To: Peter Rocca
Cc: nanog@nanog.org
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Hi List,
this morning our BGPmon system picked up many new more specific announcements
by a variety of Origin ASns, the interesting part is that the majority of them
were classified as BGP Man In The midd
Hi List,
this morning our BGPmon system picked up many new more specific
announcements by a variety of Origin ASns, the interesting part is that
the majority of them were classified as BGP Man In The middle attacks
(MITM).
A typical alert would look like:
Hi Randy,
Assuming that your prefix is 198.98.180.0/22 (AS29889 - FSNET-1 - Fast
Serv Networks, LLC) none of the mentioned more specifics are currently
seen from the RIPE NCC's RIS network, see the Looking Glass widget:
https://stat.ripe.net/198.98.180.0/23#tabId=routing
https://stat.ripe.net/198
We are AS 10326 130.215.0.0/16 and I just received a BGPmon alert as
well:
130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326
130.215.176.0/20 4795 4795 4761 9304 40633 18978 4436 10326
On Thu, Mar 26, 2015 at 10:45:09AM -0400, Christopher Morrow wrote:
> On Thu, Mar 26, 2015 at 10:43 AM
Same here. These Indosat guys can't seem to catch a break =/
On 3/26/2015 午後 11:43, Peter Rocca wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being
advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9
Hi,
2015-03-26 15:08 GMT+01:00 Randy :
> On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more
> specifics on one of our prefixes. Anyone else seeing similar or is it just
> us?
>
> 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> 198.98.182.0/23 4795 4795 4761
All,
Info gathered off-list indicates this may be a couple of issues in our
case - possible routing leak by 18978 (check your tables!) and more
specifics on our prefixes from 4795 that we couldn't see before the leak
hence the apparent hijack.
--
~Randy
On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca wrote:
> We just received a similar alert from bgpmon - part of 108.168.0.0/17 is
> being advertised as /20's - although we're still listed as the origin. We are
> 40788.
>
> 108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.80.0/
On Thu, Mar 26, 2015 at 10:38 AM, Randy wrote:
> On 03/26/2015 7:27 am, Christopher Morrow wrote:
>>
>> is your AS in the path below? (what is your AS so folk can check for
>> your prefixes/customer-prefixes and attempt to help?)
>
>
> Sorry, we're 29889.
>
ok, and it looks like the path you clip
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being
advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 47
On 03/26/2015 7:27 am, Christopher Morrow wrote:
is your AS in the path below? (what is your AS so folk can check for
your prefixes/customer-prefixes and attempt to help?)
Sorry, we're 29889.
On Thu, Mar 26, 2015 at 10:08 AM, Randy wrote:
> On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more
> specifics on one of our prefixes. Anyone else seeing similar or is it just
> us?
is your AS in the path below? (what is your AS so folk can check for
your prefixes/custo
12 matches
Mail list logo
