AS4134/AS4847 - Appear to be hijacking some ip space.
- Subject: AS4134/AS4847 - Appear to be hijacking some ip space.
- From: jayb at att.com (Jay Borkenhagen)
- Date: Fri, 5 Apr 2019 12:23:35 -0400
Hi Chris,

It would be great if the Google Fiber / AS16591 folks could publish a
ROA in ARIN's hosted RPKI authorizing exactly 136.32.0.0/11 to be
originated only in AS16591. That ROA would have addressed this matter
from AS7018's point of view.

In the interim, I have added a temporary whitelist (slurm) entry into
our RPKI caches, causing the AS7018 network to disregard the
more-specific /24s under 136.32.0.0/11.

Good luck.

Jay B.

Christopher Morrow writes:
> Howdy gentle folks:
>
> It looks like AS4847 - "China Networks Inter-Exchange"
>
> Is taking some time to announce reachability for at least:
> 136.38.33.0/24
>
> which they ought not, given that this /24 is part of a /11 assigned to
> AS16591 (google fiber)... Looking at routeviews data, I see the
> following as-paths for this one /24:
> $ grep -A1 Refresh /tmp/x | grep 4847
> 1239 174 4134 4847
> 3549 3356 174 4134 4847
> 701 174 4134 4847
> 4901 6079 3257 4134 4847
> 20912 174 4134 4847
> 1221 4637 4134 4847
> 1351 11164 4134 4847
> 6079 1299 4134 4847
> 6079 3257 4134 4847
> 7018 4134 4847
> 6939 1299 4134 4847
> 3561 209 4134 4847
> 3303 4134 4847
> 3277 39710 9002 4134 4847
> 2497 4134 4847
> 4826 1299 4134 4847
> 54728 20130 23352 2914 4134 4847
> 19214 3257 4134 4847
> 101 101 11164 4134 4847
> 1403 6453 4134 4847
> 852 6453 4134 4847
> 1403 6453 4134 4847
> 286 4134 4847
> 3333 1273 4134 4847
> 57866 3491 4134 4847
> 3267 1299 4134 4847
> 49788 174 4134 4847
> 53767 3257 4134 4847
> 53364 3257 4134 4847
> 8283 57866 3491 4134 4847
> 7660 2516 4134 4847
>
> From that I think the following AS should have filtered this prefix and are not:
> $ grep -A1 Refresh /tmp/x | grep 4847 | sed 's/ 4134 4847//' | awk '{print $NF}' | sort -n | uniq
>
> 174 - Cogent
> 209 - Qwest
> 286 - KPN
> 1273 - Vodafone
> 1299 - Telia
> 2497 - IIJ
> 2516 - KDDI
> 2914 - NTT
> 3257 - GTT
> 3303 - Swisscom
> 3491 - PCCW
> 4637 - Telstra
> 6453 - TATA
> 7018 - ATT
> 9002 - RETN
> 11164 - Internet2
>
> It'd be great if the listed folk could filter AS4134 :)
>
> -Chris
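
Added example, not part of the original thread or of either poster's tooling: RFC 6811 route origin validation applied to the prefixes in this thread, showing why the /24 passes with no ROA and is rejected once a ROA for exactly 136.32.0.0/11 from AS16591 exists. The VRP class, the function names and the sample data are constructed for illustration; the exact SLURM entry used in AS7018 is not shown in the post and is not modelled here.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: what a validator cache hands to the router."""
    prefix: str
    max_length: int
    asn: int

def validate(route: str, origin_asn: int, vrps: list) -> str:
    """Classify a BGP route as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        vrp_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route equals or sits inside its prefix.
        if net.version != vrp_net.version or not net.subnet_of(vrp_net):
            continue
        covered = True
        # A match needs the same origin AS and a length within maxLength.
        # AS0 in a VRP never matches any route (RFC 6483).
        if vrp.asn != 0 and vrp.asn == origin_asn and net.prefixlen <= vrp.max_length:
            return "valid"
    # Covered but never matched: origin-validating networks drop these.
    return "invalid" if covered else "not-found"

# Constructed VRP modelling the ROA requested in the post:
# exactly 136.32.0.0/11 (so maxLength 11), origin AS16591 only.
REQUESTED_ROA = [VRP("136.32.0.0/11", 11, 16591)]

def demo() -> dict:
    """Validation state of the thread's routes, without and with the ROA."""
    return {
        "no ROA:   136.38.33.0/24 from AS4847": validate("136.38.33.0/24", 4847, []),
        "with ROA: 136.38.33.0/24 from AS4847": validate("136.38.33.0/24", 4847, REQUESTED_ROA),
        "with ROA: 136.32.0.0/11 from AS16591": validate("136.32.0.0/11", 16591, REQUESTED_ROA),
        "with ROA: 136.38.33.0/24 from AS16591": validate("136.38.33.0/24", 16591, REQUESTED_ROA),
    }

if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{state:10} {case}")
```

With maxLength 11, a /24 originated by AS16591 itself is also invalid, so a holder publishing such a ROA has to announce only the /11 or publish further ROAs for any more-specifics it uses.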