Hey everybody, I run bgp.tools (and had an extremely busy alerting engine for a few minutes).

From what bgp.tools can see, it seems like they had a private ASN in the path like so:

```
2027 4220270000 6696 6939 42615 212232
```

This can be valid for a number of reasons (they might have been doing some homemade BGP confederation, for example), and I assume then that they had enabled some kind of private ASN filter that had not quite done what they expected.

I think what they are expecting was the part to look like this:

```
2027 6696 6939 42615 212232
```

However, the private AS stripping function instead did this, and sent it to their customers/collector feeds:

```
2027
```

This then obviously made everything look like a BGP origin hijack to all of the route collectors and alerting systems.

It's worth noting that bgp.tools saw this from more than MilkyWan directly, but also from what I can assume are their customers. But I don't see any indication this faulty routing information propagated anywhere else than that. (To sort of back up the response that Vincent has already provided us.)

Hope this provides some interesting insight, and maybe some future heads up :)

On Sun, Oct 22, 2023 at 10:04 PM Christopher Morrow <morrowc.li...@gmail.com> wrote:
>
> Hank, all exact match for prefix length? Or longer subnets covering the whole?
> (Is this leakage of an optimizer or possibly censorship leakage?)
>
> On Sun, Oct 22, 2023, 1:03 PM Olivier Benghozi <olivier.bengh...@wifirst.fr> wrote:
>>
>> Same stuff (with our ASN and our prefixes) detected here, coming from AS2027
>> (Milkywan), for a short time...
>>
>> On Sun, Oct 22, 2023 at 17:18, Hank Nussbacher <h...@efes.iucc.ac.il> wrote:
>>>
>>> We just had every single prefix in AS378 start being announced by AS2027.
>>>
>>> Every announcement by AS2027 is failing RPKI yet being propagated a bit.
>>> Is this yet another misbehaving device or an actual attack?
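
The stripping behaviour described in the message above, as an added example that is not part of the original thread and is not MilkyWan's or any vendor's code: it compares removing only the private ASNs with a truncating variant that yields the bare `2027` path, then runs RFC 6811 origin validation on both results. The truncating function is a hypothetical reconstruction of the fault, and the prefix and ROA are constructed sample values.

```python
import ipaddress

# Private-use ASN ranges from RFC 6996 (16-bit and 32-bit).
PRIVATE_RANGES = ((64512, 65534), (4200000000, 4294967294))

def is_private(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_RANGES)

def strip_private(path):
    """Expected result: drop only the private ASNs, keep the rest in order."""
    return [asn for asn in path if not is_private(asn)]

def strip_truncating(path):
    """Hypothetical faulty variant: stops at the first private ASN and loses
    everything behind it, which reproduces the path seen in the thread."""
    kept = []
    for asn in path:
        if is_private(asn):
            break
        kept.append(asn)
    return kept

def rov_state(prefix, origin, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, roa_origin, max_len in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if origin == roa_origin and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

# Path from the thread; prefix and ROA are constructed sample values.
OBSERVED = [2027, 4220270000, 6696, 6939, 42615, 212232]
SAMPLE_PREFIX = "192.0.2.0/24"
SAMPLE_ROAS = [("192.0.2.0/24", 212232, 24)]

def classify(path):
    """Return (origin ASN, ROV state); the origin is the rightmost ASN."""
    return path[-1], rov_state(SAMPLE_PREFIX, path[-1], SAMPLE_ROAS)

if __name__ == "__main__":
    for name, fn in (("expected", strip_private), ("faulty", strip_truncating)):
        path = fn(OBSERVED)
        print(name, path, classify(path))
```

With the truncated path the announcing AS becomes the apparent origin, so every covered prefix turns RPKI-invalid at once, which is the pattern collectors and alerting systems read as an origin hijack.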