BGPMON Alert Questions

Hi All,

I am a network admin for Aware Corporation AS18356 (Thailand), as
mentioned in the alert.
We operate a BGPMon PeerMon node on our network, which peers with the
BGPMon service as a collector.

It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
prefixes and CAT (Communications Authority of Thailand AS4651) is not
filtering them,
hence they are announced to us and are triggering these BGPMon alerts.

I have had several mails to our NOC about this already and have responded
directly to those.
I suggest contacting Indosat directly to get this resolved.
AS18356 is a stub AS, so we are not actually advertising these learned
hijacked prefixes to anyone but BGPMon for data collection purposes.

Thanks.

Regards,

Andrew Ashley

Office: +27 21 673 6841
E-mail: andrew.a@aware.co.th
Web: www.aware.co.th

route-views4 / 64.25.208.71 has seen updates that contain a large number of
prefixes at time 1396464452 (04 / 02 / 14 @ 6:47:32pm UTC) with path
[20225, 6939, 4761]

full prefixes list: http://pastebin.com/Eu4ePgp4

Is it normal for a single update to contain such a large amount of NLRI info?

yeah you're seeing the impact of a pretty broad prefix injection

indosat's upstream filters seem to be working for the most part.

Just got the same for 5 of my prefixes.

Another 5 of ours just got hit.

Anyone have any ideas on what will be done about it?

Based on the image they tweeted, I don't think they are doing much
filtering; the Syrian prefix was spread to a number of countries and AS. If
you have good US connectivity the impact seems limited due to better AS
Paths winning, but for less well connected prefixes I'm assuming it's more
up in the air.

Bob

Yes, I too have alerts for some of our prefixes from the same offending
origin 4761

On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change
event for your prefix (66.201.48.0/20 slash 20 bottom of nor cal)
The detected prefix: 66.201.48.0/20, was announced by AS4761
(INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Alert description: Origin AS Change
Detected Prefix: 66.201.48.0/20
Detected Origin AS: 4761
Expected Origin AS: 26803

Bob Evans
CTO
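
The origin-AS check behind an alert like the one quoted above, as an added example that is not part of the original thread and is not BGPMon's code. The prefix, expected origin, and AS numbers come from the thread; the update list, the more-specific /24, and the function names are constructed for illustration, and AS paths are assumed to be flat lists with the origin last.

```python
import ipaddress

# Monitored prefix and its expected origin AS, as stated in the alert.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("66.201.48.0/20"): 26803,
}

# Constructed sample updates. The path [20225, 6939, 4761] is the one reported
# from route-views4; pairing it with these prefixes is an assumption.
SAMPLE_UPDATES = [
    {"as_path": [20225, 6939, 4761], "nlri": ["66.201.48.0/20"]},
    {"as_path": [20225, 6939, 4761], "nlri": ["66.201.50.0/24"]},   # more-specific
    {"as_path": [20225, 6939, 26803], "nlri": ["66.201.48.0/20"]},  # legitimate origin
    {"as_path": [20225, 6939, 4761], "nlri": ["198.51.100.0/24"]},  # not monitored
]


def covering_entry(prefix, expected):
    """Return (monitored_prefix, origin) for the longest monitored prefix
    that covers `prefix`, or None if nothing monitored covers it."""
    best = None
    for net, origin in expected.items():
        if net.version == prefix.version and prefix.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, origin)
    return best


def detect_origin_changes(updates, expected=EXPECTED_ORIGINS):
    """Flag announcements whose origin AS differs from the expected one.
    More-specifics of a monitored prefix are checked too, since they win
    on longest-prefix match regardless of AS path length."""
    alerts = []
    for upd in updates:
        if not upd["as_path"]:
            continue  # no path, so no origin to compare
        origin = upd["as_path"][-1]
        for text in upd["nlri"]:
            prefix = ipaddress.ip_network(text)
            entry = covering_entry(prefix, expected)
            if entry is None:
                continue
            monitored, expected_origin = entry
            if origin != expected_origin:
                kind = "origin-change" if prefix == monitored else "more-specific"
                alerts.append((kind, str(prefix), origin, expected_origin))
    return alerts
```
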

I have someone from cat.net.th on the phone and he doesn't speak a lot of English and I don't speak any Thai..... He knew what indosat was and their AS number. He further stated he got my email (never told him who I was), but he said he would be replying ASAP. We only had one /24 announced by indosat.

James Laszko
Mythos Technology Inc

I called into +66 2104-2374

James Laszko
Mythos Technology Inc

They have advertised all of ours now.

Saw this as well on my blocks.

Is this malicious or did someone redistribute all of bgp with bad upstream
filtering?

Where did you get that number?

aut-num: AS4761
as-name: INDOSAT-INP-AP
descr: INDOSAT Internet Network Provider
descr: Internet Network Access Point in INDONESIA
country: ID
admin-c: IH151-AP
tech-c: DA205-AP
mnt-by: MAINT-ID-INDOSAT-INP
changed: hostmaster@indosat.com 20081006
source: APNIC

person: Dewi Amalia
nic-hdl: DA205-AP
e-mail: dewi.amalia@indosat.com
address: PT INDOSAT
address: JL. Medan Merdeka Barat 21
address: Jakarta Pusat
phone: +62-21-30444066
fax-no: +62-21-30001073
country: ID
changed: dewi.amalia@indosat.com 20080117
mnt-by: MAINT-ID-INDOSAT-INP
source: APNIC

person: INDOSAT INP Hostmaster
nic-hdl: IH151-AP
e-mail: hostmaster@indosat.com
address: PT Indosat
address: Jl. Medan Merdeka Barat 21
address: Jakarta Pusat
phone: +62-21-30444066
fax-no: +62-21-30001073
country: ID
changed: hostmaster@indosat.com 20120104
mnt-by: MAINT-ID-INDOSAT-INP
source: APNIC

Bob Evans
CTO

Three of ours just got jacked. I have tried to contact via email for update / fix of their end.

-Mike

Same here:

I emailed hostmaster@indosat.com a little over an hour ago, and no response
as yet. Anyone having luck making contact with Indosat themselves?

Contacted ip.tac@indosat.com about this, I urge others to do the same.

--Aris

We are getting multiple alerts for a mix of our and customers' prefixes.

Could someone from HE tell if they started filtering yet?

Erik Bais

I think that was a number for CAT, AS4651.

~Seth

They perfectly re-advertized all mine. Looks like a huge mistake. And still
ongoing.

Although this was nice to see:

I got a bounce from Indosat saying:

"Dear Senders,

Thank you for your email, started March,1st 2012 email address for
correspondence with Indosat IP Support & All Support INP will be change and
not active with detail information as follows :
1. Correspondence and complain handling for Indosat Corporate customers
(INP, IDIA and INIX services) please kindly address to :
corporatesolution@indosat.com (Service Desk MIDI Indosat Corporate Solution)
2. Correspondence and coordination for upstream and peering purpose please
kindly address to : SNOCIPSurv@indosat.com (SNOC IP Surveillance)
Thank you for your kind cooperation and understanding.
Indosat IP Support"

Perhaps the "SNOC IP Surveillance" address is better?

For CAT Thailand, the contact details I have are:

NOC call center
CAT Telecom
Tel: 66 2 104 2382
FAX: 66 2 104 2281
e-mail: cusserv@cattelecom.com

As someone mentioned, English may be an issue, especially at this time of
the morning over there.

Regards,

Andrew Ashley

Office: +27 21 673 6841

E-mail: andrew.a@aware.co.th

Web: www.aware.co.th