Potential Prefix Hijack

Hi all.

Anyone know how we can contact AS16735 and their upstream
AS27664. We think they are hijacking a number of our
prefixes (AS24218- and AS17992-originated). Thanks BGPmon:

e.g.,

Have you tried CERT-BR? Uh... I was about to say "they're usually very
responsive, and good at coordinating this sort of thing." And then their
web site failed to load, because the prefix it's in is flapping. Hm.

Fred, you still awake?

                                -Bill

Mark Tinka wrote:

> Hi all.
>
> Anyone know how we can contact AS16735 and their upstream AS27664. We think they are hijacking a number of our prefixes (AS24218- and AS17992-originated). Thanks BGPmon:

All 19 of my prefixes for AS57, AS217 and AS1998 are being hijacked by the same ASN. I sent a note to the ASN contact adrianamr@CTBCTELECOM.NET.BR. I can't seem to contact lacnic for more than a few queries without being blacked out.

Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP

% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

% LACNIC resource: whois.lacnic.net

% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2008-11-11 00:51:09 (BRST -02:00)

aut-num: AS16735
owner: Companhia de Telecomunicacoes do Brasil Central
ownerid: BR-CTBC1-LACNIC
responsible: Adriana Maria Rocha Paula
address: Av João Pinheiro, 620, Centro
address: 38400-126 - Uberlândia - MG
country: BR
phone: +34 3256 2575 [2575]
owner-c: AMP
routing-c: AMP
abuse-c: AMP
created: 20000605
changed: 20040415

nic-hdl: AMP
person: Adriana Maria Rocha Paula
e-mail: adrianamr@CTBCTELECOM.NET.BR
address: Rua José Alves Garcia, 415,
address: 38400710 - Uberlândia -
country: BR
phone: +34 3256 2575 [2575]
created: 20040628
changed: 20040628

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

> Hi all.
>
> Anyone know how we can contact AS16735 and their upstream
> AS27664. We think they are hijacking a number of our
> prefixes (AS24218- and AS17992-originated). Thanks BGPmon:

Mine too -

94.228.64.0/20
89.200.216.0/21
193.34.28.0/23

Except I see it as AS16735: (47998 is me)

        BGP routing table entry for 94.228.64.0/20
        Paths: (3 available, best #3, table Default-IP-Routing-Table)
          Advertised to non peer-group peers:
          193.0.0.71
          27664 16735
            200.219.130.21 from 200.219.130.21 (200.160.127.255)
              Origin IGP, localpref 100, valid, external
              Last update: Tue Nov 11 02:54:12 2008

          19089 12956 5511 8928 47998
            200.219.130.10 from 200.219.130.10 (200.225.95.3)
              Origin IGP, localpref 100, valid, external
              Community: 12956:65535
              Last update: Mon Nov 10 18:40:54 2008

          22548 16735
            200.160.0.130 from 200.160.0.130 (200.160.0.137)
              Origin IGP, localpref 100, valid, external, best
              Last update: Tue Nov 11 02:51:57 2008

RIPE's RIS BGPlay confirms the same, for about the last
hour.

yep since 2am GMT.

  C.

Yes, we contacted them as well. We still have IP
reachability to them from this end.

Cheers,

Mark.

Same problems here, for AS26028
Stefan

Obvious, since I posted about it earlier, but confirmed here as well. Has
anyone made contact with these guys? I have yet to...

I sent e-mails to the AS contacts, but don't expect that to do much in the
middle of the night. No live person at the phone numbers. I can't even
get their web site to come up, although if they're re-routing the entire BGP
table internally, go figure. :)

BGPMon's a great thing though!

Somebody's been bad tonight.

Scott

More contact people here:
http://www.bovespa.com.br/Companies/FormConsultaImpressao.asp?CodCVM=21032

If I knew someone (readily available) who spoke Portuguese I would call them, but alas, they are sleeping and not technical.

Frank

I've just contacted (after three looong hours waiting...) and forwarded
those e-mails to them. Hope that helps ...

Can someone confirm that the issue is still happening? Maybe a show
bgp something would help me talk to them.

We too saw this issue.

2008-11-11 01:56:36 GMT they took over one of our /20's ...

Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Tel: +353 (0) 59 9183072
Lo-call: 1850 929 929
DDI: +353 (0) 59 9183091

e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

Blacknight Internet Solutions Ltd,
Unit 12A,Barrowside Business Park,
Sleaty Road,
Graiguecullen,
Carlow,
Ireland

Company No.: 370845

> > Anyone know how we can contact AS16735 and their upstream
> > AS27664. We think they are hijacking a number of our
> > prefixes (AS24218- and AS17992-originated).
>
> Have you tried CERT-BR? Uh... I was about to say "they're usually very
> responsive, and good at coordinating this sort of thing." And then their
> web site failed to load, because the prefix it's in is flapping. Hm.
>
> Fred, you still awake?
>
>                                 -Bill

  Odd, we were just hijacked too, one match to the same AS:

Prefix: 64.193.164.0/24
AS Path: 27664 16735
Seen by Route Collector: 15
Peer IP: 200.219.130.21
Peer AS Number: 27664
Timestamp (GMT): 1:56, Nov 11 2008

  And a match from other AS's

Prefix: 192.136.64.0/24
AS Path: 22548 16735
Seen by Route Collector: 15
Peer IP: 200.160.0.130
Peer AS Number: 22548
Timestamp (GMT): 1:59, Nov 11 2008

Prefix: 64.193.164.0/24
AS Path: 22548 16735
Seen by Route Collector: 15
Peer IP: 200.160.0.130
Peer AS Number: 22548
Timestamp (GMT): 1:56, Nov 11 2008

      Tuc

Hi Bill,

> > Anyone know how we can contact AS16735 and their upstream
> > AS27664. We think they are hijacking a number of our
> > prefixes (AS24218- and AS17992-originated).
>
> Have you tried CERT-BR? Uh... I was about to say "they're usually very
> responsive, and good at coordinating this sort of thing." And then their
> web site failed to load, because the prefix it's in is flapping. Hm.
>
> Fred, you still awake?

Not at the time of the event :(

AFAIK the event was local to CTBC (AS16735) and their customers. This
is our case and as we host RRC15 at PTTMetro São Paulo, and feed it
with a full routing BGP feed it triggered the reports from bgpmon [1].

CTBC is still pending to explain the event,

>                                 -Bill

Fred

[1] Blog | BGPmon

Hello,

As several people have already observed here, AS 16735 announced
almost the whole Internet last night to two of its peers (AS 27664,
174213 routes and AS 22548, 111231 routes). These routes were not
propagated to the global Internet--and as Frederico A C Neves has
confirmed, it was a localized event.

For more detail on what happened, see Frederico's post [0] and the
BGPMon site's summary [1]. We also have a slightly more detailed
analysis here [2].

-Martin

[0] http://www.merit.edu/mail.archives/nanog/msg12813.html
[1] http://bgpmon.net/blog/?p=80
[2] http://www.renesys.com/blog/2008/11/brazil-leak-if-a-tree-falls-in.shtml

--
Martin A. Brown --- Renesys Corporation --- mabrown@renesys.com

Dear Fellows,

I would like to add some information to this thread from AS27664's perspective.

Both AS27664 (CTBC Multimídia) and AS22548 (Nic.br) share two common points:
1. They are IP transit customers from AS16735 (CTBC Telecom).
2. They feed the RIS/RIPE project located at PTTMetro-SP, Brazil (rrc15)
with a full BGP routing table.

I checked all BGP updates of 2008111[01] from Route Views Archive
Project [1] and looked for prefixes originated by AS16735. I compared
those with the prefixes officially allocated by Registro.br to AS16735
[2] and did not find any case of prefixes from a different AS. This
analysis confirms that yesterday's AS16735 issue of IP prefix
hijacking was not globally propagated.

It seems that only some of AS16735's Internet customers (like AS27664 and
AS22548) were affected by this problem.

Regards,
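
The comparison used throughout this thread, checking the origin AS of each observed route against the origins the prefix holder expects, as an added example that is not part of any poster's message. The /20, AS47998 and the first three AS paths are quoted from the thread; the other rows, the table layout and the function names are constructed for illustration, and the check is extended to more-specific announcements inside a monitored prefix.

```python
import ipaddress

# Prefix -> legitimate origin ASNs. 94.228.64.0/20 and AS47998 are from the
# thread; a real table would come from your own allocation records.
EXPECTED = {"94.228.64.0/20": {47998}}

# (prefix, AS path) as seen at a collector. The first three paths are the ones
# quoted in the thread; the last two rows are constructed.
OBSERVED = [
    ("94.228.64.0/20", "27664 16735"),
    ("94.228.64.0/20", "19089 12956 5511 8928 47998"),
    ("94.228.64.0/20", "22548 16735"),
    ("94.228.70.0/24", "22548 16735"),   # constructed: more-specific of the /20
    ("192.0.2.0/24", "64500 64501"),     # constructed: not a monitored prefix
]

def _asn(token):
    """Plain ASN as int, or None for anything else (e.g. an AS_SET in braces)."""
    return int(token) if token.isdigit() else None

def origin_as(as_path):
    """The right-most hop of the AS path is the origin."""
    hops = as_path.split()
    return _asn(hops[-1]) if hops else None

def classify(prefix, as_path, expected):
    """Return (status, origin, peer_as) for one observed route."""
    net = ipaddress.ip_network(prefix)
    hops = as_path.split()
    origin = origin_as(as_path)
    peer = _asn(hops[0]) if hops else None   # left-most hop: collector's peer
    for exp_prefix, origins in expected.items():
        exp = ipaddress.ip_network(exp_prefix)
        if net.version != exp.version or not net.subnet_of(exp):
            continue
        if origin in origins:
            return ("ok", origin, peer)
        kind = "exact" if net == exp else "more-specific"
        return ("mismatch-" + kind, origin, peer)
    return ("unmonitored", origin, peer)

def scan(observed, expected):
    """Collect every monitored route whose origin is not an expected one."""
    rows = [(p,) + classify(p, path, expected) for p, path in observed]
    return [r for r in rows if r[1].startswith("mismatch")]

if __name__ == "__main__":
    for alert in scan(OBSERVED, EXPECTED):
        print("%s %s origin=AS%s via peer AS%s" % alert)
```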