Mailing List Archive

Potential Prefix Hijack
Hi all.

Anyone know how we can contact AS16735 and their upstream
AS27664. We think they are hijacking a number of our
prefixes (AS24218- and AS17992-originated). Thanks BGPmon:

e.g.,

====================
Possible Prefix Hijack (Code: 11)
1 number of peer(s) detected this updates for your prefix
61.11.208.0/20:
Update details: 2008-11-11 02:24 (UTC)
61.11.208.0/20
Announced by: AS16735 (Companhia de Telecomunicacoes do
Brasil Central)
Transit AS: 27664 (CTBC Multimídia)
ASpath: 27664 16735
=====================

RIPE's RIS BGPlay confirms the same, for about the last
hour.

E-mails to them won't get there (of course), so our NOC are
contacting them via Gmail/Yahoo.

All help appreciated.

Cheers,

Mark.
Re: Potential Prefix Hijack [ In reply to ]
On Tue, 11 Nov 2008, Mark Tinka wrote:
> Anyone know how we can contact AS16735 and their upstream
> AS27664. We think they are hijacking a number of our
> prefixes (AS24218- and AS17992-originated).

Have you tried CERT-BR? Uh... I was about to say "they're usually very
responsive, and good at coordinating this sort of thing." And then their
web site failed to load, because the prefix it's in is flapping. Hm.

Fred, you still awake?

-Bill
Re: Potential Prefix Hijack [ In reply to ]
Mark Tinka wrote:
> Hi all.
>
> Anyone know how we can contact AS16735 and their upstream
> AS27664. We think they are hijacking a number of our
> prefixes (AS24218- and AS17992-originated). Thanks BGPmon:
>
>
All 19 of my prefixes for AS57, AS217 and AS1998 are being hijacked by
the same ASN. I sent a note to the ASN contact
adrianamr@CTBCTELECOM.NET.BR. I can't seem to contact lacnic for more
than a few queries without being blacked out.


Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP

% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

% LACNIC resource: whois.lacnic.net


% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2008-11-11 00:51:09 (BRST -02:00)

aut-num: AS16735
owner: Companhia de Telecomunicacoes do Brasil Central
ownerid: BR-CTBC1-LACNIC
responsible: Adriana Maria Rocha Paula
address: Av João Pinheiro, 620, Centro
address: 38400-126 - Uberlândia - MG
country: BR
phone: +34 3256 2575 [2575]
owner-c: AMP
routing-c: AMP
abuse-c: AMP
created: 20000605
changed: 20040415

nic-hdl: AMP
person: Adriana Maria Rocha Paula
e-mail: adrianamr@CTBCTELECOM.NET.BR
address: Rua José Alves Garcia, 415,
address: 38400710 - Uberlândia -
country: BR
phone: +34 3256 2575 [2575]
created: 20040628
changed: 20040628

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.


> e.g.,
>
> ====================
> Possible Prefix Hijack (Code: 11)
> 1 number of peer(s) detected this updates for your prefix
> 61.11.208.0/20:
> Update details: 2008-11-11 02:24 (UTC)
> 61.11.208.0/20
> Announced by: AS16735 (Companhia de Telecomunicacoes do
> Brasil Central)
> Transit AS: 27664 (CTBC Multimídia)
> ASpath: 27664 16735
> =====================
>
> RIPE's RIS BGPlay confirms the same, for about the last
> hour.
>
> E-mails to them won't get there (of course), so our NOC are
> contacting them via Gmail/Yahoo.
>
> All help appreciated.
>
> Cheers,
>
> Mark.
>
Re: Potential Prefix Hijack [ In reply to ]
On Tue, Nov 11, 2008 at 10:54:01AM +0800, Mark Tinka wrote:
> Hi all.
>
> Anyone know how we can contact AS16735 and their upstream
> AS27664. We think they are hijacking a number of our
> prefixes (AS24218- and AS17992-originated). Thanks BGPmon:

Mine too -

94.228.64.0/20
89.200.216.0/21
193.34.28.0/23

Except I see it as AS16735: (47998 is me)


BGP routing table entry for 94.228.64.0/20
Paths: (3 available, best #3, table Default-IP-Routing-Table)
Advertised to non peer-group peers:
193.0.0.71
27664 16735
200.219.130.21 from 200.219.130.21 (200.160.127.255)
Origin IGP, localpref 100, valid, external
Last update: Tue Nov 11 02:54:12 2008

19089 12956 5511 8928 47998
200.219.130.10 from 200.219.130.10 (200.225.95.3)
Origin IGP, localpref 100, valid, external
Community: 12956:65535
Last update: Mon Nov 10 18:40:54 2008

22548 16735
200.160.0.130 from 200.160.0.130 (200.160.0.137)
Origin IGP, localpref 100, valid, external, best
Last update: Tue Nov 11 02:51:57 2008

> RIPE's RIS BGPlay confirms the same, for about the last
> hour.

yep since 2am GMT.

C.
--
020 7729 4797
http://blog.playlouder.com/
Re: Potential Prefix Hijack [ In reply to ]
On Tuesday 11 November 2008 11:00:47 Bill Woodcock wrote:

> Have you tried CERT-BR?

Yes, we contacted them as well. We still have IP
reachability to them from this end.

Cheers,

Mark.
Re: Potential Prefix Hijack [ In reply to ]
Same problems here, for AS26028
Stefan

On Mon, Nov 10, 2008 at 8:54 PM, Mark Tinka <mtinka@globaltransit.net>wrote:

> Hi all.
>
> Anyone know how we can contact AS16735 and their upstream
> AS27664. We think they are hijacking a number of our
> prefixes (AS24218- and AS17992-originated). Thanks BGPmon:
>
> e.g.,
>
> ====================
> Possible Prefix Hijack (Code: 11)
> 1 number of peer(s) detected this updates for your prefix
> 61.11.208.0/20:
> Update details: 2008-11-11 02:24 (UTC)
> 61.11.208.0/20
> Announced by: AS16735 (Companhia de Telecomunicacoes do
> Brasil Central)
> Transit AS: 27664 (CTBC Multimídia)
> ASpath: 27664 16735
> =====================
>
> RIPE's RIS BGPlay confirms the same, for about the last
> hour.
>
> E-mails to them won't get there (of course), so our NOC are
> contacting them via Gmail/Yahoo.
>
> All help appreciated.
>
> Cheers,
>
> Mark.
>
Re: Potential Prefix Hijack [ In reply to ]
Obvious, since I posted about it earlier, but confirmed here as well. Has
anyone made contact with these guys? I have yet to...


On Mon, Nov 10, 2008 at 9:32 PM, Network Fortius <netfortius@gmail.com>wrote:

> Same problems here, for AS26028
> Stefan
>
> On Mon, Nov 10, 2008 at 8:54 PM, Mark Tinka <mtinka@globaltransit.net
> >wrote:
>
> > Hi all.
> >
> > Anyone know how we can contact AS16735 and their upstream
> > AS27664. We think they are hijacking a number of our
> > prefixes (AS24218- and AS17992-originated). Thanks BGPmon:
> >
> > e.g.,
> >
> > ====================
> > Possible Prefix Hijack (Code: 11)
> > 1 number of peer(s) detected this updates for your prefix
> > 61.11.208.0/20:
> > Update details: 2008-11-11 02:24 (UTC)
> > 61.11.208.0/20
> > Announced by: AS16735 (Companhia de Telecomunicacoes do
> > Brasil Central)
> > Transit AS: 27664 (CTBC Multimídia)
> > ASpath: 27664 16735
> > =====================
> >
> > RIPE's RIS BGPlay confirms the same, for about the last
> > hour.
> >
> > E-mails to them won't get there (of course), so our NOC are
> > contacting them via Gmail/Yahoo.
> >
> > All help appreciated.
> >
> > Cheers,
> >
> > Mark.
> >
>
RE: Potential Prefix Hijack [ In reply to ]
I sent e-mails to the AS contacts, but don't expect that to do much in the
middle of the night. No live person at the phone numbers. I can't even
get their web site to come up, although if they're re-routing the entire BGP
table internally, go figure. :)

BGPMon's a great thing though!

Somebody's been bad tonight.

Scott

-----Original Message-----
From: jamie [mailto:j@arpa.com]
Sent: Monday, November 10, 2008 10:37 PM
To: Network Fortius
Cc: nanog@nanog.org
Subject: Re: Potential Prefix Hijack

Obvious, since I posted about it earlier, but confirmed here as well. Has
anyone made contact with these guys? I have yet to...


On Mon, Nov 10, 2008 at 9:32 PM, Network Fortius
<netfortius@gmail.com>wrote:

> Same problems here, for AS26028
> Stefan
>
> On Mon, Nov 10, 2008 at 8:54 PM, Mark Tinka <mtinka@globaltransit.net
> >wrote:
>
> > Hi all.
> >
> > Anyone know how we can contact AS16735 and their upstream AS27664.
> > We think they are hijacking a number of our prefixes (AS24218- and
> > AS17992-originated). Thanks BGPmon:
> >
> > e.g.,
> >
> > ====================
> > Possible Prefix Hijack (Code: 11)
> > 1 number of peer(s) detected this updates for your prefix
> > 61.11.208.0/20:
> > Update details: 2008-11-11 02:24 (UTC) 61.11.208.0/20 Announced by:
> > AS16735 (Companhia de Telecomunicacoes do Brasil Central) Transit
> > AS: 27664 (CTBC Multimídia)
> > ASpath: 27664 16735
> > =====================
> >
> > RIPE's RIS BGPlay confirms the same, for about the last hour.
> >
> > E-mails to them won't get there (of course), so our NOC are
> > contacting them via Gmail/Yahoo.
> >
> > All help appreciated.
> >
> > Cheers,
> >
> > Mark.
> >
>
RE: Potential Prefix Hijack [ In reply to ]
I too have noticed the slip-up from Brazil, here at AS26935, all of our
prefixes appear from them also, PHAS also did nothing for me, but RIPE
tools and BGPmon both show issues.

If anyone from RIPE reads this, awesome job on the tools guys!

If anyone from GLBX reads this, have you had any contact with the offenders?

-Kyle
RE: Potential Prefix Hijack [ In reply to ]
More contact people here:
http://www.bovespa.com.br/Companies/FormConsultaImpressao.asp?CodCVM=21032

If I knew someone (readily available) who spoke Portuguese I would call them, but alas, they are sleeping and not technical.

Frank

-----Original Message-----
From: Tim Peiffer [mailto:peiffer@umn.edu]
Sent: Monday, November 10, 2008 9:04 PM
To: mtinka@globaltransit.net
Cc: nanog@nanog.org
Subject: Re: Potential Prefix Hijack

Mark Tinka wrote:
> Hi all.
>
> Anyone know how we can contact AS16735 and their upstream
> AS27664. We think they are hijacking a number of our
> prefixes (AS24218- and AS17992-originated). Thanks BGPmon:
>
>
All 19 of my prefixes for AS57, AS217 and AS1998 are being hijacked by
the same ASN. I sent a note to the ASN contact
adrianamr@CTBCTELECOM.NET.BR. I can't seem to contact lacnic for more
than a few queries without being blacked out.


Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP

% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

% LACNIC resource: whois.lacnic.net


% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2008-11-11 00:51:09 (BRST -02:00)

aut-num: AS16735
owner: Companhia de Telecomunicacoes do Brasil Central
ownerid: BR-CTBC1-LACNIC
responsible: Adriana Maria Rocha Paula
address: Av João Pinheiro, 620, Centro
address: 38400-126 - Uberlândia - MG
country: BR
phone: +34 3256 2575 [2575]
owner-c: AMP
routing-c: AMP
abuse-c: AMP
created: 20000605
changed: 20040415

nic-hdl: AMP
person: Adriana Maria Rocha Paula
e-mail: adrianamr@CTBCTELECOM.NET.BR
address: Rua José Alves Garcia, 415,
address: 38400710 - Uberlândia -
country: BR
phone: +34 3256 2575 [2575]
created: 20040628
changed: 20040628

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.


> e.g.,
>
> ====================
> Possible Prefix Hijack (Code: 11)
> 1 number of peer(s) detected this updates for your prefix
> 61.11.208.0/20:
> Update details: 2008-11-11 02:24 (UTC)
> 61.11.208.0/20
> Announced by: AS16735 (Companhia de Telecomunicacoes do
> Brasil Central)
> Transit AS: 27664 (CTBC Multimídia)
> ASpath: 27664 16735
> =====================
>
> RIPE's RIS BGPlay confirms the same, for about the last
> hour.
>
> E-mails to them won't get there (of course), so our NOC are
> contacting them via Gmail/Yahoo.
>
> All help appreciated.
>
> Cheers,
>
> Mark.
>
Re: Potential Prefix Hijack [ In reply to ]
I've just contacted (after three looong hours waiting...) and forwarded
those e-mails to them. Hope that helps ...

Can someone confirm that the issue is still happening? Maybe a show
bgp something would help me talk to them.


On Tue, Nov 11, 2008 at 4:12 AM, Frank Bulk <frnkblk@iname.com> wrote:
> More contact people here:
> http://www.bovespa.com.br/Companies/FormConsultaImpressao.asp?CodCVM=21032
>
> If I knew someone (readily available) who spoke Portuguese I would call them, but alas, they are sleeping and not technical.
>
> Frank
>
> -----Original Message-----
> From: Tim Peiffer [mailto:peiffer@umn.edu]
> Sent: Monday, November 10, 2008 9:04 PM
> To: mtinka@globaltransit.net
> Cc: nanog@nanog.org
> Subject: Re: Potential Prefix Hijack
>
> Mark Tinka wrote:
>> Hi all.
>>
>> Anyone know how we can contact AS16735 and their upstream
>> AS27664. We think they are hijacking a number of our
>> prefixes (AS24218- and AS17992-originated). Thanks BGPmon:
>>
>>
> All 19 of my prefixes for AS57, AS217 and AS1998 are being hijacked by
> the same ASN. I sent a note to the ASN contact
> adrianamr@CTBCTELECOM.NET.BR. I can't seem to contact lacnic for more
> than a few queries without being blacked out.
>
>
> Tim Peiffer
> Network Support Engineer
> Office of Information Technology
> University of Minnesota/NorthernLights GigaPOP
>
> % Joint Whois - whois.lacnic.net
> % This server accepts single ASN, IPv4 or IPv6 queries
>
> % LACNIC resource: whois.lacnic.net
>
>
> % Copyright LACNIC lacnic.net
> % The data below is provided for information purposes
> % and to assist persons in obtaining information about or
> % related to AS and IP numbers registrations
> % By submitting a whois query, you agree to use this data
> % only for lawful purposes.
> % 2008-11-11 00:51:09 (BRST -02:00)
>
> aut-num: AS16735
> owner: Companhia de Telecomunicacoes do Brasil Central
> ownerid: BR-CTBC1-LACNIC
> responsible: Adriana Maria Rocha Paula
> address: Av João Pinheiro, 620, Centro
> address: 38400-126 - Uberlândia - MG
> country: BR
> phone: +34 3256 2575 [2575]
> owner-c: AMP
> routing-c: AMP
> abuse-c: AMP
> created: 20000605
> changed: 20040415
>
> nic-hdl: AMP
> person: Adriana Maria Rocha Paula
> e-mail: adrianamr@CTBCTELECOM.NET.BR
> address: Rua José Alves Garcia, 415,
> address: 38400710 - Uberlândia -
> country: BR
> phone: +34 3256 2575 [2575]
> created: 20040628
> changed: 20040628
>
> % whois.lacnic.net accepts only direct match queries.
> % Types of queries are: POCs, ownerid, CIDR blocks, IP
> % and AS numbers.
>
>
>> e.g.,
>>
>> ====================
>> Possible Prefix Hijack (Code: 11)
>> 1 number of peer(s) detected this updates for your prefix
>> 61.11.208.0/20:
>> Update details: 2008-11-11 02:24 (UTC)
>> 61.11.208.0/20
>> Announced by: AS16735 (Companhia de Telecomunicacoes do
>> Brasil Central)
>> Transit AS: 27664 (CTBC Multimídia)
>> ASpath: 27664 16735
>> =====================
>>
>> RIPE's RIS BGPlay confirms the same, for about the last
>> hour.
>>
>> E-mails to them won't get there (of course), so our NOC are
>> contacting them via Gmail/Yahoo.
>>
>> All help appreciated.
>>
>> Cheers,
>>
>> Mark.
>>
>
RE: Potential Prefix Hijack [ In reply to ]
We too saw this issue.

2008-11-11 01:56:36 GMT they took over one of our /20's ...

Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
IP Transit Services
Tel: +353 (0) 59 9183072
Lo-call: 1850 929 929
DDI: +353 (0) 59 9183091

e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

Blacknight Internet Solutions Ltd,
Unit 12A,Barrowside Business Park,
Sleaty Road,
Graiguecullen,
Carlow,
Ireland

Company No.: 370845


> -----Original Message-----
> From: Mark Tinka [mailto:mtinka@globaltransit.net]
> Sent: Tuesday, November 11, 2008 2:54 AM
> To: nanog@nanog.org
> Subject: Potential Prefix Hijack
>
> Hi all.
>
> Anyone know how we can contact AS16735 and their upstream
> AS27664. We think they are hijacking a number of our
> prefixes (AS24218- and AS17992-originated). Thanks BGPmon:
>
> e.g.,
>
> ====================
> Possible Prefix Hijack (Code: 11)
> 1 number of peer(s) detected this updates for your prefix
> 61.11.208.0/20:
> Update details: 2008-11-11 02:24 (UTC)
> 61.11.208.0/20
> Announced by: AS16735 (Companhia de Telecomunicacoes do
> Brasil Central)
> Transit AS: 27664 (CTBC Multimídia)
> ASpath: 27664 16735
> =====================
>
> RIPE's RIS BGPlay confirms the same, for about the last
> hour.
>
> E-mails to them won't get there (of course), so our NOC are
> contacting them via Gmail/Yahoo.
>
> All help appreciated.
>
> Cheers,
>
> Mark.
>
Re: Potential Prefix Hijack [ In reply to ]
>
> On Tue, 11 Nov 2008, Mark Tinka wrote:
> > Anyone know how we can contact AS16735 and their upstream
> > AS27664. We think they are hijacking a number of our
> > prefixes (AS24218- and AS17992-originated).
>
> Have you tried CERT-BR? Uh... I was about to say "they're usually very
> responsive, and good at coordinating this sort of thing." And then their
> web site failed to load, because the prefix it's in is flapping. Hm.
>
> Fred, you still awake?
>
> -Bill
>
>
Odd, we were just hijacked too, one match to the same AS:

Prefix: 64.193.164.0/24
AS Path: 27664 16735
Seen by Route Collector: 15
Peer IP: 200.219.130.21
Peer AS Number: 27664
Timestamp (GMT): 1:56, Nov 11 2008

And a match from other AS's

Prefix: 192.136.64.0/24
AS Path: 22548 16735
Seen by Route Collector: 15
Peer IP: 200.160.0.130
Peer AS Number: 22548
Timestamp (GMT): 1:59, Nov 11 2008

Prefix: 64.193.164.0/24
AS Path: 22548 16735
Seen by Route Collector: 15
Peer IP: 200.160.0.130
Peer AS Number: 22548
Timestamp (GMT): 1:56, Nov 11 2008


Tuc
Re: Potential Prefix Hijack [ In reply to ]
Howdy,

We were hijacked as well, by 27664 16735

Our affected prefixes were:

94.46.0.0/16
194.88.142.0/23
194.11.23.0/24
82.102.0.0/18
195.246.238.0/23
194.107.127.0/24
81.92.192.0/19
193.227.238.0/23

We are trying to contact them in order to get some feedback, and some good explanation for this.

In the meanwhile, there is lots of evidence spread around (thanks to RIS RIPE, Routeviews, BGPmon and others)

http://www.ris.ripe.net/dashboard/27664
http://www.ris.ripe.net/dashboard/16735

In the meanwhile we are sending notices to the Upstreams of those ASN's, in order for them to apply proper filtering to their downstream customers to avoid situations like this.

On the list I was able to find:

AS8167 - TELESC
AS6762 - SEABONE
AS12956 - TELEFONICA
AS3549 - GLOBAL CROSSING
AS17379 - Interlig

I welcome others to do the same, in order to avoid replicas for this situation.

Regards,
---
Nuno Vieira
nfsi telecom, lda.

nuno.vieira@nfsi.pt
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
http://www.nfsi.pt/



----- "Network Fortius" <netfortius@gmail.com> wrote:

> Same problems here, for AS26028
> Stefan
>
> On Mon, Nov 10, 2008 at 8:54 PM, Mark Tinka
> <mtinka@globaltransit.net>wrote:
>
> > Hi all.
> >
> > Anyone know how we can contact AS16735 and their upstream
> > AS27664. We think they are hijacking a number of our
> > prefixes (AS24218- and AS17992-originated). Thanks BGPmon:
> >
> > e.g.,
> >
> > ====================
> > Possible Prefix Hijack (Code: 11)
> > 1 number of peer(s) detected this updates for your prefix
> > 61.11.208.0/20:
> > Update details: 2008-11-11 02:24 (UTC)
> > 61.11.208.0/20
> > Announced by: AS16735 (Companhia de Telecomunicacoes do
> > Brasil Central)
> > Transit AS: 27664 (CTBC Multimídia)
> > ASpath: 27664 16735
> > =====================
> >
> > RIPE's RIS BGPlay confirms the same, for about the last
> > hour.
> >
> > E-mails to them won't get there (of course), so our NOC are
> > contacting them via Gmail/Yahoo.
> >
> > All help appreciated.
> >
> > Cheers,
> >
> > Mark.
> >
Re: Potential Prefix Hijack [ In reply to ]
Hi!

> We were hijacked as well, by 27664 16735
>
> Our affected prefixes were:
>
> 94.46.0.0/16
> 194.88.142.0/23
> 194.11.23.0/24
> 82.102.0.0/18
> 195.246.238.0/23
> 194.107.127.0/24
> 81.92.192.0/19
> 193.227.238.0/23
>
> We are trying to contact them in order to get some feedback, and some good explanation for this.

They obviously were leaking full routing, are we all gonna announce 'my
prefix was in there also?'

Bye,
Raymond.
Re: Potential Prefix Hijack [ In reply to ]
Possibly silly question:

If a small ISP is leaking a full table and you cannot reach them, why
not contact their upstreams?

Can't really check a router from here, but I saw (for instance) Verio
mentioned. I am certain as2914 runs a 24/7 NOC and is responsive.

--
TTFN,
patrick
Re: Potential Prefix Hijack [ In reply to ]
>
> Hi!
>
> > We were hijacked as well, by 27664 16735
> >
> > Our affected prefixes were:
> >
> > 94.46.0.0/16
> > 194.88.142.0/23
> > 194.11.23.0/24
> > 82.102.0.0/18
> > 195.246.238.0/23
> > 194.107.127.0/24
> > 81.92.192.0/19
> > 193.227.238.0/23
> >
> > We are trying to contact them in order to get some feedback, and some good explanation for this.
>
> They obviously were leaking full routing, are we all gonna announce 'my
> prefix was in there also?'
>
ACTUALLY............ They didn't hijack ALL my netblocks... I have 3. One was completely
untouched, 1 was only hijacked by 1 site, and the last was hijacked by 2 different sites. :)

Tuc
Re: Potential Prefix Hijack [ In reply to ]
Hi!

>>> 94.46.0.0/16
>>> 194.88.142.0/23
>>> 194.11.23.0/24
>>> 82.102.0.0/18
>>> 195.246.238.0/23
>>> 194.107.127.0/24
>>> 81.92.192.0/19
>>> 193.227.238.0/23
>>>

>>> We are trying to contact them in order to get some feedback, and some good explanation for this.

>> They obviously were leaking full routing, are we all gonna announce 'my
>> prefix was in there also?'

> ACTUALLY............ They didn't hijack ALL my netblocks... I have 3. One was completely
> untouched, 1 was only hijacked by 1 site, and the last was hijacked by 2 different sites. :)

So their router had most likely a hard time and stuff was flapping, I see
something like that in the BGPLay output also.

Bye,
Raymond.
Re: Potential Prefix Hijack [ In reply to ]
That's not true, as not all our prefixes were hijacked nor leaked, since they were originating them. If they were leaking them you might be able to see further AS's on the AS-PATH, including the legitimate AS for originating those prefixes.

My point here is also about peers and upstreams to set properly filter or max-prefix settings to avoid those nasty things.

Am I seeing things in a blur way ? or this is supposed to happen as wind flows ?

regards,
---
Nuno Vieira
nfsi telecom, lda.

nuno.vieira@nfsi.pt
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
http://www.nfsi.pt/



----- "Raymond Dijkxhoorn" <raymond@prolocation.net> wrote:

> Hi!
>
> > We were hijacked as well, by 27664 16735
> >
> > Our affected prefixes were:
> >
> > 94.46.0.0/16
> > 194.88.142.0/23
> > 194.11.23.0/24
> > 82.102.0.0/18
> > 195.246.238.0/23
> > 194.107.127.0/24
> > 81.92.192.0/19
> > 193.227.238.0/23
> >
> > We are trying to contact them in order to get some feedback, and
> some good explanation for this.
>
> They obviously were leaking full routing, are we all gonna announce
> 'my
> prefix was in there also?'
>
> Bye,
> Raymond.
Re: Potential Prefix Hijack [ In reply to ]
Hi!

> That's not true, as not all our prefixes were hijacked nor leaked,
> since they were originating them. If they were leaking them you might
> be able to see further AS's on the AS-PATH, including the legitimate
> AS for originating those prefixes.

We have seen issues like this also when a customer was leaking full
routes, and his router was not able to cope with the BGP tables. This gave
really really strange things, similar like here, some prefixes were
there and some not. Completely random.

> Am I seeing things in a blur way ? or this is supposed to happen as
> wind flows ?

Upstreams should filter things properly. That's a sure thing. OR max prefix
limit customers like that....

Bye,
Raymond.
Re: Potential Prefix Hijack [ In reply to ]
Hi Bill,

On Mon, Nov 10, 2008 at 07:00:47PM -0800, Bill Woodcock wrote:
> On Tue, 11 Nov 2008, Mark Tinka wrote:
> > Anyone know how we can contact AS16735 and their upstream
> > AS27664. We think they are hijacking a number of our
> > prefixes (AS24218- and AS17992-originated).
>
> Have you tried CERT-BR? Uh... I was about to say "they're usually very
> responsive, and good at coordinating this sort of thing." And then their
> web site failed to load, because the prefix it's in is flapping. Hm.
>
> Fred, you still awake?

Not at the time of the event :-(

AFAIK the event was local to CTBC (AS16735) and their customers. This
is our case and as we host RRC15 at PTTMetro São Paulo, and feed it
with a full routing BGP feed it triggered the reports from bgpmon [1].

CTBC is still pending to explain the event,

> -Bill

Fred

[1] http://bgpmon.net/blog/?p=80
Re: Potential Prefix Hijack [ In reply to ]
Hello,

As several people have already observed here, AS 16735 announced
almost the whole Internet last night to two of its peers (AS 27664,
174213 routes and AS 22548, 111231 routes). These routes were not
propagated to the global Internet--and as Frederico A C Neves has
confirmed, it was a localized event.

For more detail on what happened, see Frederico's post [0] and the
BGPMon site's summary [1]. We also have a slightly more detailed
analysis here [2].

-Martin

[0] http://www.merit.edu/mail.archives/nanog/msg12813.html
[1] http://bgpmon.net/blog/?p=80
[2] http://www.renesys.com/blog/2008/11/brazil-leak-if-a-tree-falls-in.shtml

--
Martin A. Brown --- Renesys Corporation --- mabrown@renesys.com
Re: Potential Prefix Hijack [ In reply to ]
Dear Fellows,

I would like to add some information to this thread from AS27664 perspective.

Both AS27664 (CTBC Multimídia) and AS22548 (Nic.br) share two common points:
1. They are IP transit customers from AS16735 (CTBC Telecom).
2. They feed with full BGP routing table the RIS/RIPE project located
at PTTMetro-SP, Brazil (rrc15).

I checked all BGP updates of 2008111[01] from Route Views Archive
Project [1] and looked for prefixes originated by AS16735. I compared
those with the prefixes officially allocated by Registro.br to AS16735
[2] and did not find any case of prefixes from different AS. This
analysis confirms that yesterday AS16735 issue of IP prefixes
Hijacking was not globally propagated.

It seems that only some AS16735's Internet customers (like AS27664 and
AS22548) were affected by this problem.

Regards,

--

Eduardo Ascenço Reis

[1] http://archive.routeviews.org/
[2] https://registro.br/cgi-bin/whois/
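
Added example, not part of any poster's message or of the tools named in the thread: a small origin check of the kind discussed above, where Nuno Vieira separates an origination hijack from a leak by what the AS path ends in, and Eduardo Ascenço Reis compares AS16735-originated prefixes against its allocations. It goes slightly beyond the thread by also flagging more-specific announcements; the expected-origin table, the verdict names and the two records marked constructed are assumptions.

```python
import ipaddress
from collections import defaultdict

# Expected origin ASNs per monitored prefix, from what posters state in the thread.
EXPECTED = {
    "94.228.64.0/20": {47998},         # "(47998 is me)"
    "61.11.208.0/20": {24218, 17992},  # assumption: either origin AS Mark names
}
SUSPECT_ASN = 16735  # the AS being investigated in the thread

# (prefix, AS path as seen by the collector peer, peer IP or None)
OBSERVATIONS = [
    ("94.228.64.0/20", "27664 16735", "200.219.130.21"),
    ("94.228.64.0/20", "19089 12956 5511 8928 47998", "200.219.130.10"),
    ("94.228.64.0/20", "22548 16735", "200.160.0.130"),
    ("61.11.208.0/20", "27664 16735", None),  # BGPmon alert; peer IP not given
    # Constructed: what a leak through the suspect AS would look like.
    ("94.228.64.0/20", "27664 16735 8928 47998", "192.0.2.1"),
    # Constructed: a more-specific of a monitored prefix with a foreign origin.
    ("94.228.64.0/24", "22548 16735", "192.0.2.2"),
    # From the thread, but its legitimate origin is not stated there.
    ("64.193.164.0/24", "27664 16735", "200.219.130.21"),
]


def classify(prefix, as_path, expected=EXPECTED, suspect=SUSPECT_ASN):
    """Return a verdict string for one announcement."""
    net = ipaddress.ip_network(prefix)
    path = [int(asn) for asn in as_path.split()]  # AS_SETs are not handled
    if not path:
        raise ValueError("empty AS path")
    origin = path[-1]  # rightmost ASN originated the route (prepends included)

    # Find the most specific monitored prefix that covers the announcement.
    covering = []
    for text, origins in expected.items():
        monitored = ipaddress.ip_network(text)
        if monitored.version == net.version and net.subnet_of(monitored):
            covering.append((monitored, origins))
    if not covering:
        return "unmonitored"
    monitored, origins = max(covering, key=lambda c: c[0].prefixlen)

    if origin in origins:
        # Legitimate origin still ends the path: if the suspect AS sits in the
        # middle it is re-advertising the route (leak), not originating it.
        return "leak-like" if suspect in path else "ok"
    return "origin-hijack" if net == monitored else "subprefix-hijack"


def triage(observations):
    """Group (prefix, peer) pairs by verdict."""
    grouped = defaultdict(list)
    for prefix, as_path, peer in observations:
        grouped[classify(prefix, as_path)].append((prefix, peer))
    return dict(grouped)


if __name__ == "__main__":
    for verdict, hits in sorted(triage(OBSERVATIONS).items()):
        print(f"{verdict}:")
        for prefix, peer in hits:
            print(f"  {prefix} via peer {peer or 'n/a'}")
```
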
Re: Potential Prefix Hijack [ In reply to ]
The local scope of the event is also the reason that PHAS did not catch the
hijack. Nevertheless, it's good to have different services for hijack
detection running independently, especially if they are getting different
feeds. Even a hijack that is local in scope is worth alerting about; if not
anything, at least to ensure it stays local :)

-Mohit

On Nov 12, 2008, at 4:52 AM, Eduardo Ascenço Reis wrote:

Dear Fellows,

I would like to add some information to this thread from AS27664
perspective.

Both AS27664 (CTBC Multimídia) and AS22548 (Nic.br) share two common points:
1. They are IP transit customers from AS16735 (CTBC Telecom).
2. They feed with full BGP routing table the RIS/RIPE project located
at PTTMetro-SP, Brazil (rrc15).

I checked all BGP updates of 2008111[01] from Route Views Archive
Project [1] and looked for prefixes originated by AS16735. I compared
those with the prefixes officially allocated by Registro.br to AS16735
[2] and did not find any case of prefixes from different AS. This
analysis confirms that yesterday AS16735 issue of IP prefixes
Hijacking was not globally propagated.

It seems that only some AS16735's Internet customers (like AS27664 and
AS22548) were affected by this problem.

Regards,

--

Eduardo Ascenço Reis

[1] http://archive.routeviews.org/
[2] https://registro.br/cgi-bin/whois/