[lacnog] Prefix Hijacking

Arturo Servin arturo.servin en gmail.com
Thu Dec 19 14:53:29 -02 2019


According to RADB AS267759 is the correct origin.

route:      45.167.18.0/23
origin:     AS267759
descr:      GRUPO INVERSOR EN COMUNICACIONES - Cliente de Trânsito da R-Line
mnt-by:     MAINT-AS28145
changed:    fabio en rline.com.br 20191213  #18:08:35Z
source:     RADB

No ROA apparently.

So, not sure what the problem is.

.as


On Thu, Dec 19, 2019 at 4:49 PM Lucas Willian Bocchi <lucas.bocchi en gmail.com>
wrote:

> At the moment, it appears.
> We will test again at another time, maybe at a time when the NOC isn't
> reading the list threads.
>
> On Thu, Dec 19, 2019 at 13:47, Ariel Antigua via LACNOG <
> lacnog en lacnic.net> wrote:
>
>> Maybe it is fixed already?
>>
>> I was looking for your prefix and it is not in my routing table or being
>> announced by 263774.
>>
>> bird>
>> bird> show route where bgp_path.last = 263774 primary
>> 138.117.78.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> 138.117.78.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> 138.117.79.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> 138.117.76.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> 138.117.76.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> 138.117.76.0/22    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> 138.117.77.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> 170.83.126.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> 170.83.126.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774?]
>> 170.83.127.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> 170.83.124.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> 170.83.124.0/22    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> 170.83.124.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774?]
>> 170.83.125.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>> bird> show route where bgp_path.last = 267759 primary
>> bird>
>>
>> .aa
>>
>>
>>
>> From: Lucas Willian Bocchi <lucas.bocchi en gmail.com>
>> Sent: Thursday, December 19, 2019 12:27 PM
>> To: lacnog en lacnic.net
>> Subject: [lacnog] Prefix Hijacking
>>
>>
>>
>> Hello.
>>
>>
>>
>> We have contacted AS263774 to inform them of the problem, but we
>> won't provide any solution to the trouble.
>>
>> Our BGP session with AS263774 is totally down and the announcements
>> don't cease to exist. We believe that this provider is hijacking our
>> announcements.
>>
>> Thu Dec 19 16:08:16.916 UTC
>> BGP routing table entry for 45.167.18.0/24
>> Versions:
>>   Process           bRIB/RIB  SendTblVer
>>   Speaker          497636789   497636789
>> Last Modified: Dec 19 15:36:44.535 for 00:31:32
>> Paths: (1 available, best #1)
>>   Advertised IPv4 Unicast paths to peers (in unique update groups):
>>     38.5.0.99
>>   Path #1: Received by speaker 0
>>   Advertised IPv4 Unicast paths to peers (in unique update groups):
>>     38.5.0.99
>>   3356 3549 263774 263774 267759
>>     4.68.111.177 (metric 103030) from 38.28.1.83 (38.28.1.238)
>>       Origin IGP, metric 4294967294, localpref 100, valid, internal, best, group-best, import-candidate
>>       Received Path ID 0, Local Path ID 1, version 497636789
>>       Community: 174:11401 174:20666 174:21100 174:22005
>>       Originator: 38.28.1.238, Cluster list: 38.28.1.83, 38.28.1.67
>>
>> What is the correct solution in this case? The NOC has already been alerted
>> about the problem but says that "all is ok on your side".
>>
>>
>>
>> Regards.
>>
>>
>> _______________________________________________
>> LACNOG mailing list
>> LACNOG en lacnic.net
>> https://mail.lacnic.net/mailman/listinfo/lacnog
>> Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog
>>
>
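
Added example, not part of any message in this thread: a small Python check that compares the announcement quoted above (45.167.18.0/24 with path 3356 3549 263774 263774 267759) against the RADB route object. The `expected_upstreams` parameter and the function names are hypothetical; it is left empty here on the assumption, taken from the original post, that the session with AS263774 is down.

```python
import ipaddress

# Values copied from the thread: the RADB route object and the path seen for the /24.
RADB_OBJECT = """\
route:      45.167.18.0/23
origin:     AS267759
mnt-by:     MAINT-AS28145
source:     RADB
"""
OBSERVED_PREFIX = "45.167.18.0/24"
OBSERVED_PATH = "3356 3549 263774 263774 267759"


def parse_rpsl(text):
    """Parse 'key: value' lines of one RPSL object; folded lines are appended."""
    obj, last = {}, None
    for line in text.splitlines():
        if last and line[:1] in (" ", "\t", "+"):
            obj[last] += " " + line[1:].strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            obj[last] = value.strip()
    return obj


def check_announcement(prefix, as_path, route_obj, expected_upstreams=()):
    """Compare one observed announcement with a route object.

    expected_upstreams is a hypothetical operator-supplied set of ASNs that
    are allowed to appear directly before the origin.
    """
    net = ipaddress.ip_network(prefix)
    registered = ipaddress.ip_network(route_obj["route"])
    hops = []
    for asn in map(int, as_path.split()):
        if not hops or hops[-1] != asn:  # collapse AS-path prepending
            hops.append(asn)
    upstream = hops[-2] if len(hops) > 1 else None
    return {
        "origin_matches": hops[-1] == int(route_obj["origin"].upper().replace("AS", "", 1)),
        "exact_route_object": net == registered,
        "covered_by_route_object": net.subnet_of(registered),
        "upstream": upstream,
        "upstream_expected": upstream in expected_upstreams,
    }


if __name__ == "__main__":
    print(check_announcement(OBSERVED_PREFIX, OBSERVED_PATH, parse_rpsl(RADB_OBJECT)))
```

With the thread's values the origin matches and the /24 is covered by, but not identical to, the registered /23, while AS263774 sits directly before the origin. A comparison of the origin alone against RADB does not surface that last point.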