Potential Prefix Hijack

Howdy,

We were hijacked as well, by 27664 16735

Our affected prefixes were:

94.46.0.0/16
194.88.142.0/23
194.11.23.0/24
82.102.0.0/18
195.246.238.0/23
194.107.127.0/24
81.92.192.0/19
193.227.238.0/23

We are trying to contact them in order to get some feedback, and some good explanation for this.

In the meanwhile, there is lots of evidence spread around (thanks to RIS RIPE, Routeviews, BGPmon and others)

http://www.ris.ripe.net/dashboard/27664
http://www.ris.ripe.net/dashboard/16735

In the meanwhile we are sending notices to the upstreams of those ASNs, in order for them to apply proper filtering to their downstream customers to avoid situations like this.

On the list I was able to find:

AS8167 - TELESC
AS6762 - SEABONE
AS12956 - TELEFONICA
AS3549 - GLOBAL CROSSING
AS17379 - Interlig

I welcome others to do the same, in order to avoid replicas for this situation.

Regards,

Hi!

> We were hijacked as well, by 27664 16735
>
> Our affected prefixes were:
>
> 94.46.0.0/16
> 194.88.142.0/23
> 194.11.23.0/24
> 82.102.0.0/18
> 195.246.238.0/23
> 194.107.127.0/24
> 81.92.192.0/19
> 193.227.238.0/23
>
> We are trying to contact them in order to get some feedback, and some good explanation for this.

They obviously were leaking full routing, are we all gonna announce 'my prefix was in there also?'

Bye,
Raymond.

Possibly silly question:

If a small ISP is leaking a full table and you cannot reach them, why not contact their upstreams?

Can't really check a router from here, but I saw (for instance) Verio mentioned. I am certain as2914 runs a 24/7 NOC and is responsive.

Hi!

> > We were hijacked as well, by 27664 16735
> >
> > Our affected prefixes were:
> >
> > 94.46.0.0/16
> > 194.88.142.0/23
> > 194.11.23.0/24
> > 82.102.0.0/18
> > 195.246.238.0/23
> > 194.107.127.0/24
> > 81.92.192.0/19
> > 193.227.238.0/23
> >
> > We are trying to contact them in order to get some feedback, and some good explanation for this.
>
> They obviously were leaking full routing, are we all gonna announce 'my
> prefix was in there also?'

  ACTUALLY............ They didn't hijack ALL my netblocks... I have 3. One was completely
untouched, 1 was only hijacked by 1 site, and the last was hijacked by 2 different sites. :)

      Tuc

Hi!

> > > 94.46.0.0/16
> > > 194.88.142.0/23
> > > 194.11.23.0/24
> > > 82.102.0.0/18
> > > 195.246.238.0/23
> > > 194.107.127.0/24
> > > 81.92.192.0/19
> > > 193.227.238.0/23
> > >
> > > We are trying to contact them in order to get some feedback, and some good explanation for this.
> >
> > They obviously were leaking full routing, are we all gonna announce 'my
> > prefix was in there also?'
>
> ACTUALLY............ They didn't hijack ALL my netblocks... I have 3. One was completely
> untouched, 1 was only hijacked by 1 site, and the last was hijacked by 2 different sites. :)

So their router had most likely a hard time and stuff was flapping, I see something like that in the BGPlay output also.

Bye,
Raymond.

That's not true, as not all our prefixes were hijacked nor leaked, since they were originating them. If they were leaking them you might be able to see further ASes on the AS-PATH, including the legitimate AS for originating those prefixes.

My point here is also about peers and upstreams to properly set filter or max-prefix settings to avoid those nasty things.

Am I seeing things in a blur way? Or this is supposed to happen as wind flows?

regards,

Hi!

> That's not true, as not all our prefixes were hijacked nor leaked, since they were originating them. If they were leaking them you might be able to see further ASes on the AS-PATH, including the legitimate AS for originating those prefixes.

We have seen issues like this also when a customer was leaking full routes, and his router was not able to cope with the BGP tables. This gave really really strange things, similar to here, some prefixes were there and some not. Completely random.

> Am I seeing things in a blur way? Or this is supposed to happen as wind flows?

Upstreams should filter things properly. That's a sure thing. OR max prefix limit customers like that....

Bye,
Raymond.
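The leak-versus-origination distinction argued in this thread can be checked mechanically from the AS path. The following is an added example, not code from any poster: AS64500 (documentation range) is an assumed stand-in for the legitimate origin, AS64510 is a hypothetical collector peer, and the sample paths are constructed.

```python
import ipaddress

# Assumption: AS64500 (documentation range) stands in for the legitimate
# origin; the thread never states the victims' own ASN.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("94.46.0.0/16"): 64500,
    ipaddress.ip_network("82.102.0.0/18"): 64500,
}
# ASes that should never carry these prefixes (the two named in the thread).
UNEXPECTED_TRANSIT = {27664, 16735}


def covering_entry(net):
    """Most specific registered prefix that covers net, or None."""
    hits = [(reg, asn) for reg, asn in EXPECTED_ORIGIN.items()
            if reg.version == net.version and net.subnet_of(reg)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)


def classify(prefix, as_path):
    """Label one observed announcement (prefix, space-separated AS path)."""
    net = ipaddress.ip_network(prefix)
    entry = covering_entry(net)
    if entry is None:
        return "unmonitored"
    registered, expected = entry
    path = [int(asn) for asn in as_path.split()]
    origin, transit = path[-1], set(path[:-1])
    if origin != expected:
        # Someone else originates our space: origination, not a leak.
        kind = "more-specific" if net.prefixlen > registered.prefixlen else "exact"
        return f"origin-hijack ({kind}) by AS{origin}"
    bad = sorted(transit & UNEXPECTED_TRANSIT)
    if bad:
        # Legitimate origin still ends the path: a re-advertised (leaked) route.
        return "leak-candidate via " + ", ".join(f"AS{a}" for a in bad)
    return "expected"


# Constructed sample observations, not real routing data.
SAMPLES = [
    ("94.46.0.0/16", "64510 27664 16735"),
    ("94.46.8.0/24", "64510 27664 16735"),
    ("82.102.0.0/18", "64510 27664 16735 64500"),
    ("82.102.0.0/18", "64510 64500 64500"),
]

if __name__ == "__main__":
    for prefix, path in SAMPLES:
        print(f"{prefix:16} {path:28} -> {classify(prefix, path)}")
```
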