Tracing it back to the originator of the route is of course a good first
step.
I would send an FYI to the RIR that allocated the prefix; preferably
after the initial investigation established that it was not a genuine
mistake. In that message I would make very clear if any action is
requested from the RIR or not. If it is just an FYI the RIR will take
note of it, watch for trends and take it into account before doing
anything with the registration.
Just what I would do.

Daniel
(Full disclosure: I work for the RIPE NCC)

On 9 Mar 2021, at 18:58, Brian Turnbow via NANOG wrote:

Hello everyone,
We received a strange request that I wanted to share.
An email was sent to us asking to confirm a LOA from a diligent ISP.
The LOA was a request to open BGP for an AS, that is not ours, to
announce a /23 prefix that is ours.
So basically this entity sent to their upstream a request to announce
a prefix from one of our allocated ranges.
We have the allocation correctly registered and ROAs in place, but it
is worrisome that someone would attempt this.
Obviously we have informed the ISP that the LOA is not valid and are
trying to contact the originating party.
Aside from RIRs for the offending AS and our IPs, is there anywhere
to report this type of activity?
We have dealt with hijacking technically speaking in the past but this
is the first time, to my knowledge, of someone forging a LOA with our
IPs.
Thanks in advance for any advice
Brian
P.S. a big thanks to Chris for checking the boxes before activating
the filter if you are on the list!