Mailing List Archive

BGP route hijack by AS10990
We saw a bunch of our IP blocks hijacked by AS10990 from 19:15 MDT until 20:23 MDT. Anybody else have problems with that.

ASpath: 1299 7219 10990

50.92.0.0/17 AS10990
198.166.0.0/17 AS10990
198.166.128.0/17 AS10990
162.157.128.0/17 AS10990
162.157.0.0/17 AS10990
50.92.128.0/17 AS10990



--
Clinton Work
Airdrie, AB
Re: BGP route hijack by AS10990 [ In reply to ]
We appeared to be impacted with some address space within 206.47.0.0/16
which AS577 normally advertises, but that was between 15:50 and 16:30
Eastern.

Jeff

On Wed, Jul 29, 2020, 10:48 PM Clinton Work <clinton@scripty.com> wrote:

> We saw a bunch of our IP blocks hijacked by AS10990 from 19:15 MDT until
> 20:23 MDT. Anybody else have problems with that.
>
> ASpath: 1299 7219 10990
>
> 50.92.0.0/17 AS10990
> 198.166.0.0/17 AS10990
> 198.166.128.0/17 AS10990
> 162.157.128.0/17 AS10990
> 162.157.0.0/17 AS10990
> 50.92.128.0/17 AS10990
>
>
>
> --
> Clinton Work
> Airdrie, AB
>
Re: BGP route hijack by AS10990 [ In reply to ]
Looks like the list is too long.. none of them have any valid ROAs as well.



Regards,

Aftab A. Siddiqui


On Thu, 30 Jul 2020 at 12:49, Clinton Work <clinton@scripty.com> wrote:

> We saw a bunch of our IP blocks hijacked by AS10990 from 19:15 MDT until
> 20:23 MDT. Anybody else have problems with that.
>
> ASpath: 1299 7219 10990
>
> 50.92.0.0/17 AS10990
> 198.166.0.0/17 AS10990
> 198.166.128.0/17 AS10990
> 162.157.128.0/17 AS10990
> 162.157.0.0/17 AS10990
> 50.92.128.0/17 AS10990
>
>
>
> --
> Clinton Work
> Airdrie, AB
>
Re: BGP route hijack by AS10990 [ In reply to ]
On 30/07/2020 05:46, Clinton Work wrote:
> We saw a bunch of our IP blocks hijacked by AS10990 from 19:15 MDT until 20:23 MDT. Anybody else have problems with that.
>
> ASpath: 1299 7219 10990
>
> 50.92.0.0/17 AS10990
> 198.166.0.0/17 AS10990
> 198.166.128.0/17 AS10990
> 162.157.128.0/17 AS10990
> 162.157.0.0/17 AS10990
> 50.92.128.0/17 AS10990
>
> --
> Clinton Work
> Airdrie, AB

See:
https://bgpstream.com/event/245264
https://bgpstream.com/event/245265

-Hank
Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer
Re: BGP route hijack by AS10990 [ In reply to ]
On Thu, Jul 30, 2020 at 11:21:04AM +0300,
Hank Nussbacher <hank@interall.co.il> wrote
a message of 48 lines which said:

> See:

And:

https://stat.ripe.net/widget/bgp-update-activity#w.starttime=2020-07-16T05%3A00%3A00&w.endtime=2020-07-30T05%3A00%3A00&w.resource=AS10990
Re: BGP route hijack by AS10990 [ In reply to ]
Looks like the real question here is why doesn’t 7219 do a better job of filtering what they accept.

Has anyone reached out to them?

Owen


> On Jul 29, 2020, at 23:31 , Aftab Siddiqui <aftab.siddiqui@gmail.com> wrote:
>
> Looks like the list is too long.. none of them have any valid ROAs as well.
>
>
>
> Regards,
>
> Aftab A. Siddiqui
>
>
> On Thu, 30 Jul 2020 at 12:49, Clinton Work <clinton@scripty.com> wrote:
> We saw a bunch of our IP blocks hijacked by AS10990 from 19:15 MDT until 20:23 MDT. Anybody else have problems with that.
>
> ASpath: 1299 7219 10990
>
> 50.92.0.0/17 AS10990
> 198.166.0.0/17 AS10990
> 198.166.128.0/17 AS10990
> 162.157.128.0/17 AS10990
> 162.157.0.0/17 AS10990
> 50.92.128.0/17 AS10990
>
>
>
> --
> Clinton Work
> Airdrie, AB
Re: BGP route hijack by AS10990 [ In reply to ]
On Thu, Jul 30, 2020 at 9:37 AM Owen DeLong <owen@delong.com> wrote:
>
> Looks like the real question here is why doesn’t 7219 do a better job of filtering what they accept.
>
> Has anyone reached out to them?

You mean 1299? 7219 and 10990 are the same entity.
Re: BGP route hijack by AS10990 [ In reply to ]
Peace,

On Thu, Jul 30, 2020, 5:48 AM Clinton Work <clinton@scripty.com> wrote:

> We saw a bunch of our IP blocks hijacked by AS10990 from 19:15 MDT until
> 20:23 MDT. Anybody else have problems with that.
>

Here's what we discovered about the incident. Hope that brings some
clarity.

https://radar.qrator.net/blog/as10990-routing-optimization-tale

--
Töma

>
Re: BGP route hijack by AS10990 [ In reply to ]
so, bgp optimizers... again?

--
Patrick

Am 30.07.2020 um 18:58 schrieb Töma Gavrichenkov:
> Peace,
>
> On Thu, Jul 30, 2020, 5:48 AM Clinton Work <clinton@scripty.com> wrote:
>
> We saw a bunch of our IP blocks hijacked by AS10990 from 19:15 MDT until 20:23 MDT. Anybody else have problems with that.
>
>
> Here's what we discovered about the incident. Hope that brings some clarity.
>
> https://radar.qrator.net/blog/as10990-routing-optimization-tale
>
> --
> Töma
>
Re: BGP route hijack by AS10990 [ In reply to ]
On Thu, 30 Jul 2020, at 13:09, Patrick Schultz wrote:
> so, bgp optimizers... again?
>
> --
> Patrick

More like shame on Telia for not filtering properly.

If Tulix used a so called BGP "optimizer" and didn't have a proper export filter in place it is their mistake but as a major transit provider, Telia bears the brunt of the responsibility of making sure that Tulix's mistake doesn't affect the rest of us.

--
Sadiq Saif
https://sadiqsaif.com/
Re: BGP route hijack by AS10990 [ In reply to ]
On Thu, Jul 30, 2020 at 07:09:07PM +0200, Patrick Schultz wrote:
> so, bgp optimizers... again?

We should stop calling them 'optimizers'... perhaps "BGP Polluters"?

Kind regards,

Job
Re: BGP route hijack by AS10990 [ In reply to ]
Peace,

On Thu, Jul 30, 2020, 8:09 PM Patrick Schultz <lists-nanog@schultz.top>
wrote:

> so, bgp optimizers... again?
>

Looks so. Upstream filters are also to blame, though, but BGP optimization
is the root of all evil.

--
Töma

>
Re: BGP route hijack by AS10990 [ In reply to ]
It's not like there are scorecards, but there's a lot of fault to go
around.

However, again, BGP "Optimizers" are bad. The conditions by which the
inadvertent leak occurs need to be fixed, no question. But in scenarios
like this, as-path length generally limits impact to "Oh crap, I'll fix
that, sorry!." Once you start squirting out more specifics, you get to own
some of the egg on the face.

On Thu, Jul 30, 2020 at 1:35 PM Sadiq Saif <lists@sadiqsaif.com> wrote:

> On Thu, 30 Jul 2020, at 13:09, Patrick Schultz wrote:
> > so, bgp optimizers... again?
> >
> > --
> > Patrick
>
> More like shame on Telia for not filtering properly.
>
> If Tulix used a so called BGP "optimizer" and didn't have a proper export
> filter in place it is their mistake but as a major transit provider, Telia
> bears the brunt of the responsibility of making sure that Tulix's mistake
> doesn't affect the rest of us.
>
> --
> Sadiq Saif
> https://sadiqsaif.com/
>
Re: BGP route hijack by AS10990 [ In reply to ]
> On Jul 30, 2020, at 09:45 , Yang Yu <yang.yu.list@gmail.com> wrote:
>
> On Thu, Jul 30, 2020 at 9:37 AM Owen DeLong <owen@delong.com> wrote:
>>
>> Looks like the real question here is why doesn’t 7219 do a better job of filtering what they accept.
>>
>> Has anyone reached out to them?
>
> You mean 1299? 7219 and 10990 are the same entity.

In that case, sure, up to 1299.

Owen
Re: BGP route hijack by AS10990 [ In reply to ]
I'd like to direct you to Job's writeup on this :) https://mailman.nanog.org/pipermail/nanog/2017-August/191897.html
While these "optimizers" CAN be beneficial to the individual operator, they're apparently used incorrectly in some instances.
Telia should've filtered, that's for sure. But the leak shouldn't have occurred in the first place.

Am 30.07.2020 um 20:09 schrieb Florian Brandstetter:
> Never read something that silly, bgp optimizers are perfectly fine
> and every network operator is well within the right to run optimizers,
> you should much more ask Telia as to why they accepted the prefixes,
> and EVEN MORE ask the operator of 7219 for what specific reason they
> are blowing out their full table to 1299. Anyone with a sane mind has
> export filters where a specific community or tag serves as some kind
> of "do advertise" sign, as opposed to announcing anything BUT external.
>
> May I know the specific reason for such poor attempt of shifting
> responsibility for this incident to bgp optimizers instead of those
> who clearly don't have a single clue about proper filtering policies?
>
> -- 
> Greetings,
>
> Florian Brandstetter
> Chief Executive Officer
> SquareFlow Corporation
> www.squareflow.net
>
> Confidential: Please be advised that the information contained in this
> email message, including all attached documents or files, is privileged
> and confidential and is intended only for the use of the individual or
> individuals addressed. Any other use, dissemination, distribution or
> copying of this communication is strictly prohibited.
>
> On 2020-07-30 19:09, Patrick Schultz wrote:
>> so, bgp optimizers... again?
>>
>> --
>> Patrick
>> Am 30.07.2020 um 18:58 schrieb Töma Gavrichenkov:
>>
>>> Peace,
>>>
>>> On Thu, Jul 30, 2020, 5:48 AM Clinton Work <clinton@scripty.com>
>>> wrote:
>>>
>>>> We saw a bunch of our IP blocks hijacked by AS10990 from 19:15 MDT
>>>> until 20:23 MDT.   Anybody else have problems with that.
>>>
>>> Here's what we discovered about the incident.  Hope that brings some
>>> clarity.
>>>
>>> https://radar.qrator.net/blog/as10990-routing-optimization-tale
>>>
>>> --
>>> Töma
>>>
>>>>
Re: BGP route hijack by AS10990 [ In reply to ]
Telia implements RPKI filtering so the question is did it work? Were any
affected prefixes RPKI signed? Would any prefixes have avoided being
hijacked if RPKI signing had been in place?

Regards

Baldur - who had to turn off RPKI filtering at the request of JTAC to stop
our mx204s from crashing :-(

tor. 30. jul. 2020 18.59 skrev Töma Gavrichenkov <ximaera@gmail.com>:

> Peace,
>
> On Thu, Jul 30, 2020, 5:48 AM Clinton Work <clinton@scripty.com> wrote:
>
>> We saw a bunch of our IP blocks hijacked by AS10990 from 19:15 MDT until
>> 20:23 MDT. Anybody else have problems with that.
>>
>
> Here's what we discovered about the incident. Hope that brings some
> clarity.
>
> https://radar.qrator.net/blog/as10990-routing-optimization-tale
>
> --
> Töma
>
>>
Re: BGP route hijack by AS10990 [ In reply to ]
Not a single prefix was signed, what I saw. May be good reason for Rogers,
Charter, TWC etc to do that now. It would have stopped the propagation at
Telia.

On Fri, 31 Jul 2020 at 8:40 am, Baldur Norddahl <baldur.norddahl@gmail.com>
wrote:

> Telia implements RPKI filtering so the question is did it work? Were any
> affected prefixes RPKI signed? Would any prefixes have avoided being
> hijacked if RPKI signing had been in place?
>
> Regards
>
> Baldur - who had to turn off RPKI filtering at the request of JTAC to stop
> our mx204s from crashing :-(
>
> tor. 30. jul. 2020 18.59 skrev Töma Gavrichenkov <ximaera@gmail.com>:
>
>> Peace,
>>
>> On Thu, Jul 30, 2020, 5:48 AM Clinton Work <clinton@scripty.com> wrote:
>>
>>> We saw a bunch of our IP blocks hijacked by AS10990 from 19:15 MDT until
>>> 20:23 MDT. Anybody else have problems with that.
>>>
>>
>> Here's what we discovered about the incident. Hope that brings some
>> clarity.
>>
>> https://radar.qrator.net/blog/as10990-routing-optimization-tale
>>
>> --
>> Töma
>>
>>> --
Regards,

Aftab A. Siddiqui
Re: BGP route hijack by AS10990 [ In reply to ]
On 30/07/2020 20:32, Sadiq Saif wrote:
> On Thu, 30 Jul 2020, at 13:09, Patrick Schultz wrote:
>> so, bgp optimizers... again?
>>
>> --
>> Patrick
>
> More like shame on Telia for not filtering properly.


But wait - MANRS indicates that Telia does everything right:

https://www.manrs.org/isps/participants/?gv_search=telia&mode=any

How can that be?




-Hank

Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer
Re: BGP route hijack by AS10990 [ In reply to ]
Hank Nussbacher wrote on 31/07/2020 08:21:
> But wait - MANRS indicates that Telia does everything right:

Not only that, Telia indicates that Telia does everything right:

> https://www.teliacarrier.com/our-network/bgp-routing/routing-security-.html

"We reject RPKI Invalids on all BGP Sessions; for both Peers and Customers."

> How can that be?

Misconfig or oversight?

Nick
Re: BGP route hijack by AS10990 [ In reply to ]
On 31.07.2020 10.47, Nick Hilliard wrote:
> Hank Nussbacher wrote on 31/07/2020 08:21:
>> But wait - MANRS indicates that Telia does everything right:
>
> Not only that, Telia indicates that Telia does everything right:
>
>> https://www.teliacarrier.com/our-network/bgp-routing/routing-security-.html
>>
>
> "We reject RPKI Invalids on all BGP Sessions; for both Peers and
> Customers."

If true that none of the affected prefixes were signed, this is a good
case to get some people to sign their prefixes. Everyone affected will
have to accept shared blame, because they could have prevented the
issue by following best practice by doing their RPKI signing.

Regards,

Baldur
Re: BGP route hijack by AS10990 [ In reply to ]
On 31/Jul/20 10:47, Nick Hilliard wrote:
 
>
> Misconfig or oversight?

We started using Telia as an upstream back in 2014. When we had new
prefixes to announce to the Internet, we always sent them (as we do to
all our upstreams) a request to update their filters to support the
same. The standard response we got back from them, in those days, was a
list of ASN's permitted in an inbound filter applied to our eBGP session
with them, that showed all the ASN's that belonged to us and transited
through us.

I am not entirely sure whether this was backed up by a prefix filter,
but my feeling is that it wasn't. To them, as long as the AS we wanted
to get through them was included in the list, we basically took 10
minutes away from their day with the request.

If I check an e-mail from the Telia NOC as recently as 2018, I see this
(verbatim; our customer AS masked out with XXXX):

*****

    Dear Customer,

    Please be advised that the BGP filter that is applied to you is
AS-based and the AS XXXX is included in the BGP filter. Therefore, the
reported prefixes should be accepted. Can you please check and inform us
    accordingly?

*****

Is it at all possible that this is still their current filtering policy?

Mark.
Re: BGP route hijack by AS10990 [ In reply to ]
On 31/Jul/20 03:57, Aftab Siddiqui wrote:
> Not a single prefix was signed, what I saw. May be good reason for
> Rogers, Charter, TWC etc to do that now. It would have stopped the
> propagation at Telia.

While I am a huge proponent for ROA's and ROV, it is a massive
expectation to req filtering to work on the basis of all BGP
participants creating their ROA's. It's what I would like, but there is
always going to be a lag on this one.

If none of the prefixes had a ROA, no amount of Telia's shiny new "we
drop invalids" machine would have helped, as we saw with this incident.
ROV really only comes into its own when the majority of the Internet has
correct ROA's setup. In the absence of that, it's a powerful but
toothless feature.

So while I will continue pushing for the rest of the world to create
ROA's, turn on RPKI and enable ROV, I'll also advocate that operators
continue to have both AS- and prefix-based filters. Not either/or, but
both. Also, max-prefix as a matter of course.

Mark.
Re: BGP route hijack by AS10990 [ In reply to ]
On 30/Jul/20 19:44, Tom Beecher wrote:
> It's not like there are scorecards, but there's a lot of fault to go
> around. 
>
> However, again, BGP "Optimizers" are bad. The conditions by which the
> inadvertent leak occurs need to be fixed, no question. But in
> scenarios like this, as-path length generally limits impact to "Oh
> crap, I'll fix that, sorry!." Once you start squirting out more
> specifics, you get to own some of the egg on the face.

For about a year or so, I've been saying that the next generation of
network engineers are being trained for a GUI-based point & click world,
as opposed to understanding what protocols and CLI do.

There is no shortage of annual workshops that teach BGP Multi-Homing.

Despite the horror BGP optimizers have displayed in recent years, they
seem to be flying off the shelves, still. Is this a clear example of the
next generation of network engineers that we are breeding?

Mark.
Re: BGP route hijack by AS10990 [ In reply to ]
How do you know that none of the prefixes had ROA? The ones that had got
stopped by Telia's filter, so we would never know.

This is exactly the situation where RPKI already works. My prefixes and
yours, provided you like me have ROAs, will not be leaked through Telia
and a number of other large transits. Even if they did not have proper
filters in place.

Driving without RPKI / ROA is like driving without a seatbelt. You are fine
until the day someone makes a mistake and then you wish you did your job at
signing those prefixes sooner.

Regards,

Baldur


On Fri, Jul 31, 2020 at 3:35 PM Mark Tinka <mark.tinka@seacom.com> wrote:

>
>
> On 31/Jul/20 03:57, Aftab Siddiqui wrote:
> > Not a single prefix was signed, what I saw. May be good reason for
> > Rogers, Charter, TWC etc to do that now. It would have stopped the
> > propagation at Telia.
>
> While I am a huge proponent for ROA's and ROV, it is a massive
> expectation to req filtering to work on the basis of all BGP
> participants creating their ROA's. It's what I would like, but there is
> always going to be a lag on this one.
>
> If none of the prefixes had a ROA, no amount of Telia's shiny new "we
> drop invalids" machine would have helped, as we saw with this incident.
> ROV really only comes into its own when the majority of the Internet has
> correct ROA's setup. In the absence of that, it's a powerful but
> toothless feature.
>
> So while I will continue pushing for the rest of the world to create
> ROA's, turn on RPKI and enable ROV, I'll also advocate that operators
> continue to have both AS- and prefix-based filters. Not either/or, but
> both. Also, max-prefix as a matter of course.
>
> Mark.
>
Re: BGP route hijack by AS10990 [ In reply to ]
On Fri, Jul 31, 2020 at 03:34:47PM +0200, Mark Tinka wrote:
> On 31/Jul/20 03:57, Aftab Siddiqui wrote:
> > Not a single prefix was signed, what I saw. May be good reason for
> > Rogers, Charter, TWC etc to do that now. It would have stopped the
> > propagation at Telia.
>
> If none of the prefixes had a ROA, no amount of Telia's shiny new "we
> drop invalids" machine would have helped, as we saw with this incident.

Could it be ... we didn't see any RPKI Invalids through Telia *because*
they are rejecting RPKI invalids?

As far as I know the BGP Polluter software does not have a configuration
setting to only ruin the day of operators without ROAs. :-)

I think the system worked as designed: without RPKI ROV @ Telia the
damage might have been worse.

Kind regards,

Job
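
The disagreement in the last few messages (what "reject RPKI Invalids" can and cannot stop, and why AS-only customer filters are not enough) can be worked through in code. This is an added example, not code from any poster or from Telia's configuration: it implements RFC 6811 origin validation next to an AS filter and an optional prefix filter. AS64500, the ROA and 203.0.113.0/24 are constructed assumptions; only the AS path and the two /17s are taken from the thread.

```python
"""Import-policy sketch: RFC 6811 origin validation plus AS and prefix filters.

Added example with constructed data. AS64500, the ROA and 203.0.113.0/24 are
hypothetical; the AS path and the /17s are the ones reported in the thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: object      # ipaddress network covered by the ROA
    max_length: int     # longest prefix length the ROA authorises
    asn: int            # authorised origin AS


def roa(prefix, max_length, asn):
    return ROA(ipaddress.ip_network(prefix), max_length, asn)


def rov_state(prefix, origin_asn, roas):
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for r in roas:
        if net.version != r.prefix.version or not net.subnet_of(r.prefix):
            continue                      # this ROA does not cover the route
        covered = True
        # A ROA for AS0 never matches any route.
        if r.asn != 0 and r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"


def import_decision(prefix, as_path, roas, allowed_asns, allowed_prefixes=None):
    """Decide whether an upstream accepts a route on a customer session.

    Returns (accepted, reason). allowed_prefixes=None models the AS-only
    customer filter described in the thread; a list of (network, max_len)
    pairs models an additional prefix filter.
    """
    state = rov_state(prefix, as_path[-1], roas)
    if state == "invalid":
        return False, "rpki-invalid"      # the "reject RPKI Invalids" policy
    if any(asn not in allowed_asns for asn in as_path):
        return False, "as-filter"
    if allowed_prefixes is not None:
        net = ipaddress.ip_network(prefix)
        permitted = any(
            net.version == p.version and net.subnet_of(p) and net.prefixlen <= max_len
            for p, max_len in allowed_prefixes
        )
        if not permitted:
            return False, "prefix-filter"
    # 'not-found' routes pass ROV: nothing has been signed, so nothing to check.
    return True, state


CUSTOMER_ASNS = {7219, 10990}                    # ASNs named in the thread
LEAK_PATH = [7219, 10990]                        # path as the upstream receives it
LEAKED = ["50.92.0.0/17", "50.92.128.0/17"]      # two of the reported /17s
VICTIM_ROA = [roa("50.92.0.0/16", 16, 64500)]    # constructed ROA, hypothetical AS
CUSTOMER_PREFIXES = [(ipaddress.ip_network("203.0.113.0/24"), 24)]  # constructed


def run_scenarios():
    """Evaluate the leaked /17s under three upstream policies."""
    results = {}
    for name, roas, prefixes in [
        ("as-filter only, no ROA", [], None),
        ("as-filter + ROA", VICTIM_ROA, None),
        ("as+prefix filter, no ROA", [], CUSTOMER_PREFIXES),
    ]:
        results[name] = [
            import_decision(p, LEAK_PATH, roas, CUSTOMER_ASNS, prefixes)
            for p in LEAKED
        ]
    return results


if __name__ == "__main__":
    for name, decisions in run_scenarios().items():
        print(f"{name:26} {decisions}")
```

With no ROA the /17s are "not-found" and pass a reject-invalids policy behind an AS-only filter; a covering ROA turns them "invalid", and a prefix filter stops them whether or not a ROA exists.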
