So I set up BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix. Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything is announcing
correctly.
I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it. Any
other recommendations?
Is there a way I can verify what they are announcing just to make sure they
are still doing it?
Here is the alert for reference:
Your prefix: 8.37.93.0/24:
Update time: 2014-04-02 18:26 (UTC)
Detected by #peers: 2
Detected prefix: 8.37.93.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
I received a similar notification about one of our prefixes also a few
minutes ago. I couldn't find a looking glass for AS4761 or AS4651. But I
also couldn't hit the websites for either AS, either.
If you contact bgpmon support you may be able to get some more in-depth
information. I've contacted them before with alerts like those and they
were able to give me specific date, time, ASN and interface information
about the peering points that received the announcements; that might
help make what you present to the suspect party more likely to be acted upon.
Same here. I got an alert for two prefixes. Same origin AS, same AS path
for one of them: 18356 9931 4651 4761, but a different one for the
other: 18356 38794 4651 4761.
You can check RIPEstat's BGP looking-glass:
This combines the result of 13 RIPE RIS route collectors.
A minute ago I saw the INDOSAT announcement at 2 locations (Amsterdam, Frankfurt) from 3 out of 101 peers, but it seems to have stopped just now.
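Added example, not part of the thread or any poster's code: one way to turn collector observations like the ones described above into a check for unexpected origins, including more-specifics and prepended paths. The collector names, the expected origin AS64500 (a documentation ASN standing in for the real owner) and every sample row except the first AS path are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Monitored prefix from the alert; AS64500 is a placeholder origin, not from the thread.
MONITORED = {"8.37.93.0/24": 64500}

# Constructed observations: (collector, prefix, AS path).
# Row 1 uses an AS path quoted in the thread; row 2 is the thread's other
# path with a constructed prepend; the rest are constructed.
SAMPLE = [
    ("rrc-a", "8.37.93.0/24", "18356 9931 4651 4761"),
    ("rrc-a", "8.37.93.0/24", "18356 38794 4651 4761 4761"),
    ("rrc-b", "8.37.93.0/24", "64496 64500"),         # legitimate origin
    ("rrc-b", "8.37.93.128/25", "64497 4651 4761"),   # more-specific
    ("rrc-b", "192.0.2.0/24", "64496 64499"),         # unrelated prefix
]

def origin_and_upstream(as_path):
    """Return (origin, upstream) from a space-separated AS path, skipping prepends."""
    hops = [int(h) for h in as_path.split() if h.isdigit()]  # ignores AS_SET tokens
    if not hops:
        return None, None
    origin = hops[-1]
    upstream = next((h for h in reversed(hops) if h != origin), None)
    return origin, upstream

def find_foreign_origins(observations, monitored):
    """Map (prefix, origin, upstream, kind) -> collectors that saw a wrong origin."""
    nets = {ipaddress.ip_network(p): asn for p, asn in monitored.items()}
    findings = defaultdict(set)
    for collector, prefix, as_path in observations:
        seen = ipaddress.ip_network(prefix)
        origin, upstream = origin_and_upstream(as_path)
        for net, expected in nets.items():
            if seen.version != net.version or not seen.subnet_of(net):
                continue
            if origin is not None and origin != expected:
                kind = "same-prefix" if seen == net else "more-specific"
                findings[(str(seen), origin, upstream, kind)].add(collector)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for (pfx, origin, up, kind), where in find_foreign_origins(SAMPLE, MONITORED).items():
        print(f"{pfx} origin AS{origin} via AS{up} [{kind}] seen at {where}")
```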
This seems to be occurring to many; I have two of my prefixes being
announced by the same ASes, and I have confirmation from several others who
are seeing this as well.
I can confirm that Indosat appears to be hijacking many prefixes.
HE 6939 is one of the networks picking it up and distributing it
further. Here's an example for a Syrian prefix:
I can't make any contact with Indosat (website non-responsive / email queuing). This is what I have back from Aware Corp. AS18356 (first AS in the path):
I can confirm that we are seeing your prefixes as advertised by AS4761, via one of our upstreams CAT AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
We (Aware Corporation - AS18356) operate a BGPMon PeerMon node which is probably why you are seeing this alert from our AS.
It is likely that your hijacked prefixes are being advertised to all of CAT's customers.
I suggest contacting AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID) directly for resolution as there is little we can do as a stub AS.