hijacking of 128.255.192.0/22

Something apparently in Brazil is hijacking 128.255.192.0/22, part of 128.255.0.0/16 which is held by the University of Iowa. AS 263971 is announcing 128.255.192.0/22 which Hurricane Electric is accepting & propagating. None of that has any authorization.

I can't find any decent contact information for the originating entity, so I have reported it to abuse@he.net, but it'd be fabulous if some HE folks listening here could whack the hijacking faster than the abuse channels will get to it. Also useful would be some functional contact for AS263971.

Any help will be appreciated.

Hi Jay,

Please note that there is a Lacnog mailing list. I will forward your
message. Not sure if it will work, but worth giving it a try.

Regards,

Alejandro,

A reason to de-aggregate down to /24s, to make hijacks more
difficult/less effective?

/kc

> A reason to de-aggregate down to /24s, to make hijacks more difficult/less
> effective?

Or perhaps something less costly for everyone: a reason for HE to implement
prefix-based EBGP filters?

At any given moment there appear to be roughly 5500 prefixes in HE’s
customer cone for which no attestation can be found in any of IRR, RPKI or
WHOIS. I find this deeply concerning.

Kind regards,

Job

I contacted the company and forwarded this email to them.

Best regards, João Butzke.

Hello,

Someone in Lacnog privately told me this:

aut-num:     AS263971
owner:       FaleMais Comunicações LTDA
responsible: Paulo Henrique Mem Pereira
owner-c:     LEVAL5
routing-c:   LEVAL5
abuse-c:     LEVAL5
created:     20150831
changed:     20150831
inetnum:     138.255.192.0/22
inetnum:     2804:28a0::/32
inetnum:     170.254.76.0/22

Regards,

Alejandro

You are pointing out that 138.255.192.0/22 is the likely cause of the hijack of 128.255.192.0/22, right?

(No need to be privately told - that’s straight from the LACNIC Whois)

—Sandy

Looks like this incident didn't start today. I show it starting back on
2/22 at 00:31:38 UTC. It then persisted till 3/19 where it started to
get withdrawn by most peers. It wasn't until 3/20 at 19:10:10 UTC when
it was globally withdrawn from all peers that were advertising it.

I'll be like Job and plug monitoring. Had FaleMais and/or University of
Iowa been monitoring their own prefixes as well as what they advertised
(originate in this case), this could have been stopped when it started
almost a month ago.

--Tim
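Job's point about checking announcements against an attestation source and Tim's point about monitoring your own prefixes both come down to the same check, route origin validation (RFC 6811). The following is an added example, not code from anyone in this thread; the ROA table is constructed, and AS64500 (a documentation ASN) stands in for the University of Iowa's real origin ASN, which the thread does not give. The prefixes and AS263971 are from the thread.

```python
"""Route Origin Validation (RFC 6811) over a constructed BGP snapshot."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str      # covering prefix
    max_length: int  # longest prefix the origin may announce under it
    asn: int         # authorised origin ASN


# Constructed ROA table (assumption): the /16 holder authorises only the
# placeholder AS64500 to originate anything between /16 and /22.
ROAS = [ROA("128.255.0.0/16", 22, 64500)]


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'notfound' as defined in RFC 6811 section 2."""
    net = ip_network(prefix)
    # A ROA covers a route when the route's prefix lies inside the ROA prefix.
    covering = [r for r in roas if net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "notfound"      # no ROA speaks to this prefix at all
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"           # covered, but wrong origin or too long a prefix


# Constructed snapshot of observed (prefix, origin ASN) pairs, as a route
# monitor would collect them from a collector or a peer session.
OBSERVED = [
    ("128.255.0.0/16", 64500),      # legitimate covering announcement
    ("128.255.192.0/22", 263971),   # the hijack discussed in the thread
    ("138.255.192.0/22", 263971),   # AS263971's own registered /22 (no ROA)
]


def classify_all(observed=OBSERVED, roas=ROAS) -> dict:
    """Map 'prefix ASn' to its ROV state; what a prefix filter would act on."""
    return {f"{p} AS{a}": validate(p, a, roas) for p, a in observed}


def unexpected_origins(observed=OBSERVED, roas=ROAS) -> list:
    """Monitoring view: announcements under a ROA-covered block that fail ROV."""
    return [(p, a) for p, a in observed if validate(p, a, roas) == "invalid"]


if __name__ == "__main__":
    for route, state in classify_all().items():
        print(f"{route}: {state}")
```

Note the caveat for the de-aggregation idea raised earlier in the thread: announcing your own /24s under a ROA whose maxLength is 22 makes those announcements RPKI-invalid too, so the ROA must be updated before splitting.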

Can someone from HE comment on how they are doing their filtering? We often see our routes leaked by them or their customers and it’s quite the problem and significantly contributes to the pollution in the routing table.

Often friends and smaller providers come to me for help and the lack of filtering as well as BGP communities poses significant operational issues for networks.

Jared Mauch