Hi!

This came up on our radar somewhere in the last 24 hours too. It indeed
does look very curious. Thank you for your analysis and report.

NTT is taking steps to figure out what is behind this. Our current
working theories are that perhaps the IRR maintainer account was
compromised, or some kind of automation script gone rogue, or perhaps
there is adversarial intent and this is stage setting.

I'm not sure we will be able to report our findings back to this group,
but we are actively investigating.

Kind regards,

Job

On Sat, Jan 25, 2020 at 12:06:51AM +0100, Florian Brandstetter wrote:
> It appears that there is currently an influx of rogue route
> objects created within the NTTCOM and RaDB IRR databases, in
> connection to Quadranet (AS8100) and China Mobile
> International (CMI).
> 
> Examples of affected networks are:
> 
> 193.30.32.0/23
> 45.129.92.0/23
> 45.129.94.0/24
> 
> Networks, which have seemingly no affiliation with
> Quadranet, nor China Mobile International (CMI), which
> merely appears to be an upstream of Quadranet and hence
> creates the route objects in an automated manner.
> 
> Another person has already reached out to Quadranet to find
> out the root cause of the creation of these objects. Their
> support gave an ETA of 24-72 hours.
> 
> The route objects are all identical:
> 
> route:      193.30.32.0/23
> descr:      CMI  (Customer Route)
> origin:     AS8100
> mnt-by:     MAINT-AS58453
> changed:    qas_supp...@cmi.chinamobile.com 20200117
> source:     RADB
> 
> There appears to be a correlation with the affected
> networks, a fair share of them is part of AS-SBAG, which in
> turn is part of AS-VMHAUS, which in turn is part of
> AS-QUADRANET and could yield the importing of these prefixes.
> AS-VMHAUS appears to be a customer of Quadranet, listed
> within AS-QUADRANET-CUSTOMER-ASSET.
> 
> These networks do however have no direct connection to
> Quadranet, and are not affiliated with Quadranet, nor are
> currently connected to Quadranet, which, entirely ignoring
> that the `origin` points to Quadranet, makes the route
> object illicit.
> 
> Basically this has given AS8100, whether that be
> legitimately Quadranet, or somebody impersonating/spinning
> up a rogue AS8100, theoretical control over a massive amount
> of prefixes, as these can be advertised without restrictions
> and very likely reach a fairly high percentage of global
> visibility.
> 
> --
> Florian Brandstetter
> President & Founder
> SquareFlow Network LTD.
> 
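The thread revolves around route objects like the one quoted above: an RPSL record whose `origin` names an ASN that does not actually announce the prefix. A defender's first question is "which of the route objects covering my space carry an origin I did not authorise?" The following is an added example, not code from either poster or from NTT, RADB or Quadranet: it parses RPSL text (blank-line separated objects, with standard continuation lines) and audits each `route` object against a table of prefixes the operator holds and the origin ASN expected for each. The sample RPSL is constructed, modelled on the object in the mail; the expected origin AS64500, the covering block 45.129.92.0/22 and the maintainer MAINT-EXAMPLE are hypothetical placeholders, and the real IRR lookup (an `whois -h` query or a mirrored database dump) is assumed to have produced the text fed to `parse_rpsl`.

```python
import ipaddress

# Constructed RPSL sample, modelled on the object quoted in the thread.
# The third object is a hypothetical counter-example whose origin matches.
SAMPLE_RPSL = """\
route:      193.30.32.0/23
descr:      CMI  (Customer Route)
origin:     AS8100
mnt-by:     MAINT-AS58453
changed:    qas_supp...@cmi.chinamobile.com 20200117
source:     RADB

route:      45.129.92.0/23
descr:      CMI  (Customer Route)
origin:     AS8100
mnt-by:     MAINT-AS58453
source:     RADB

route:      203.0.113.0/24
descr:      Constructed object carrying the expected origin
origin:     AS64500
mnt-by:     MAINT-EXAMPLE
source:     RADB
"""

# Prefixes this (hypothetical) operator holds and the origin ASN that any
# route object covering them should carry. AS64500 is a documentation ASN.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("193.30.32.0/23"): "AS64500",
    ipaddress.ip_network("45.129.92.0/22"): "AS64500",   # covers the two /23s
    ipaddress.ip_network("203.0.113.0/24"): "AS64500",
}


def parse_rpsl(text):
    """Split RPSL text into objects: a list of {attribute: [values]} dicts.

    Objects are separated by blank lines. A line starting with a space, tab
    or '+' continues the previous attribute's value, as RPSL allows.
    """
    objects, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t+" and last_key is not None:
            current[last_key][-1] += " " + line[1:].strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip().lower()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def audit_route_objects(objects, expected):
    """Return (prefix, found_origin, expected_origin, mnt-by, source) tuples for
    every route object that sits inside a held block but names another origin."""
    findings = []
    for obj in objects:
        if "route" not in obj:
            continue  # as-set, aut-num, etc. are not route objects
        prefix = ipaddress.ip_network(obj["route"][0], strict=False)
        origin = obj.get("origin", ["?"])[0].upper()
        for held, asn in expected.items():
            if prefix.version != held.version or not prefix.subnet_of(held):
                continue
            if origin != asn.upper():
                findings.append((str(prefix), origin, asn,
                                 obj.get("mnt-by", ["?"])[0],
                                 obj.get("source", ["?"])[0]))
    return findings


if __name__ == "__main__":
    for prefix, found, wanted, mnt, src in audit_route_objects(
            parse_rpsl(SAMPLE_RPSL), EXPECTED_ORIGIN):
        print(f"{src}: {prefix} origin {found} (expected {wanted}), mnt-by {mnt}")
```

Run periodically against a fresh dump of each IRR source and diff the findings: a new tuple appearing for a prefix you hold is exactly the kind of event this thread describes, and the `mnt-by` value tells you which maintainer account to raise with the database operator.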
