This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[routing-wg] Fwd: [stat-dev] RIPE routing registry (ab)used to legitimize prefix hijacks
- Next message (by thread): [routing-wg] Fwd: [stat-dev] RIPE routing registry (ab)used to legitimize prefix hijacks
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Daniel Karrenberg
daniel.karrenberg at ripe.net
Thu Nov 6 07:04:13 CET 2014
Dear colleagues, maybe this is something you could find time to discuss at today's face-to-face meeting. I believe the points Rene raises are worth considering. I do not have a concrete proposal how to improve this undesirable state of things. Of course RPKI is the a better tool. But do we need to do something here before it is deployed widely? Daniel -------- Forwarded Message -------- Subject: [stat-dev] RIPE routing registry (ab)used to legitimize prefix hijacks Date: Thu, 06 Nov 2014 01:32:29 +0100 From: Rene Wilhelm <wilhelm at ripe.net> ... As per the below message from nanog.org list, AS201640 is hijacking a total of eleven routes to IP space scattered all over the world... none of which appears to belong to anybody in or near Bulgaria. Interestingly, as shown in the RIPEstat AS routing consistency widget[*], some of the announcements get a touch of legitimacy by corresponding route objects in the RIPE routing registry; because the IP space is from other RIRs (apnic, afrinic), the usual checks for hierarchical authorization do not apply and hijackers can fool RIPE DB users, claim AS201640 is allowed to originate the hijacked prefixes. Is there anything we can do about that? remove the rogue objects? disallow new route objects with origin AS201640 in non-RIPE space? Do the RIPE DB terms and conditions have clauses which deal with entering false information? Even if it has no impact on the hijack in progress, I think it helps quality and reputation of RIPE routing registry if we act on dubious, most likely false, entries which are brought to our attention. -- Rene [*] https://stat.ripe.net/widget/as-routing-consistency#w.resource=AS201640 -------- Original Message -------- Return-path: <nanog-bounces at nanog.org> Envelope-to: wilhelm at ripe.net Delivery-date: Wed, 05 Nov 2014 23:00:02 +0100 Received: from koko.ripe.net ([193.0.19.72]) by titi.ripe.net with esmtps (UNKNOWN:AES256-GCM-SHA384:256) (Exim 4.72) (envelope-from <nanog-bounces at nanog.org>) id 1Xm8cT-0008Am-OP; Wed, 05 Nov 2014 23:00:01 +0100 Received: from mail.nanog.org ([2001:1838:2001:8::10]) by koko.ripe.net with esmtp (Exim 4.72) (envelope-from <nanog-bounces at nanog.org>) id 1Xm8cS-0002Ry-LF; Wed, 05 Nov 2014 23:00:01 +0100 Received: from mail.nanog.org (localhost [127.0.0.1]) by mail.nanog.org (Postfix) with ESMTP id 9D2632D41A9; Wed, 5 Nov 2014 21:59:24 +0000 (UTC) X-Original-To: nanog at nanog.org Delivered-To: nanog at nanog.org Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com [69.62.255.118]) by mail.nanog.org (Postfix) with ESMTP id C10362D415F for <nanog at nanog.org>; Wed, 5 Nov 2014 21:59:17 +0000 (UTC) Received: from segfault-nmh-helo.tristatelogic.com (localhost [127.0.0.1]) by segfault.tristatelogic.com (Postfix) with ESMTP id 297803AF26 for <nanog at nanog.org>; Wed, 5 Nov 2014 13:59:17 -0800 (PST) From: Ronald F. Guilmette <rfg at tristatelogic.com> To: nanog at nanog.org Subject: Hijack factory: AS201640 -- MEGA - SPRED LTD / Michael A. Persaud Date: Wed, 05 Nov 2014 13:59:17 -0800 Message-ID: <81757.1415224757 at server1.tristatelogic.com> X-BeenThere: nanog at nanog.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: North American Network Operators Group <nanog.nanog.org> List-Unsubscribe: <http://mailman.nanog.org/mailman/options/nanog>, <mailto:nanog-request at nanog.org?subject=unsubscribe> List-Archive: <http://mailman.nanog.org/pipermail/nanog/> List-Post: <mailto:nanog at nanog.org> List-Help: <mailto:nanog-request at nanog.org?subject=help> List-Subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:nanog-request at nanog.org?subject=subscribe> Errors-To: nanog-bounces at nanog.org Sender: "NANOG" <nanog-bounces at nanog.org> X-RIPE-Spam-Level: + X-RIPE-Spam-Report: Spam Total Points: 1.5 points pts rule name description ---- ---------------------- ------------------------------------ -0.6 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 4.0 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net) X-RIPE-Signature: b6ab524b1e2ef58d696cc0c68bdb4d998c7e56c7a3ace7a0c536a4fd780385ef I already posted about this rogue AS days ago, but nothing has really changed much, since then, with respect to its hijacking of IP space. Well, at least Brian Krebs was kind anough to write about it: http://krebsonsecurity.com/2014/11/still-spamming-after-all-these-years/ (Please note that that is a convicted felon spamming from the hijacked IP space. He's not allowed to own firearms, but he _can_ apparently own a keyboard.) As of today, AS201640 is still hijacking a total of eleven routes to IP space scattered all over the world... none of which appears to belong to anybody in or near Bulgaria. In fact, it would appear that the organization that is the registrant of AS201640 currently has exactly -zero- IP addresses to call its own. Nobody in a postion to _do_ anything about this gives a darn? As of today: 36.0.56.0/21 41.92.206.0/23 41.198.80.0/20 41.198.224.0/20 61.242.128.0/19 119.227.224.0/19 123.29.96.0/19 177.22.117.0/24 177.46.48.0/22 187.189.158.0/23 202.39.112.0/20
- Next message (by thread): [routing-wg] Fwd: [stat-dev] RIPE routing registry (ab)used to legitimize prefix hijacks
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]