BGPMon On Illegitimate Route Announcement
In November I posted BGPMon on BGP Table Leak by Companhia de Telecomunicacoes do Brasil Central. A lot of people saw that activity but the overall effect was negligible to nonexistent.
Yesterday I received a more personalized alert from BGPMon:
You Receive this email because you are subscribed to BGPmon.net.
For more details about these updates please visit:
http://bgpmon.net/showupdates.php
====================
WithDraw of More Specific (Code: 23)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:33 (UTC)
3.3.3.3/32
====================
Possible Prefix Hijack (Code: 11)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:31 (UTC)
3.3.3.3/32
Announced by: AS15475 (NOL)
Transit AS: 8452 (TEDATA TEDATA)
ASpath: 29073 9009 19151 4788 8452 15475
Checking WHOIS data for AS15475 shows:
% Information related to 'AS15475'
aut-num: AS15475
as-name: NOL
descr: Nile Online
descr: Giza,Egypt
descr: For any abuse complain contact abuse@nile-online.com
So, an ISP in Giza, Egypt announced a 3.3.3.3/32 route to the Internet. That looks like some kind of test. I used to be amazed to see a /32 route appear like this in global BGP tables, but now that I know most ISPs don't filter anything I am not so surprised anymore. Previously I would have thought one of the AS in the AS path would have filtered this.
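The filtering the post expected from the ASes in the path can be sketched as an import-policy check. This is an added example, not code from the post or from BGPMon. The /24 maximum length is an assumed operator convention, AS64500 is a placeholder for the legitimate origin of 3.0.0.0/8, and `evaluate` is a hypothetical helper.

```python
import ipaddress

MAX_IPV4_LEN = 24  # assumption: common operator convention, not from the post
# Monitored prefix from the alert. The expected origin AS64500 is a constructed
# placeholder from the documentation ASN range; the post does not name it.
MONITORED = {ipaddress.ip_network("3.0.0.0/8"): {64500}}


def evaluate(prefix, as_path):
    """Decide what an import filter would do with one announcement."""
    net = ipaddress.ip_network(prefix)
    path = [int(asn) for asn in as_path.split()]
    origin = path[-1]
    # The AS next to the origin is what the alert reports as "Transit AS".
    upstream = path[-2] if len(path) > 1 else None
    reasons = []
    if net.version == 4 and net.prefixlen > MAX_IPV4_LEN:
        reasons.append(f"too specific: /{net.prefixlen} is longer than /{MAX_IPV4_LEN}")
    for covering, origins in MONITORED.items():
        if net.version != covering.version or not net.subnet_of(covering):
            continue
        if origin not in origins:
            kind = "more specific" if net.prefixlen > covering.prefixlen else "exact match"
            reasons.append(f"{kind} of {covering} from unexpected AS{origin}")
    return {"action": "reject" if reasons else "accept", "origin": origin,
            "upstream": upstream, "reasons": reasons}


if __name__ == "__main__":
    alert_path = "29073 9009 19151 4788 8452 15475"  # ASpath from the alert
    samples = [
        ("3.3.3.3/32", alert_path),
        # Prefixes from the comment; reusing the alert's path is an assumption.
        ("100.100.100.0/30", alert_path),
        ("2.2.2.2/32", alert_path),
        ("3.0.0.0/8", "64496 64500"),  # constructed legitimate announcement
    ]
    for prefix, path in samples:
        result = evaluate(prefix, path)
        print(prefix, result["action"], "; ".join(result["reasons"]))
```

The length check alone rejects all three leaked prefixes at the first AS that applies it, without needing to know who legitimately originates the covering block.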
Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.
Comments
It seems they leaked a bunch of more specifics, including a number of bogons, such as 100.100.100.0/30 and 2.2.2.2/32.
This was all just for a few minutes.