RPKI can be very useful to mitigate an attempt.
I used to process IP LOAs all the time. I never saw an RR attached, but
usually we did a check against the RIR just to make sure (because we
made access-lists per interface as well).
On 3/9/2021 1:42 PM, Mel Beckman wrote:
Not everyone uses RRs, and there is also the possibility that their
upstream would register it. Having an RR doesn’t seem definitive
either way. I can see reasons to wait on the RR until ready to
receive traffic.
-mel via cell
On Mar 9, 2021, at 11:14 AM, Brian Turnbow <b.turn...@twt.it> wrote:
If they had a route record that was close, I would give them the
benefit of the doubt.
They do not, however, as the only records start with 217. And our IPs
are 45.
So it is very strange. Would you send a LOA without a route record?
Brian Turnbow
------------------------------------------------------------------------
*From:* Mel Beckman <m...@beckman.org>
*Sent:* Tuesday, 9 March 2021 19:17
*To:* Brian Turnbow
*Cc:* North American Network Operators' Group
*Subject:* Re: an IP hijacking attempt
It could just be a typo on the LOA. It seems unlikely any ISP would
approve a forged LOA that could readily be debunked by contacting the
IP space owner. The whole point of LOAs is to facilitate this
verification.
-mel via cell
> On Mar 9, 2021, at 10:01 AM, Brian Turnbow via NANOG <nanog@nanog.org> wrote:
>
> Hello everyone,
>
> We received a strange request that I wanted to share.
> An email was sent to us asking to confirm a LOA from a diligent ISP.
> The LOA was a request to open BGP for an AS, that is not ours, to announce a /23 prefix that is ours.
> So basically this entity sent to their upstream a request to announce a prefix from one of our allocated ranges.
> We have the allocation correctly registered and ROAs in place, but it is worrisome that someone would attempt this.
> Obviously we have informed the ISP that the LOA is not valid and are trying to contact the originating party.
> Aside from RIRs for the offending AS and our IPs, is there anywhere to report this type of activity?
> We have dealt with hijacking technically speaking in the past but this is the first time, to my knowledge, of someone forging a LOA with our IPs.
>
> Thanks in advance for any advice
>
> Brian
>
> P.S. a big thanks to Chris for checking the boxes before activating the filter if you are on the list!
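
Added example, not part of the thread or any poster's code: a sketch of route origin validation as defined in RFC 6811, showing why the ROAs mentioned above make an announcement of the /23 by a different AS come out invalid, and why space with no ROA falls back to the LOA check alone. The prefixes and AS numbers are constructed (private address space and documentation ASNs), not the ones from the incident.

```python
"""Route origin validation (RFC 6811) over a constructed ROA set."""
import ipaddress
from typing import NamedTuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class VRP(NamedTuple):
    """Validated ROA payload: prefix, maxLength and authorised origin AS."""
    prefix: Network
    max_length: int
    asn: int


# Constructed data: private address space and documentation ASNs stand in
# for the real allocation and for the AS named on the forged LOA.
OWNER_AS = 64500
OTHER_AS = 64511
VRPS = [VRP(ipaddress.ip_network("10.45.0.0/22"), 23, OWNER_AS)]


def validate_origin(route_prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        # A VRP covers the route when the route lies inside the VRP prefix.
        if vrp.prefix.version != route.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True
        # AS0 in a ROA never matches any origin.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered but no match is invalid; no covering ROA leaves the route
    # not-found, where the LOA check is the only control.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for prefix, asn in [
        ("10.45.0.0/23", OWNER_AS),   # holder's own announcement
        ("10.45.2.0/23", OTHER_AS),   # the /23 announced by a different AS
        ("10.45.0.0/24", OWNER_AS),   # more specific than maxLength allows
        ("10.99.0.0/23", OTHER_AS),   # space with no ROA at all
    ]:
        print(f"{prefix:15} AS{asn}: {validate_origin(prefix, asn)}")
```

An upstream that drops invalid routes would reject the second announcement regardless of what the LOA says; the fourth case is the one where verifying the LOA with the address holder remains the only safeguard.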