Not to respond to my own post, or anything. But. Another interesting thing.
bgp.he.net reports show that AS133955 is/was also announcing 69.172.127.0/24 "WiMore S.r.l.". bgp.he.net shows a red key icon on that origination, meaning that there’s an RPKI ROA that does not match that origination.

And bgp.he.net reports an RADB route object with a proxy registration for AS133955 to originate 69.172.127.0/24, registered on 9/25 like the three prefixes below.

RADB still reports that route object (along with a very old one)

route:      69.172.127.0/24
descr:      Fleg Asia Telecom Ltd
            Proxy-registered route object
origin:     AS133955
notify:     [email protected]
mnt-by:     MAINT-AS17709
changed:    [email protected] 20170925  #00:31:36Z
source:     RADB

route:      69.172.64.0/18
descr:      Canaca-Com Inc
descr:      1650 Dundas Street East Unit 203
descr:      Mississauga, Ontario
descr:      CA
origin:     AS33139
mnt-by:     MNT-CANAC
changed:    [email protected] 20100624
source:     ARIN

stats.ripe.net shows 69.172.127.0/24 is presently being announced - "Originated by: AS133955 (valid route object in RADB)”, "100% visible (by 157 of 157 RIS full peers)"

The RPKI says that AS34526 (WiMore S.r.l.) is authorized to originate 69.172.96.0/19. But the aggregate prefix is not being announced. If the AS133955 origination is valid, they really ought to update their ROA.

Hm. I am curious about that prefix. Is it being hijacked? Or am I just reading everything wrong?

—Sandy

> On Oct 4, 2017, at 1:45 PM, Sandra Murphy <[email protected]> wrote:
>
>
>> On Oct 4, 2017, at 11:29 AM, Theodore Baschak <[email protected]> wrote:
>>
>> I noticed when I looked into both of these leaks 3 hours after Clinton's
>> message yesterday that I couldn't see them in any of the looking glasses I
>> was looking in (including the NLNOG looking glass)
>>
>> Looks like things were able to be cleaned up very quickly.
>
> Interesting.
>
> bgp.he.net is still reporting AS133955 as the originator of 64.68.207.0/24.
> I don’t know what their refresh cycle is.
>
> And, oh look, bgp.he.net points to an RADB proxy registration for the
> AS133955 origination. RADB no longer reports that route object. But it must
> have been there at some point.
>
> RADB
> route:      64.68.207.0/24
> descr:      Fleg Asia Telecom Ltd
>             Proxy-registered route object
> origin:     AS133955
> notify:     [email protected]
> mnt-by:     MAINT-AS17709
> changed:    [email protected] 20170830  #05:45:57Z
> source:     RADB
>
> stat.ripe.net (bless you, RIPE!) shows that 64.68.207.0/24 has been
> originated by AS133955 off and on for the last month (since the RADB route
> object’s change date?) in the BGP Update Activity and Routing History graphs.
> And a huge flurry of activity yesterday.
>
> Could I be reading all this wrong? Seems to have been going on for quite a
> while.
>
> —Sandy
>
> P.S. The other three prefixes mentioned below show similar results in
> bgp.he.net, with route objects proxy registered on 9/25, and similar results
> in stats.ripe.net, with off-and-on announcements, more off than on for these,
> closely timed with the route object registration.
>
>
>>
>> Theodore Baschak - AS395089 - Hextet Systems
>> https://bgp.guru/ - https://hextet.net/
>> http://mbix.ca/ - http://mbnog.ca/
>>
>>
>> On Tue, Oct 3, 2017 at 6:29 PM, Clinton Work <[email protected]> wrote:
>>
>>> TELUS AS852 has three address blocks hijacked by AS133955 as well. We
>>> have not been able to get in contact with AS24155. It looks like they
>>> are buying transit from PCCW AS3491 and Taiwan Internet Gateway AS9505.
>>>
>>> 68.182.255.0/24
>>> 74.49.255.0/24
>>> 96.1.255.0/24
>>>
>>>
>>> On Tue, Oct 3, 2017, at 10:30 AM, Mark Jeftovic wrote:
>>>>
>>>> as133955 is broadcasting bogus BGP announcement for our netblock
>>>> 64.68.207.0/24
>>>>
>>>> It's in China, and we're trying to contact as24155 but they are also in
>>>> China and we're just emailing their whois record address.
>>>>
>>>> If you're nearby and in a position to block/dampen that might be helpful.
>>>>
>>>> Thx
>>>>
>>>> - mark
>>>>
>>>> --
>>>> Mark Jeftovic <[email protected]>
>>>> Founder & CEO, easyDNS Technologies Inc.
>>>> http://www.easyDNS.com
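The comparison made in the message above (an RPKI ROA for AS34526 covering 69.172.96.0/19 against an AS133955 origination that RADB's proxy-registered route object supports), as an added example that is not part of the original thread: RFC 6811 origin validation cross-checked against the route objects quoted in the message. The ROA maxLength of 19, the function names, and the third sample announcement are assumptions; the thread gives only the ROA prefix and ASN.

```python
import ipaddress

# The one ROA the thread mentions. maxLength is NOT stated there; 19 is assumed.
ROAS = [("69.172.96.0/19", 19, 34526)]
# Route objects quoted in the thread: (prefix, origin ASN, source registry).
ROUTE_OBJECTS = [("69.172.127.0/24", 133955, "RADB"),
                 ("69.172.64.0/18", 33139, "ARIN")]

def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the route
        covered = True
        if roa_asn == origin_asn and roa_asn != 0 and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none means invalid.
    return "invalid" if covered else "not-found"

def irr_sources(prefix, origin_asn, objects=ROUTE_OBJECTS):
    """Registries holding a route object with exactly this prefix and origin."""
    route = ipaddress.ip_network(prefix)
    return [src for p, asn, src in objects
            if ipaddress.ip_network(p) == route and asn == origin_asn]

def assess(prefix, origin_asn):
    """Return (rpki_state, irr_sources, conflict) for one announcement."""
    rpki = validate_origin(prefix, origin_asn)
    irr = irr_sources(prefix, origin_asn)
    # An IRR object that backs an RPKI-invalid origin deserves a closer look:
    # either the ROA is stale or the route object should not exist.
    return rpki, irr, rpki == "invalid" and bool(irr)

ANNOUNCEMENTS = [
    ("69.172.127.0/24", 133955),  # origination discussed in the thread
    ("69.172.96.0/19", 34526),    # the aggregate the ROA authorizes
    ("69.172.127.0/24", 34526),   # constructed: right ASN, longer than maxLength
    ("64.68.207.0/24", 133955),   # no ROA for this prefix in the sample set
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        rpki, irr, conflict = assess(prefix, asn)
        print(f"{prefix:18} AS{asn:<7} rpki={rpki:9} irr={irr} conflict={conflict}")
```

The "not-found" result for 64.68.207.0/24 reflects only the single ROA loaded here, not the state of the global RPKI.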

