the INDOSAT announcement at 2 locations (Amsterdam, Frankfurt) from 3 out of 101 peers, but it seems to have stopped just now.

-- Rene
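
One way to automate the check asked about above once route-collector data is in hand, as an added example that is not part of the original thread. The two hijack AS paths are the ones quoted in this thread; AS64500 (a documentation ASN standing in for the prefix owner's real origin), the collector and peer names, and the remaining routes are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: prefix we originate -> ASNs allowed to originate it.
# AS64500 is a documentation ASN used as a placeholder for the real owner.
EXPECTED = {ipaddress.ip_network("8.37.93.0/24"): {64500}}

# Constructed observations: (collector, peer, prefix, AS path).
# The first two paths are quoted in the thread; everything else is made up.
OBSERVED = [
    ("rrc-a", "peer1", "8.37.93.0/24", "18356 9931 4651 4761"),
    ("rrc-a", "peer2", "8.37.93.0/24", "18356 38794 4651 4761"),
    ("rrc-b", "peer3", "8.37.93.0/24", "64511 64500 64500"),
    ("rrc-b", "peer4", "8.37.93.128/25", "64510 4651 4761"),
    ("rrc-b", "peer5", "192.0.2.0/24", "64510 64509"),
]

def classify(prefix, as_path, expected=EXPECTED):
    """Return (verdict, origin, upstream) for one observed route."""
    net = ipaddress.ip_network(prefix)
    hops = [int(a) for a in as_path.split()]
    origin = hops[-1]  # the origin AS is the rightmost hop
    # Skip prepending: the upstream is the nearest hop that differs from the origin.
    upstream = next((a for a in reversed(hops) if a != origin), None)
    for mine, origins in expected.items():
        if net.version == mine.version and net.subnet_of(mine):
            if origin in origins:
                return ("ok", origin, upstream)
            kind = "origin-mismatch" if net == mine else "more-specific"
            return (kind, origin, upstream)
    return ("unrelated", origin, upstream)

def summarize(observed=OBSERVED):
    """Map (origin, upstream) -> set of (collector, peer) that saw a bad route."""
    seen = defaultdict(set)
    for collector, peer, prefix, path in observed:
        verdict, origin, upstream = classify(prefix, path)
        if verdict in ("origin-mismatch", "more-specific"):
            seen[(origin, upstream)].add((collector, peer))
    return dict(seen)

if __name__ == "__main__":
    for (origin, upstream), peers in summarize().items():
        collectors = {c for c, _ in peers}
        print(f"AS{origin} via AS{upstream}: {len(peers)} peers at {len(collectors)} collectors")
```

The per-collector peer count is the same kind of figure reported above ("2 locations ... 3 out of 101 peers") and is useful evidence to attach when contacting the origin or its upstream.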

This seems to be occurring to many, I have two of my prefixes being
announced by the same ASes, and I have confirmation from several others who
are seeing this as well.

Chris

... and same here.

Indosat looks now to have developed a solid experience in BGP prefix hijack mess (last time was in 2011).

Olivier

bgpmon has tweeted that "We're currently observing a large hijack event.
Indosat AS4761 originating many prefixes not assigned to them."

Let's hope that AS4651 can quickly apply filters.

Frank

I can confirm that indosat appears to be hijacking many prefixes.
HE 6939 is one of the networks picking it up and distributing it
further. Here's an example for a Syrian prefix:

http://portal.bgpmon.net/data/indosat-hijack.png

Seeing the same here for a /21. This seems to have happened before with
AS4761? See http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/
from January 2011.

Snap, announcing a few of our /21s and a /23. Seems they did something similar a few years ago: http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/

I can't make any contact with Indosat (website non-responsive / email queuing). This is what I have back from Aware Corp. AS18356 (first AS in the path):

I can confirm that we are seeing your prefixes as advertised by AS4761, via one of our upstreams CAT AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
We (Aware Corporation - AS18356) operate a BGPMon PeerMon node which is probably why you are seeing this alert from our AS.
It is likely that your hijacked prefixes are being advertised to all of CAT's customers.
I suggest contacting AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID) directly for resolution as there is little we can do as a stub AS.

Regards,
Lee.