Hi Guys,
This is something that I keep an eye on, and I do act on any unauthorised announcements.
Just this last week several blocks were hijacked with malicious intent; I spent several
hours contacting their upstreams to get them blocked as well as altDB & RADB to get
their unauthorised route objects removed. Successfully, I am pleased to say.
As for more specific prefixes being announced from within larger allocated prefixes - this
really depends on when the larger block was allocated: Before 2020 there was no specific
restriction mentioned in the LOA regarding this, however as this has been an issue, all
LOAs issued from near the start of 2020 have a clause that specifically prohibits this.
Again, I do keep an eye on this.
On a related subject, ARDC have recently opened an account with RADB. Many folks struggle
to add route objects to an IRR DB after I have issued an LOA; it is a recurring problem I
deal with by adding their route object to altDB. The problem with altDB is that not all
carriers build their filters from there (presumably because it is a free IRR DB and anyone
can add any route object they like, including hijackers). RADB is a more respected and
more widely used IRR DB. The intention is to automate the creation and removal of route
objects via their API from the Portal.
Adding visibility of the origin ASN to BGP announced allocations is also on the list for
the Portal development. Min/Max expected prefixes is not something that has been
considered before, however I can see that it would be quite useful, and not at all
difficult to implement, so I have added that to the list - thanks for that Nat.
Regards,
Chris - G1FEF
On 31 Jan 2021, at 02:47, Nat Morris via 44Net
<44net(a)mailman.ampr.org> wrote:
Hi Colin,
Thanks for the prompt response to the thread, yes your exact use case
is one which I was expecting to see!
I'm more worried about the more specific announcements within the
portal covering /16 entries.
It would certainly be handy to have publicly visible origin ASN
fields per BGP assignment, plus max / min expected prefix lists (like
RIPE route objects) that would allow for some automated alerting to be
built.
Nat,
On Sun, Jan 31, 2021 at 2:42 AM Colin Bodor <colin.bodor(a)imperium.ca> wrote:
Hello, nice work! And that's interesting/possibly concerning data.
I am AS 55016, and doing exactly as you mentioned, I got a /22 and am announcing it as
/24s instead. I may split one or two of the /24s out which is why it was done this way.
Thought I would just let everyone know those are legitimate announcements (55016 is in the
portal under the related /22 of course)
-Colin
-----Original Message-----
From: 44Net <44net-bounces+colin.bodor=imperium.ca(a)mailman.ampr.org> On Behalf Of
Nat Morris via 44Net
Sent: Saturday, January 30, 2021 19:35
To: AMPRNet working group <44net(a)mailman.ampr.org>
Cc: Nat Morris <nat(a)nuqe.net>
Subject: [44net] Concerning over undocumented BGP announcements
Hello all,
Over the last few months I have noticed some odd BGP announcements of prefixes which have
no allocations in the AMPRnet portal. After spotting 5 or 6 of these it made me wonder how
many existed.
This evening I took a snapshot of the RIPE RIS data for announcements within 44.0.0.0/9
and 44.128.0.0/10, which took place in 2021. Then scraped the allocations from the AMPRnet
portal, compared prefixes directly and then used a radix tree to find a best match.
The resulting data
https://docs.google.com/spreadsheets/d/1nb4cTYVG1tm4HpxgPp7TAcgZ_qOlcej1whd…
At first glance there are some expected entries, for example users with a /22 or /23
announcing a more specific /24.
What really worries me is the amount of announcements of /24s where the closest portal
documented prefix is a /16. Are these being used legitimately? Do AMPR co-ordinators what
details about them? Or have they been hijacked?
Look for example at /24 announcements within country assignments, but no specific
description!
I would like to start a discussion around these specific prefixes.
The scripts I wrote are here
https://github.com/natm/amprnet-observer
Kind regards,
Nat.
--
Nat
https://nat.ms
+44 7531 750292
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
--
Nat
https://nat.ms
+44 7531 750292
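The comparison described in the original post (exact match against documented allocations, then a best covering match), as an added example that is not taken from the amprnet-observer scripts or from any of the messages above. It uses a plain binary trie in place of a radix tree library; every prefix, ASN and the `max_gap` threshold below is a constructed assumption.

```python
import ipaddress

class PrefixTrie:
    """Binary trie over IPv4 prefix bits; lookup returns the longest covering entry."""
    def __init__(self):
        self.root = {}

    @staticmethod
    def _bits(net):
        return format(int(net.network_address), "032b")[:net.prefixlen]

    def insert(self, prefix, origin_asn):
        net = ipaddress.ip_network(prefix)
        node = self.root
        for bit in self._bits(net):
            node = node.setdefault(bit, {})
        node["entry"] = (net, origin_asn)

    def best_match(self, prefix):
        node, best = self.root, self.root.get("entry")
        for bit in self._bits(ipaddress.ip_network(prefix)):
            node = node.get(bit)
            if node is None:
                break
            best = node.get("entry", best)
        return best

def classify(trie, prefix, origin_asn, max_gap=2):
    """Label one announcement; max_gap is a hypothetical alerting threshold."""
    match = trie.best_match(prefix)
    if match is None:
        return "undocumented"          # nothing documented covers it
    alloc, documented_asn = match
    if documented_asn is not None and documented_asn != origin_asn:
        return "origin-mismatch"       # covered, but announced by another ASN
    gap = ipaddress.ip_network(prefix).prefixlen - alloc.prefixlen
    if gap == 0:
        return "exact"
    return "more-specific-expected" if gap <= max_gap else "more-specific-review"

def audit(allocations, announcements):
    trie = PrefixTrie()
    for prefix, asn in allocations.items():
        trie.insert(prefix, asn)
    return {(p, a): classify(trie, p, a) for p, a in announcements}

# Constructed sample data: documentation ASNs, made-up prefixes inside 44.0.0.0/9.
ALLOCATIONS = {"44.10.0.0/16": None, "44.20.4.0/22": 64496, "44.30.1.0/24": 64497}
ANNOUNCEMENTS = [("44.20.5.0/24", 64496), ("44.10.77.0/24", 64500),
                 ("44.30.1.0/24", 64497), ("44.30.1.0/24", 64511),
                 ("44.99.0.0/24", 64500)]
```

Calling `audit(ALLOCATIONS, ANNOUNCEMENTS)` returns one label per announcement; the `more-specific-review` label corresponds to the /24-under-/16 case raised in the thread.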