[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Dreamhost/AS26347 unauthorized bgp announcement
- Subject: Dreamhost/AS26347 unauthorized bgp announcement
- From: andree+nanog at toonk.nl (Andree Toonk)
- Date: Wed, 06 Mar 2013 10:29:01 -0800
- In-reply-to: <[email protected]>
- References: <[email protected]>
.-- My secret spy satellite informs me that at 2013-03-06 12:59 AM
Matsuzaki Yoshinobu wrote:
> According to RIPE RIS, AS26347 announced a bunch of prefixes again.
> - http://www.ris.ripe.net/dashboard/26347
>
> First suspicious announcement was started 2013-03-06 07:52:40 UTC, and
> last seen 2013-03-06 08:33:56 UTC. 195 prefixes total.
>
> It seems these unauthorized announcements have the same profile as
> before - AS26347 shrinks the prefix lenght of their received prefix
> somehow upto /20, and re-originates the prefix with origin AS26347.
>
> Any known bugs?
Sounds indeed like an exact copy of the incident on January 11:
http://seclists.org/nanog/2013/Jan/243
That time the prefixes seem to also have been learned via a route-server
in LA.
The strange thing is that the majority of the 'hijacked' prefixes (today
and in January) are new more specifics (not seen before).
(Using some kind of BGP route optimizer?).
This time it affected 203 unique prefixes and 133 ASns.
Below a list of some of the affected ASns
20115 Charter Telecom.
4837 China Unicom
8151 UNINET Mexico
11427 Roadrunner
42961 MTC GPRS Kuwait
7303 Telecom Argentina S.A.
25135 Vodafone
7018 AT&T
6389 BellSouth.net
8220 Colt
19262 Verizon
9143 ZIGGO
6830 UPC
5089 Virgin Media
Cheers,
Andree