Re: hijacking of 128.255.192.0/22

2018-03-21 Thread Jared Mauch
Can someone from HE comment on how they are doing their filtering? We often see 
our routes leaked by them or their customers and it’s quite the problem and 
significantly contributes to the pollution in the routing table. 

Often friends and smaller providers come to me for help and the lack of 
filtering as well as BGP communities poses significant operational issues for 
networks. 

Jared Mauch

> On Mar 20, 2018, at 5:35 PM, Jay Ford  wrote:
> 
> Something apparently in Brazil is hijacking 128.255.192.0/22, part of 
> 128.255.0.0/16 which is held by the University of Iowa.  AS 263971 is 
> announcing 128.255.192.0/22 which Hurricane Electric is accepting & 
> propagating.  None of that has any authorization.
> 
> I can't find any decent contact information for the originating entity, so I 
> have reported it to ab...@he.net, but it'd be fabulous if some HE folks 
> listening here could whack the hijacking faster than the abuse channels will 
> get to it.  Also useful would be some functional contact for AS263971.
> 
> Any help will be appreciated.
> 
> 
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-



Re: hijacking of 128.255.192.0/22

2018-03-20 Thread Tim Evens


Looks like this incident didn't start today. I show it starting back on
2/22 at 00:31:38 UTC. It then persisted till 3/19 where it started to
get withdrawn by most peers. It wasn't until 3/20 at 19:10:10 UTC when
it was globally withdrawn from all peers that were advertising it. 

I'll be like Job and plug monitoring. Had FaleMais and/or University of
Iowa been monitoring their own prefixes as well as what they advertised
(originate in this case), this could have been stopped when it started
almost a month ago. 

--Tim 

On 20.03.2018 13:32, Sandra Murphy wrote: 

> You are pointing out that 138.255.192.0/22 is the likely cause of the hijack 
> of 128.255.192.0/22, right?
> 
> (No need to be privately told - that's straight from the LACNIC Whois)
> 
> --Sandy
>
>> On Mar 20, 2018, at 3:40 PM, Alejandro Acosta wrote:
>>
>> Hello,
>>
>> Someone in Lacnog privately told me this:
>>
>> aut-num: AS263971
>> owner: FaleMais Comunicações LTDA
>> responsible: Paulo Henrique Mem Pereira
>> owner-c: LEVAL5
>> routing-c: LEVAL5
>> abuse-c: LEVAL5
>> created: 20150831
>> changed: 20150831
>> inetnum: 138.255.192.0/22
>> inetnum: 2804:28a0::/32
>> inetnum: 170.254.76.0/22
>>
>> Regards, Alejandro,
>>
>> On 20/3/18 at 2:35 p.m., Jay Ford wrote:
>>> Something apparently in Brazil is hijacking 128.255.192.0/22, part of
>>> 128.255.0.0/16 which is held by the University of Iowa. AS 263971 is
>>> announcing 128.255.192.0/22 which Hurricane Electric is accepting &
>>> propagating. None of that has any authorization.
>>>
>>> I can't find any decent contact information for the originating
>>> entity, so I have reported it to ab...@he.net, but it'd be fabulous if
>>> some HE folks listening here could whack the hijacking faster than the
>>> abuse channels will get to it. Also useful would be some functional
>>> contact for AS263971.
>>>
>>> Any help will be appreciated.
>>>
>>> Jay Ford, Network Engineering Group, Information Technology Services
>>> University of Iowa, Iowa City, IA 52242
>>> email: jay-f...@uiowa.edu, phone: 319-335-
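
The prefix monitoring recommended in the message above, as an added example that is not from any participant in the thread: it replays route-collector updates and reports how long an unauthorized origin was visible for a held prefix. The feed is constructed; AS64500 is a documentation-range placeholder for the legitimate origin, the peer names are invented, and the 2/22 and 3/20 timestamps are read as 2018 dates.

```python
import ipaddress
from datetime import datetime, timezone

# Held block from the thread. AS64500 is a documentation-range placeholder for
# the holder's legitimate origin AS, which the thread does not state.
HELD = {ipaddress.ip_network("128.255.0.0/16"): {64500}}

def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed collector feed: (time, peer, "A"nnounce / "W"ithdraw, prefix, origin).
# Peer names and the intermediate timestamps are invented for the example.
FEED = [
    (utc("2018-02-21 09:00:00"), "peer1", "A", "128.255.0.0/16", 64500),
    (utc("2018-02-22 00:31:38"), "peer1", "A", "128.255.192.0/22", 263971),
    (utc("2018-02-22 00:31:52"), "peer2", "A", "128.255.192.0/22", 263971),
    (utc("2018-02-22 01:00:00"), "peer2", "A", "138.255.192.0/22", 263971),
    (utc("2018-03-19 14:00:00"), "peer1", "W", "128.255.192.0/22", None),
    (utc("2018-03-20 19:10:10"), "peer2", "W", "128.255.192.0/22", None),
]

def unauthorized(prefix, origin):
    """True when prefix lies inside a held block but the origin AS is not allowed."""
    net = ipaddress.ip_network(prefix)
    for held, origins in HELD.items():
        if net.version == held.version and net.subnet_of(held):
            return origin not in origins
    return False

def hijack_windows(feed):
    """Map (prefix, origin) -> [first seen, time the last peer dropped it or None]."""
    carried, active, windows = {}, {}, {}
    for when, peer, kind, prefix, origin in sorted(feed, key=lambda u: u[0]):
        old = carried.pop((peer, prefix), None)   # any update replaces the old path
        if old is not None:
            active[(prefix, old)].discard(peer)
            if not active[(prefix, old)]:
                windows[(prefix, old)][1] = when
        if kind == "A" and unauthorized(prefix, origin):
            carried[(peer, prefix)] = origin
            active.setdefault((prefix, origin), set()).add(peer)
            windows.setdefault((prefix, origin), [when, None])[1] = None
    return windows

if __name__ == "__main__":
    for (prefix, origin), (start, end) in hijack_windows(FEED).items():
        print(f"{prefix} via AS{origin}: {start} -> {end} ({end - start if end else 'ongoing'})")
```

An alert raised at the first unauthorized announcement, rather than a report after the fact, is the point of running this continuously against a live feed.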





Re: hijacking of 128.255.192.0/22

2018-03-20 Thread Sandra Murphy
You are pointing out that 138.255.192.0/22 is the likely cause of the hijack of 
128.255.192.0/22, right?

(No need to be privately told - that’s straight from the LACNIC Whois)

—Sandy

> On Mar 20, 2018, at 3:40 PM, Alejandro Acosta wrote:
> 
> Hello,
> 
>   Someone in Lacnog privately told me this:
> 
> 
> aut-num: AS263971
> owner: FaleMais Comunicações LTDA
> responsible: Paulo Henrique Mem Pereira
> owner-c: LEVAL5
> routing-c: LEVAL5
> abuse-c: LEVAL5
> created: 20150831
> changed: 20150831
> inetnum: 138.255.192.0/22
> inetnum: 2804:28a0::/32
> inetnum: 170.254.76.0/22
> 
> Regards, Alejandro,
> 
> 
> On 20/3/18 at 2:35 p.m., Jay Ford wrote:
>> Something apparently in Brazil is hijacking 128.255.192.0/22, part of
>> 128.255.0.0/16 which is held by the University of Iowa.  AS 263971 is
>> announcing 128.255.192.0/22 which Hurricane Electric is accepting &
>> propagating.  None of that has any authorization.
>> 
>> I can't find any decent contact information for the originating
>> entity, so I have reported it to ab...@he.net, but it'd be fabulous if
>> some HE folks listening here could whack the hijacking faster than the
>> abuse channels will get to it.  Also useful would be some functional
>> contact for AS263971.
>> 
>> Any help will be appreciated.
>> 
>> 
>> Jay Ford, Network Engineering Group, Information Technology Services
>> University of Iowa, Iowa City, IA 52242
>> email: jay-f...@uiowa.edu, phone: 319-335-



Re: hijacking of 128.255.192.0/22

2018-03-20 Thread Alejandro Acosta
Hello,

  Someone in Lacnog privately told me this:


aut-num: AS263971
owner: FaleMais Comunicações LTDA
responsible: Paulo Henrique Mem Pereira
owner-c: LEVAL5
routing-c: LEVAL5
abuse-c: LEVAL5
created: 20150831
changed: 20150831
inetnum: 138.255.192.0/22
inetnum: 2804:28a0::/32
inetnum: 170.254.76.0/22

Regards, Alejandro,


On 20/3/18 at 2:35 p.m., Jay Ford wrote:
> Something apparently in Brazil is hijacking 128.255.192.0/22, part of
> 128.255.0.0/16 which is held by the University of Iowa.  AS 263971 is
> announcing 128.255.192.0/22 which Hurricane Electric is accepting &
> propagating.  None of that has any authorization.
>
> I can't find any decent contact information for the originating
> entity, so I have reported it to ab...@he.net, but it'd be fabulous if
> some HE folks listening here could whack the hijacking faster than the
> abuse channels will get to it.  Also useful would be some functional
> contact for AS263971.
>
> Any help will be appreciated.
>
> 
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-



Re: hijacking of 128.255.192.0/22

2018-03-20 Thread João Butzke

I contacted the company and forwarded this email to them.

Best regards, João Butzke.
On 20/03/2018 16:32, Job Snijders wrote:

> On Tue, 20 Mar 2018 at 19:26, Ken Chase wrote:
>
>> A reason to de-aggregate down to /24s, to make hijacks more difficult/less
>> effective?
>
> Or perhaps something less costly for everyone: a reason for HE to implement
> prefix-based EBGP filters?
>
> At any given moment there appear to be roughly 5500 prefixes in HE’s
> customer cone for which no attestation can be found in any of IRR, RPKI or
> WHOIS. I find this deeply concerning.
>
> Kind regards,
>
> Job





Re: hijacking of 128.255.192.0/22

2018-03-20 Thread Job Snijders
On Tue, 20 Mar 2018 at 19:26, Ken Chase  wrote:

> A reason to de-aggregate down to /24s, to make hijacks more difficult/less
> effective?


Or perhaps something less costly for everyone: a reason for HE to implement
prefix-based EBGP filters?

At any given moment there appear to be roughly 5500 prefixes in HE’s
customer cone for which no attestation can be found in any of IRR, RPKI or
WHOIS. I find this deeply concerning.

Kind regards,

Job
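
A prefix-based EBGP import filter of the kind asked for in the message above, as an added example that is not from any participant in the thread or from any operator's configuration. The registered prefixes are the inetnum lines of the LACNIC record quoted elsewhere in the thread; the maximum-length policy, the function names and the sample session are assumptions. The `near_miss` helper also surfaces the 138/128 one-octet difference pointed out in the thread.

```python
import ipaddress

# Address space registered to each customer AS. The AS263971 entries are the
# inetnum lines of the LACNIC record quoted in the thread; a production filter
# would be generated from IRR, RPKI or WHOIS data, not typed in by hand.
REGISTERED = {263971: ["138.255.192.0/22", "2804:28a0::/32", "170.254.76.0/22"]}
MAX_LEN = {4: 24, 6: 48}  # longest prefix accepted per family (assumed policy)

def attested(prefix, origin):
    """True when prefix sits inside space registered to origin and is not too long."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_LEN[net.version]:
        return False
    blocks = (ipaddress.ip_network(r) for r in REGISTERED.get(origin, []))
    return any(net.version == b.version and net.subnet_of(b) for b in blocks)

def near_miss(prefix, origin):
    """Registered prefix of equal length whose address differs in one octet only:
    a hint that the rejected route is a typo of a legitimate one."""
    net = ipaddress.ip_network(prefix)
    for reg in REGISTERED.get(origin, []):
        b = ipaddress.ip_network(reg)
        if (b.version, b.prefixlen) != (net.version, net.prefixlen):
            continue
        pairs = zip(b.network_address.packed, net.network_address.packed)
        if sum(x != y for x, y in pairs) == 1:
            return reg
    return None

def ebgp_import(session):
    """Filter (prefix, origin) pairs; return (accepted, rejected-with-hint)."""
    accepted, rejected = [], []
    for prefix, origin in session:
        if attested(prefix, origin):
            accepted.append((prefix, origin))
        else:
            rejected.append((prefix, origin, near_miss(prefix, origin)))
    return accepted, rejected

# Constructed session: routes offered by the customer over EBGP.
SESSION = [
    ("138.255.192.0/22", 263971),
    ("128.255.192.0/22", 263971),   # the announcement reported in the thread
    ("170.254.76.0/24", 263971),
    ("2804:28a0::/32", 263971),
    ("138.255.192.0/25", 263971),   # registered space, but longer than MAX_LEN
]
```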



Re: hijacking of 128.255.192.0/22

2018-03-20 Thread Ken Chase
A reason to de-aggregate down to /24s, to make hijacks more
difficult/less effective?

/kc


On Tue, Mar 20, 2018 at 04:20:47PM -0300, Alejandro Acosta said:
  >Hi Jay,
  >
  >   Please note that there is Lacnog mailing list.., I will forward your
  >message. Not sure if it will work but worth giving it a try.
  >
  >
  >Regards,
  >
  >Alejandro,
  >
  >
  >
  >On 20/3/18 at 2:35 p.m., Jay Ford wrote:
  >> Something apparently in Brazil is hijacking 128.255.192.0/22, part of
  >> 128.255.0.0/16 which is held by the University of Iowa.  AS 263971 is
  >> announcing 128.255.192.0/22 which Hurricane Electric is accepting &
  >> propagating.  None of that has any authorization.
  >>
  >> I can't find any decent contact information for the originating
  >> entity, so I have reported it to ab...@he.net, but it'd be fabulous if
  >> some HE folks listening here could whack the hijacking faster than the
  >> abuse channels will get to it.  Also useful would be some functional
  >> contact for AS263971.
  >>
  >> Any help will be appreciated.
  >>
  >> 
  >> Jay Ford, Network Engineering Group, Information Technology Services
  >> University of Iowa, Iowa City, IA 52242
  >> email: jay-f...@uiowa.edu, phone: 319-335-
  >

-- 
Ken Chase - m...@sizone.org


Re: hijacking of 128.255.192.0/22

2018-03-20 Thread Alejandro Acosta
Hi Jay,

  Please note that there is Lacnog mailing list.., I will forward your
message. Not sure if it will work but worth giving it a try.


Regards,

Alejandro,



On 20/3/18 at 2:35 p.m., Jay Ford wrote:
> Something apparently in Brazil is hijacking 128.255.192.0/22, part of
> 128.255.0.0/16 which is held by the University of Iowa.  AS 263971 is
> announcing 128.255.192.0/22 which Hurricane Electric is accepting &
> propagating.  None of that has any authorization.
>
> I can't find any decent contact information for the originating
> entity, so I have reported it to ab...@he.net, but it'd be fabulous if
> some HE folks listening here could whack the hijacking faster than the
> abuse channels will get to it.  Also useful would be some functional
> contact for AS263971.
>
> Any help will be appreciated.
>
> 
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-