[bdNOG] BGP Prefix hijacking

Md. Mahbubul Alam Reyad mahbubul.reyad at qubee.com.bd
Sun Jan 3 10:37:48 BDT 2016


Thanks Brian for your nice findings.

Sincerely Yours
-------------------------------------------------------
Md. Mahbubul Alam Reyad
Assistant Manager
CORE-IP Network || Technology
Cell: +880 1976672281 || Skype: new_reyad
www.qubee.com.bd<http://www.qubee.com.bd/>
T +88 02 8812113 || F +88 02 8812115


From: Brian Candler [mailto:brian at nsrc.org]
Sent: Thursday, December 31, 2015 3:20 PM
To: Md. Mahbubul Alam Reyad; nog at bdnog.org
Subject: Re: [bdNOG] BGP Prefix hijacking

On 31/12/2015 07:31, Md. Mahbubul Alam Reyad wrote:
Hi

I received the following alert mail from bgpmon where one of our (QUBEE) prefixes (163.47.76.0/22) is announced by an Indian ISP. FYN this IP prefix was newly acquired from APNIC and is yet to be announced from the QUBEE (AS45951) network.


It looks like they're not announcing it at the moment. Here are some useful test sites:

* http://bgp.he.net/

Search by IP address or AS number. It doesn't see anything for 163.47.76.0/22

* Other looking glasses, e.g. telnet route-views.oregon-ix.net

This shows no route (only default) matching that address

route-views>sh ip bgp 163.47.76.0
BGP routing table entry for 0.0.0.0/0, version 8805302
Paths: (4 available, best #4, table default, RIB-failure(17))
  Not advertised to any peer
  Refresh Epoch 1
  58901 51167
    93.104.209.174 from 93.104.209.174 (93.104.209.174)
      Origin IGP, localpref 100, valid, external
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
  58443 45177
    103.255.249.22 from 103.255.249.22 (103.255.249.250)
      Origin IGP, localpref 100, valid, external
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
  20771 1299
    80.241.176.31 from 80.241.176.31 (80.241.176.30)
      Origin IGP, localpref 100, valid, external
      rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
  58511 2764
    103.247.3.45 from 103.247.3.45 (103.247.3.45)
      Origin IGP, localpref 100, valid, external, best
      rx pathid: 0, tx pathid: 0x0
route-views>

* https://stat.ripe.net/
which will take you to
https://stat.ripe.net/widget/routing-history

This shows a full history of announcements, and I can only see that route being announced up to March 2012.

You could also try the older site http://bgplay.routeviews.org/ (needs Java I think)

So... it seems to me that if AS131788 is really announcing your route, it's probably being filtered before the rest of the Internet sees it. Or maybe it was just a temporary glitch.

I note from
http://bgp.he.net/AS131788
that it says they are also announcing bogons :-(

Regards,

Brian.
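
Added example, not part of the original thread: a small parser that automates the looking-glass check described above. It reads a Cisco-style "sh ip bgp" reply, tells a default-route-only match apart from a real announcement, and compares each path's origin AS with the expected one. Both sample replies are constructed (the first is trimmed from the output quoted above, the second is hypothetical), and the function name check_origin is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample: the route-views reply quoted above, trimmed to two paths.
DEFAULT_ONLY = """\
route-views>sh ip bgp 163.47.76.0
BGP routing table entry for 0.0.0.0/0, version 8805302
Paths: (2 available, best #2, table default, RIB-failure(17))
  Refresh Epoch 1
  58901 51167
    93.104.209.174 from 93.104.209.174 (93.104.209.174)
      Origin IGP, localpref 100, valid, external
  Refresh Epoch 1
  58511 2764
    103.247.3.45 from 103.247.3.45 (103.247.3.45)
      Origin IGP, localpref 100, valid, external, best
"""
# Constructed sample: a hypothetical reply if the /22 were visible with AS131788
# as origin. AS64496 and 192.0.2.1 are documentation values, not real peers.
FOREIGN = """\
route-views>sh ip bgp 163.47.76.0
BGP routing table entry for 163.47.76.0/22, version 1
Paths: (1 available, best #1, table default)
  Refresh Epoch 1
  64496 131788
    192.0.2.1 from 192.0.2.1 (192.0.2.1)
      Origin IGP, localpref 100, valid, external, best
"""

ENTRY_RE = re.compile(r"BGP routing table entry for (\S+),")
# AS-path lines are indented exactly two spaces and hold only AS numbers.
PATH_RE = re.compile(r"^ {2}(\d+(?: \d+)*)[ \t]*$", re.M)

def check_origin(output, prefix, expected_asn):
    """Classify one 'sh ip bgp' reply for a prefix we own."""
    target = ipaddress.ip_network(prefix)
    entry = ENTRY_RE.search(output)
    if entry is None:
        return {"status": "no-entry", "matched": None, "origins": [], "unexpected": []}
    matched = ipaddress.ip_network(entry.group(1))
    # The origin AS is the last (rightmost) AS number in each path.
    origins = sorted({int(m.group(1).split()[-1]) for m in PATH_RE.finditer(output)})
    unexpected = [asn for asn in origins if asn != expected_asn]
    if matched.prefixlen == 0:
        status = "default-only"   # only 0.0.0.0/0 matched: no specific route seen here
    elif not matched.overlaps(target):
        status = "unrelated"
    else:
        status = "foreign-origin" if unexpected else "expected-origin"
    if status in ("default-only", "unrelated"):
        unexpected = []           # origins of a non-matching route say nothing about ours
    return {"status": status, "matched": str(matched), "origins": origins, "unexpected": unexpected}
```

A "default-only" result from one vantage point only means that collector has no specific route; paths carrying AS_SETs or other annotations on the AS-path line are not parsed by this example.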