Mailing List Archive

IP Route Hijacking Bad Actor: AS57129/RU-SERVERSGET-KRSK, RU/Optibit LLC

Howdy,

I'm soliciting any background information, anecdotes, shared
experiences, previous evidence, etc. of bad behavior and/or IP route
hijacking for this 'hijack factory', as I've heard it called privately.

They are actively -- and illegitimately -- announcing prefixes which
are (legitimately) allocated to other organizations, a couple of them
are very large & well-known U.S. healthcare providers.

I'd also be interested in hearing suggestions on the course of action
one of these organizations might take to make this stop....

Thanks in advance,

- ferg


--
Paul Ferguson
Seattle, WA USA
Re: IP Route Hijacking Bad Actor: AS57129/RU-SERVERSGET-KRSK, RU/Optibit LLC
Have no history/background that I can share.

In terms of actions, this seems obvious, but…

Look at the AS Paths of the hijacked prefixes announced from 57129 and start with the
second to last AS and work backwards asking that at least those prefixes from 57129 be
rejected/filtered.

Most legitimate providers faced with appropriate documentation of prefix registration in the
relevant RIR will do the following:
1. Contact their customer/peer and ask them to stop announcing.
2. Install the necessary filters.
3. If 1 is not successful in a reasonable amount of time, potentially escalate to
disconnection/depeering.

Owen


> On Aug 25, 2019, at 12:23 , Paul Ferguson <fergdawgster@mykolab.com> wrote:
>
> Howdy,
>
> I'm soliciting any background information, anecdotes, shared
> experiences, previous evidence, etc. of bad behavior and/or IP route
> hijacking for this 'hijack factory', as I've heard it called privately.
>
> They are actively -- and illegitimately -- announcing prefixes which
> are (legitimately) allocated to other organizations, a couple of them
> are very large & well-known U.S. healthcare providers.
>
> I'd also be interested in hearing suggestions on the course of action
> one of these organizations might take to make this stop....
>
> Thanks in advance,
>
> - ferg
>
>
> --
> Paul Ferguson
> Seattle, WA USA
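
The back-tracing described in the reply above, as an added example that is not part of the original thread: it collapses AS-path prepending, then lists the ASes carrying routes originated by AS57129, starting from the second-to-last AS and working backwards. The routes are constructed (RFC 5737 prefixes, RFC 5398 ASNs), and paths are assumed to be plain space-separated AS sequences as a route collector or looking glass would show them.

```python
from collections import defaultdict

ORIGIN = 57129  # origin AS named in the thread

# Constructed sample: (prefix, AS path as seen at a route collector).
# Prefixes are RFC 5737 documentation ranges; every ASN except 57129 is
# from the RFC 5398 documentation range. None of this is real routing data.
SAMPLE_ROUTES = [
    ("192.0.2.0/24",    "64500 64505 64496 57129"),
    ("192.0.2.0/24",    "64501 64506 64497 57129 57129 57129"),  # prepended
    ("198.51.100.0/24", "64502 64505 64496 57129"),
    ("203.0.113.0/24",  "64503 64505 64499"),  # different origin: ignored
    ("198.51.100.0/24", "57129"),              # no upstream in this path
]

def collapse(path):
    """Parse an AS path and drop consecutive duplicates (prepending)."""
    out = []
    for asn in map(int, path.split()):
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def upstreams_by_distance(routes, origin=ORIGIN):
    """Map hop distance from origin (1 = second-to-last AS) to {asn: prefixes}."""
    tiers = defaultdict(lambda: defaultdict(set))
    for prefix, path in routes:
        hops = collapse(path)
        if not hops or hops[-1] != origin:
            continue
        # Walk backwards, starting at the AS adjacent to the origin.
        for distance, asn in enumerate(reversed(hops[:-1]), start=1):
            tiers[distance][asn].add(prefix)
    return tiers

def contact_order(routes, origin=ORIGIN):
    """List (distance, asn, prefixes to filter), nearest upstream first."""
    tiers = upstreams_by_distance(routes, origin)
    return [(d, asn, sorted(tiers[d][asn]))
            for d in sorted(tiers) for asn in sorted(tiers[d])]

if __name__ == "__main__":
    for d, asn, prefixes in contact_order(SAMPLE_ROUTES):
        print(f"hop {d} from AS{ORIGIN}: AS{asn} carries {', '.join(prefixes)}")
```

Each output row is one filter request: the AS to contact and the prefixes to ask it to reject from AS57129, to be sent together with the RIR registration records for those prefixes.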