[bdNOG] BGP Prefix hijacking

Anurag Bhatia me at anuragbhatia.com
Thu Dec 31 15:48:28 BDT 2015


Additionally I looked at AS44050 looking glass here <http://lg.pinspb.ru/>.
Router: PIN-SPB-ASR9001-CORE
Command: show bgp ipv4 unicast regexp 131788$


Thu Dec 31 12:45:53.169 MSK
BGP router identifier 95.215.3.1, local AS number 65221
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0xe0000000   RD version: 246514823
BGP main routing table version 246514823
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
*> 203.23.51.0/24     95.215.3.78              0           500 131788 i

Processed 1 prefixes, 1 paths

So that old route is removed, but a new/weird AS131788 route is still
visible. Hard to believe 203.23.51.0/24 is allocated over there. So the ASN
and prefix are hijacked for the purpose of spamming or something like that.

Thanks.

On Thu, Dec 31, 2015 at 2:59 PM, Anurag Bhatia <me at anuragbhatia.com> wrote:

> Dear Mahbubul
>
>
>
>
> I think this is not BGP prefix hijack based on the aspath in bgpmon alert.
>
>
> 1103 286 9002 44050 131788
>
>
> Shows AS 131788 is announcing to AS44050 and beyond. Except the origin AS, none
> of the other ASes belongs to any Indian telco, and I am sure AS 44050 transit is
> not available in India. :)
>
> Hence, I think AS131788 has not hijacked prefix but it's rather a case
> where an ASN has been hijacked and is being used to announce fishy routes.
>
>
> http://bgp.he.net/AS131788#_graph4
>
>
> Shows the relations.
>
>
> Anyways, will wait to hear back from AS131788 (though I think they haven't
> done any misconfig at their end).
>
>
>
>
>
>
>
> On Thu, Dec 31, 2015 at 2:31 PM, Scott Weeks <surfer at mauigateway.com>
> wrote:
>
>>
>>
>> On Thu, Dec 31, 2015 at 1:31 PM, Md. Mahbubul Alam Reyad
>> <mahbubul.reyad at qubee.com.bd> wrote:
>>
>> > I received the following alert mail from bgpmon where one of our (QUBEE)
>> > prefixes (163.47.76.0/22) is announced by an Indian ISP.  FYI this IP
>> > prefix was newly acquired from APNIC and is yet to be announced from the QUBEE
>> > (AS45951) network.
>> --------------------------------
>>
>>
>> --- kzobair at gmail.com wrote:
>> From: "Md. Zobair Khan" <kzobair at gmail.com>
>>
>> You can send an email to that ISP querying about this possible hijack.
>> Other than that, there is no big primary steps. If the ISP doesn't reply
>> you back with suitable answers, then you can communicate with their
>> upstream to filter these routes from that ISP, since it is your prefix.
>> ---------------------------------
>>
>>
>>
>> You could also email their upstream providers and ask
>> them to properly filter their customers.  The upstream
>> providers should allow the ISP to only announce the
>> prefixes they're supposed to announce.
>>
>> scott
>>
>> >
>> > _______________________________________________
>> > nog mailing list
>> > nog at bdnog.org
>> > http://mailman.bdnog.org/mailman/listinfo/nog
>> >
>> >
>>
>
>
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>
>
> PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2
>



-- 


Anurag Bhatia
anuragbhatia.com


PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2
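The reasoning in the thread (compare the observed origin with the prefix holder's ASN, then check whether the origin is seen behind one of its usual transits) as an added Python example; this is not code from the thread or from bgpmon. The expected origin follows the thread (163.47.76.0/22, AS45951); the known-upstream set for AS131788 is a hypothetical placeholder using RFC 5398 documentation ASNs, not that network's real transit providers.

```python
"""Classify a BGP route observation the way the thread reasons about it."""

# Constructed sample data, modelled on the bgpmon alert quoted in the thread.
# EXPECTED_ORIGIN follows the thread; KNOWN_UPSTREAMS is a hypothetical
# placeholder (RFC 5398 documentation ASNs), not AS131788's real upstreams.
EXPECTED_ORIGIN = {"163.47.76.0/22": 45951}
KNOWN_UPSTREAMS = {131788: {64496, 64497}}


def parse_as_path(path_text):
    """Turn a bgpmon-style path string into a list of ASNs, collector side first.

    Braces and commas (AS_SET notation) are treated as separators.
    """
    cleaned = path_text.replace("{", " ").replace("}", " ").replace(",", " ")
    return [int(tok) for tok in cleaned.split()]


def classify_route(prefix, as_path):
    """Return findings for one (prefix, AS path) observation.

    Two findings mirror the two cases discussed in the thread:
      ('unexpected-origin', origin, expected) - origin differs from the
          prefix holder's ASN: a prefix hijack or leak from the owner's view.
      ('unknown-upstream', origin, neighbour) - the origin ASN is seen directly
          behind a neighbour that is not one of its known transits, which
          points at the ASN itself being impersonated rather than a
          misconfiguration by its real operator.
    """
    findings = []
    origin = as_path[-1]
    expected = EXPECTED_ORIGIN.get(prefix)
    if expected is not None and origin != expected:
        findings.append(("unexpected-origin", origin, expected))
    if origin in KNOWN_UPSTREAMS:
        # Skip trailing prepends of the origin itself to find its real neighbour.
        neighbour = next((a for a in reversed(as_path) if a != origin), None)
        if neighbour is not None and neighbour not in KNOWN_UPSTREAMS[origin]:
            findings.append(("unknown-upstream", origin, neighbour))
    return findings


def main():
    alert_path = parse_as_path("1103 286 9002 44050 131788")
    for kind, origin, detail in classify_route("163.47.76.0/22", alert_path):
        print(f"{kind}: origin AS{origin}, related AS{detail}")


if __name__ == "__main__":
    main()
```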