Hello all,
Over the last few months I have noticed some odd BGP announcements of prefixes which have no allocations in the AMPRnet portal. After spotting 5 or 6 of these it made me wonder how many existed.
This evening I took a snapshot of the RIPE RIS data for announcements within 44.0.0.0/9 and 44.128.0.0/10, which took place in 2021. I then scraped the allocations from the AMPRnet portal, compared prefixes directly and then used a radix tree to find a best match.
The resulting data https://docs.google.com/spreadsheets/d/1nb4cTYVG1tm4HpxgPp7TAcgZ_qOlcej1whdv...
At first glance there are some expected entries, for example users with a /22 or /23 announcing a more specific /24.
What really worries me is the number of announcements of /24s where the closest portal documented prefix is a /16. Are these being used legitimately? Do AMPR co-ordinators what details about them? Or have they been hijacked?
Look, for example, at /24 announcements within country assignments, but no specific description!
I would like to start a discussion around these specific prefixes.
The scripts I wrote are here https://github.com/natm/amprnet-observer
Kind regards,
Nat.
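
The comparison described in the post (direct prefix match, then a radix-tree best match), as an added example that is not part of the original post and not taken from the amprnet-observer scripts. The allocations, labels and the `max_gap` review threshold are constructed assumptions.

```python
import ipaddress

class PrefixTrie:
    """Binary trie over IPv4 prefixes for longest-prefix (best covering) match."""
    def __init__(self):
        self.root = {}

    @staticmethod
    def _bits(net):
        addr = int(net.network_address)
        return [(addr >> (31 - i)) & 1 for i in range(net.prefixlen)]

    def insert(self, prefix, label):
        net = ipaddress.ip_network(prefix)
        node = self.root
        for bit in self._bits(net):
            node = node.setdefault(bit, {})
        node["entry"] = (net, label)

    def best_match(self, prefix):
        """Most specific stored (network, label) covering prefix, or None."""
        node, best = self.root, self.root.get("entry")
        for bit in self._bits(ipaddress.ip_network(prefix)):
            node = node.get(bit)
            if node is None:
                break
            best = node.get("entry", best)
        return best

def classify(announced, trie, max_gap=4):
    """max_gap (assumption): largest prefix-length gap treated as routine."""
    net = ipaddress.ip_network(announced)
    match = trie.best_match(announced)
    if match is None:
        return ("no-allocation", None)
    alloc, label = match
    if alloc == net:
        return ("exact", label)
    gap = net.prefixlen - alloc.prefixlen
    return ("more-specific" if gap <= max_gap else "review", label)

# Constructed sample data, not real portal allocations or RIS announcements.
ALLOCATIONS = [("44.10.0.0/16", "country block"), ("44.20.4.0/22", "user A"),
               ("44.30.1.0/24", "user B")]
ANNOUNCED = ["44.30.1.0/24", "44.20.5.0/24", "44.10.77.0/24", "44.200.0.0/24"]

def report():
    trie = PrefixTrie()
    for prefix, label in ALLOCATIONS:
        trie.insert(prefix, label)
    return {p: classify(p, trie) for p in ANNOUNCED}
```

A `review` result is the case the post is worried about: a /24 whose closest documented allocation is far less specific, such as a /16.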