RE: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Peter Rocca
To: Peter Rocca
Cc: nanog@nanog.org
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761

Hi List, this morning our BGPmon system picked up many new more specific announcements by a variety of Origin ASNs, the interesting part is that the majority of them were classified as BGP Man In The midd

Re: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Andree Toonk
Hi List,

this morning our BGPmon system picked up many new more specific announcements by a variety of Origin ASNs, the interesting part is that the majority of them were classified as BGP Man In The Middle attacks (MITM). A typical alert would look like:

Re: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Christian Teuschel
Hi Randy,

Assuming that your prefix is 198.98.180.0/22 (AS29889 - FSNET-1 - Fast Serv Networks, LLC) none of the mentioned more specifics are currently seen from the RIPE NCC's RIS network, see the Looking Glass widget:

https://stat.ripe.net/198.98.180.0/23#tabId=routing
https://stat.ripe.net/198

Re: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Chuck Anderson
We are AS 10326 130.215.0.0/16 and I just received a BGPmon alert as well:

130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326
130.215.176.0/20 4795 4795 4761 9304 40633 18978 4436 10326

On Thu, Mar 26, 2015 at 10:45:09AM -0400, Christopher Morrow wrote:
> On Thu, Mar 26, 2015 at 10:43 AM

Re: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Paul S.
Same here. These Indosat guys can't seem to catch a break =/

On 3/26/2015 11:43 PM, Peter Rocca wrote:
> We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
>
> 108.168.64.0/20 4795 4795 4761 9

Re: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Pierre Emeriaud
Hi,

2015-03-26 15:08 GMT+01:00 Randy:
> On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more
> specifics on one of our prefixes. Anyone else seeing similar or is it just
> us?
>
> 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> 198.98.182.0/23 4795 4795 4761

Re: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Randy
All,

Info gathered off-list indicates this may be a couple of issues in our case - possible routing leak by 18978 (check your tables!) and more specifics on our prefixes from 4795 that we couldn't see before the leak hence the apparent hijack.

--
~Randy

Re: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Christopher Morrow
On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca wrote:
> We just received a similar alert from bgpmon - part of 108.168.0.0/17 is
> being advertised as /20's - although we're still listed as the origin. We are
> 40788.
>
> 108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.80.0/

Re: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Christopher Morrow
On Thu, Mar 26, 2015 at 10:38 AM, Randy wrote:
> On 03/26/2015 7:27 am, Christopher Morrow wrote:
>>
>> is your AS in the path below? (what is your AS so folk can check for
>> your prefixes/customer-prefixes and attempt to help?)
>
>
> Sorry, we're 29889.
>

ok, and it looks like the path you clip

RE: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Peter Rocca
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.

108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 47

Re: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Randy
On 03/26/2015 7:27 am, Christopher Morrow wrote:
> is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)

Sorry, we're 29889.

Re: Prefix hijack by INDOSAT AS4795 / AS4761

2015-03-26 Thread Christopher Morrow
On Thu, Mar 26, 2015 at 10:08 AM, Randy wrote:
> On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more
> specifics on one of our prefixes. Anyone else seeing similar or is it just
> us?

is your AS in the path below? (what is your AS so folk can check for your prefixes/custo