[bdNOG] BGP Prefix hijacking

Md. Mahbubul Alam Reyad mahbubul.reyad at qubee.com.bd
Sun Jan 3 10:52:48 BDT 2016


Thanks Anurag for digging down into the issue.

Sincerely Yours
-------------------------------------------------------
Md. Mahbubul Alam Reyad
Assistant Manager
CORE-IP Network || Technology
Cell: +880 1976672281 || Skype: new_reyad
www.qubee.com.bd
T +88 02 8812113 || F +88 02 8812115


From: nog-bounces at bdnog.org On Behalf Of Anurag Bhatia
Sent: Thursday, December 31, 2015 3:48 PM
To: nog at bdnog.org
Subject: Re: [bdNOG] BGP Prefix hijacking

Additionally I looked at the AS44050 looking glass here: http://lg.pinspb.ru/



Router: PIN-SPB-ASR9001-CORE
Command: show bgp ipv4 unicast regexp 131788$


Thu Dec 31 12:45:53.169 MSK
BGP router identifier 95.215.3.1, local AS number 65221
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0xe0000000   RD version: 246514823
BGP main routing table version 246514823
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
*> 203.23.51.0/24     95.215.3.78              0           500 131788 i

Processed 1 prefixes, 1 paths


So the old route is removed, but a new/weird AS131788 route is still visible. Hard to believe 203.23.51.0/24 is allocated over there. So the ASN and prefix were hijacked for the purpose of spamming or something like that.


Thanks.

On Thu, Dec 31, 2015 at 2:59 PM, Anurag Bhatia <me at anuragbhatia.com> wrote:
Dear Mahbubul

I think this is not a BGP prefix hijack, based on the AS path in the bgpmon alert.


1103 286 9002 44050 131788


Shows AS131788 is announcing to AS44050 and beyond. Except for the origin AS, none of the other ASes belong to any Indian telco, and I am sure AS44050 transit is not available in India. :)

Hence, I think AS131788 has not hijacked the prefix; rather, it is a case where an ASN has been hijacked and is being used to announce fishy routes.


http://bgp.he.net/AS131788#_graph4


Shows the relations.


Anyways, will wait to hear back from AS131788 (though I think they haven't done any misconfig at their end).


On Thu, Dec 31, 2015 at 2:31 PM, Scott Weeks <surfer at mauigateway.com> wrote:


On Thu, Dec 31, 2015 at 1:31 PM, Md. Mahbubul Alam Reyad
<mahbubul.reyad at qubee.com.bd> wrote:

> I received the following alert mail from bgpmon where one of our (QUBEE)
> prefixes (163.47.76.0/22) is announced by an Indian ISP.  FYI this IP
> prefix was newly acquired from APNIC and is yet to be announced from the QUBEE
> (AS45951) network.
--------------------------------


--- kzobair at gmail.com wrote:
From: "Md. Zobair Khan" <kzobair at gmail.com>

You can send an email to that ISP querying about this possible hijack.
Other than that, there are no other major first steps. If the ISP doesn't
reply with suitable answers, then you can contact their
upstream to filter these routes from that ISP, since it is your prefix.
---------------------------------



You could also email their upstream providers and ask
them to properly filter their customers.  The upstream
providers should allow the ISP to only announce the
prefixes they're supposed to announce.

scott


>
> _______________________________________________
> nog mailing list
> nog at bdnog.org
> http://mailman.bdnog.org/mailman/listinfo/nog
>
>




--


Anurag Bhatia
anuragbhatia.com


PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2

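An added worked example, not from any of the messages above: a small Python triage of the AS path in a bgpmon alert, following the reasoning used in the thread. It separates a wrong origin ASN (a plain prefix hijack) from an origin ASN whose neighbour in the path is nobody it is known to buy transit from (the origin ASN itself is being used as a decoy, so asking its holder will not help). The upstream table is invented for the example using RFC 5398 documentation ASNs; the expected-origin and "whom to contact" logic are this example's assumptions, not data about the networks named in the thread.

```python
import re

# Invented for this example: which ASNs each origin is known to announce to.
# RFC 5398 documentation ASNs (64496-64511) stand in for real upstreams; this
# is NOT data about the networks named in the thread.
KNOWN_UPSTREAMS = {
    45951: {64496},          # hypothetical transit of the prefix holder
    131788: {64497, 64498},  # hypothetical legitimate neighbours of AS131788
}

# An AS path token is either an AS_SET like {9002,9003} or a plain ASN.
AS_PATH_TOKEN = re.compile(r"\{[\d,]+\}|\d+")


def parse_as_path(text):
    """'1103 286 {9002,9003} 131788' -> [1103, 286, frozenset({9002, 9003}), 131788].
    Leftmost ASN is nearest the collector, rightmost is the origin."""
    path = []
    for tok in AS_PATH_TOKEN.findall(text):
        if tok.startswith("{"):
            path.append(frozenset(int(a) for a in tok.strip("{}").split(",")))
        else:
            path.append(int(tok))
    if not path:
        raise ValueError("no AS path in %r" % text)
    return path


def matches_origin(path_text, asn):
    """Python equivalent of the looking-glass filter 'regexp _ASN$'. The
    boundary matters: a bare '131788$' also matches an origin such as
    4131788 once 32-bit ASNs are in the table."""
    return re.search(r"(^|\s)%d$" % asn, path_text.strip()) is not None


def triage(prefix, path_text, expected_origin, known_upstreams=KNOWN_UPSTREAMS):
    """Classify one announcement of `prefix` seen with AS path `path_text`.

    Returns (verdict, contacts): verdict is one of OK, PREFIX_HIJACK,
    ASN_HIJACK, PREFIX_HIJACK_SPOOFED_ORIGIN or REVIEW; contacts lists the
    ASNs whose NOC to ask for filters, most useful first.
    """
    path = parse_as_path(path_text)
    # Collapse prepends so the neighbour check compares distinct hops.
    hops = [h for i, h in enumerate(path) if i == 0 or h != path[i - 1]]
    origin = hops[-1]
    if not isinstance(origin, int):
        return ("REVIEW", sorted(origin))  # aggregate (AS_SET) origin: look by hand

    upstream = hops[-2] if len(hops) >= 2 else None
    legit = known_upstreams.get(origin)
    neighbour_ok = (
        upstream is None                  # seen directly at the origin
        or legit is None                  # nothing known about this origin
        or (isinstance(upstream, int) and upstream in legit)
    )
    # Networks that accepted and propagated the route, nearest the origin first.
    accepted_by = [h for h in reversed(hops[:-1]) if isinstance(h, int)][:2]

    if origin == expected_origin:
        # Our own ASN. Fine unless it shows up behind a network we never use.
        return ("OK", []) if neighbour_ok else ("ASN_HIJACK", accepted_by)
    if neighbour_ok:
        # Wrong origin behind its usual upstream: plain hijack or fat-finger;
        # the origin's NOC is the first call, its upstream the second.
        return ("PREFIX_HIJACK", [origin] + accepted_by[:1])
    # Wrong origin AND an implausible neighbour: the origin ASN is being used
    # as a decoy and its holder probably did nothing. Ask the network that
    # accepted the route, and that network's own transit, to filter.
    return ("PREFIX_HIJACK_SPOOFED_ORIGIN", accepted_by)


if __name__ == "__main__":
    # The alert quoted in the thread: QUBEE's prefix, AS path ending in 131788.
    print(triage("163.47.76.0/22", "1103 286 9002 44050 131788", 45951))
    # -> ('PREFIX_HIJACK_SPOOFED_ORIGIN', [44050, 9002])
```

Run against the path from the alert, the verdict points at AS44050 and its transit AS9002 rather than at AS131788, which is where Scott's advice (ask the upstream providers to filter their customers) ends up too. The table of known upstreams is the part that needs real data in practice, for example from your own peering records or IRR/RPKI objects; with no entry for an origin the check cannot judge the neighbour and falls back to treating the listed origin as the party to contact.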