On Sun, Jan 31, 2021 at 9:36 AM G1FEF via 44Net <44net(a)mailman.ampr.org> wrote:
> This is something that I keep an eye on, and I do act on any unauthorised announcements.
> Just this last week several blocks were hijacked with malicious intent; I spent several
> hours contacting their upstreams to get them blocked as well as altDB & RADB to get
> their unauthorised route objects removed. Successfully, I am pleased to say.
Which blocks did you report?
Any explanation for these prefixes announced in the UK by AS61337,
alongside your portal prefixes? They are not documented at all in the
portal:
44.127.128.0/24
44.190.122.0/24
44.190.124.0/24
44.190.125.0/24
44.190.128.0/24
44.190.129.0/24
44.190.130.0/24
44.190.131.0/24
44.191.0.0/20
> On a related subject, ARDC have recently opened an
> account with RADB. Many folks struggle to add route objects to an IRR DB after I have
> issued an LOA; it is a recurring problem I deal with by adding their route object to
> altDB. The problem with altDB is that not all carriers build their filters from there
> (presumably because it is a free IRR DB and anyone can add any route object they like,
> including hijackers). RADB is a more respected and more widely used IRR DB. The intention
> is to automate the creation and removal of route objects via their API from the Portal.
RADB is ok, but not sufficient for the future. A better investment
would be for the ARDC to negotiate with one of the 5 RIRs for
prefixes to be registered there, so we could all benefit from use of
their RPKI trust anchors. Having prefixes in RADB will not provide
trust anchor functionality.
> Adding visibility of the origin ASN to BGP announced
> allocations is also on the list for the Portal development. Min/Max expected prefixes is
> not something that has been considered before; however, I can see that it would be quite
> useful, and not at all difficult to implement, so I have added that to the list - thanks
> for that Nat.
Which repo is this development taking place in?
I noticed the
github.com AMPRnet Portal repo has been removed.
Nat,
> Regards,
> Chris - G1FEF
>
> On 31 Jan 2021, at 02:47, Nat Morris via 44Net
> <44net(a)mailman.ampr.org> wrote:
>> Hi Colin,
>> Thanks for the prompt response to the thread; yes, your exact use case
>> is one which I was expecting to see!
>> I'm more worried about the more specific announcements within the
>> portal covering /16 entries.
>> It would certainly be handy to have publicly visible origin ASN
>> fields per BGP assignment, plus max / min expected prefix lists (like
>> RIPE route objects) that would allow for some automated alerting to be
>> built.
>> Nat,
>> On Sun, Jan 31, 2021 at 2:42 AM Colin Bodor <colin.bodor(a)imperium.ca> wrote:
>>> Hello, nice work! And that's interesting/possibly concerning data.
>>> I am AS 55016 and am doing exactly as you mentioned: I got a /22 and am announcing it as
>>> /24s instead. I may split one or two of the /24s out, which is why it was done this way.
>>> Thought I would just let everyone know those are legitimate announcements (55016 is in the
>>> portal under the related /22 of course).
>>> -Colin
>>> -----Original Message-----
>>> From: 44Net <44net-bounces+colin.bodor=imperium.ca(a)mailman.ampr.org> On Behalf Of
>>> Nat Morris via 44Net
>>> Sent: Saturday, January 30, 2021 19:35
>>> To: AMPRNet working group <44net(a)mailman.ampr.org>
>>> Cc: Nat Morris <nat(a)nuqe.net>
>>> Subject: [44net] Concerning over undocumented BGP announcements
>>>> Hello all,
>>>> Over the last few months I have noticed some odd BGP announcements of prefixes which have
>>>> no allocations in the AMPRnet portal. After spotting 5 or 6 of these, it made me wonder how
>>>> many existed.
>>>> This evening I took a snapshot of the RIPE RIS data for announcements within 44.0.0.0/9
>>>> and 44.128.0.0/10, which took place in 2021. I then scraped the allocations from the AMPRnet
>>>> portal, compared prefixes directly and then used a radix tree to find a best match.
>>>> The resulting data
>>>> https://docs.google.com/spreadsheets/d/1nb4cTYVG1tm4HpxgPp7TAcgZ_qOlcej1whd…
>>>> At first glance there are some expected entries, for example users with a /22 or /23
>>>> announcing a more specific /24.
>>>> What really worries me is the number of announcements of /24s where the closest portal
>>>> documented prefix is a /16. Are these being used legitimately? Do AMPR co-ordinators have
>>>> details about them? Or have they been hijacked?
>>>> Look for example at /24 announcements within country assignments, but no specific
>>>> description!
>>>> I would like to start a discussion around these specific prefixes.
>>>> The scripts I wrote are here
>>>> https://github.com/natm/amprnet-observer
>>>> Kind regards,
>>>> Nat.
>>>> --
>>>> Nat
>>>> https://nat.ms
>>>> +44 7531 750292
>>>> _________________________________________
>>>> 44Net mailing list
>>>> 44Net(a)mailman.ampr.org
>>>> https://mailman.ampr.org/mailman/listinfo/44net
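The comparison Nat describes in the original post (RIS announcements matched against portal allocations by longest prefix over a radix tree), extended with the per-allocation origin ASN and max/min prefix-length check that Nat asked for and Chris put on the Portal list, as an added example. This is not code from natm/amprnet-observer or from the Portal; the allocation records, the private-range origin ASNs (64500 and up) and the announcements are all constructed for illustration, not portal or RIS data, and the verdict labels are this example's own.

```python
"""Longest-prefix match of BGP announcements against documented allocations.

Added example, not code from natm/amprnet-observer or the AMPRnet Portal.
All allocations, origin ASNs (private range 64500+) and announcements below
are constructed for illustration; they are not portal or RIS data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Allocation:
    prefix: ipaddress.IPv4Network
    origin_asn: Optional[int]   # None: the record documents no BGP origin
    max_len: Optional[int]      # None: no longest-accepted prefix length documented


class RadixTrie:
    """Binary trie over prefix bits; a node carries an Allocation if one ends there."""

    def __init__(self) -> None:
        self.root: dict = {}

    def insert(self, alloc: Allocation) -> None:
        node = self.root
        addr = int(alloc.prefix.network_address)
        for i in range(alloc.prefix.prefixlen):
            node = node.setdefault((addr >> (31 - i)) & 1, {})
        node["alloc"] = alloc

    def longest_match(self, prefix: ipaddress.IPv4Network) -> Optional[Allocation]:
        """Most specific documented allocation that covers `prefix`, or None."""
        node, best = self.root, self.root.get("alloc")
        addr = int(prefix.network_address)
        for i in range(prefix.prefixlen):
            bit = (addr >> (31 - i)) & 1
            if bit not in node:
                break
            node = node[bit]
            best = node.get("alloc", best)
        return best


# Constructed portal-style records: (prefix, origin ASN or None, max length or None).
CONSTRUCTED_ALLOCATIONS = [
    ("44.200.0.0/16", None, None),   # country-level record with no BGP origin documented
    ("44.135.0.0/22", 64500, 24),    # BGP allocation that permits /24 de-aggregation
    ("44.31.0.0/16", 64510, 16),     # BGP allocation to be announced only as the /16
]

# Constructed announcements as a RIS snapshot would yield them: (prefix, origin ASN).
CONSTRUCTED_ANNOUNCEMENTS = [
    ("44.135.0.0/24", 64500),   # more specific of a documented /22, within max length
    ("44.135.0.0/22", 64500),   # exact documented prefix
    ("44.135.1.0/25", 64500),   # right holder, but longer than the documented max length
    ("44.135.0.0/24", 64520),   # covered, but announced by a different origin
    ("44.200.5.0/24", 64530),   # /24 whose closest documented record is a bare /16
    ("44.31.1.0/24", 64510),    # right holder de-aggregating a /16 documented as max /16
    ("44.7.7.0/24", 64540),     # nothing documented covers it at all
]


def build_trie(rows) -> RadixTrie:
    trie = RadixTrie()
    for prefix, asn, max_len in rows:
        trie.insert(Allocation(ipaddress.ip_network(prefix), asn, max_len))
    return trie


def classify(trie: RadixTrie, prefix: str, origin: int) -> str:
    """ROA-style verdict for one announcement against the documented allocations."""
    ann = ipaddress.ip_network(prefix)
    alloc = trie.longest_match(ann)
    if alloc is None:
        return "unallocated"
    if alloc.origin_asn is None:
        # The closest record says nothing about who may originate it: this is the
        # "/24 under a /16" case; the gap in prefix length is what to look at.
        return f"undocumented(closest=/{alloc.prefix.prefixlen})"
    if origin != alloc.origin_asn:
        return "origin-mismatch"
    max_len = alloc.max_len if alloc.max_len is not None else alloc.prefix.prefixlen
    if ann.prefixlen > max_len:
        return "too-specific"
    return "valid"


def audit(alloc_rows, announcements) -> dict:
    """Map each (prefix, origin) announcement to its verdict."""
    trie = build_trie(alloc_rows)
    return {(p, a): classify(trie, p, a) for p, a in announcements}


if __name__ == "__main__":
    for (prefix, asn), verdict in audit(CONSTRUCTED_ALLOCATIONS, CONSTRUCTED_ANNOUNCEMENTS).items():
        print(f"{prefix:18} AS{asn:<6} {verdict}")
```

The three verdicts "valid", "origin-mismatch" and "too-specific" are exactly what RPKI route origin validation yields from a ROA (origin ASN plus maxLength), which is the functionality Nat notes an IRR route object in RADB cannot provide; "undocumented" and "unallocated" are the two cases the thread is actually worried about, and an alert rule would key on them rather than on every more-specific announcement.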