nanog mailing list archives

RE: BGPMON Alert Questions

From: Lee Johnston <lee () wildcard net uk>
Date: Wed, 2 Apr 2014 19:27:54 +0000

Snap, announcing a few of our /21s and a /23. Seems they did something similar a few year ago: 
http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/

I can't make any contact with Indosat (website non responsive / email queuing). This is what I have back from Aware 
Corp. AS18356 (first AS in the path):

I can confirm that we are seeing your prefixes as advertised by AS4761, via one of our upstreams CAT AS4651 
(THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
We (Aware Corporation - AS18356) operate a BGPMon PeerMon node which is probably why you are seeing this alert from our 
AS.
It is likely that your highjacked prefixes are being advertised to all of CAT's customers. 
I suggest contacting  AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID) directly for resolution as there is 
little we can do as a stub AS.



Regards,
Lee.



-----Original Message-----
From: Vlade Ristevski [mailto:vristevs () ramapo edu] 
Sent: 02 April 2014 20:05
To: nanog () nanog org
Subject: Re: BGPMON Alert Questions

I just got the same alert for one of my prefixes one minute ago.

On 4/2/2014 2:59 PM, Frank Bulk wrote:

I received a similar notification about one of our prefixes also a few 
minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.  
But I also couldn't hit the websites for either AS, either.

Frank

-----Original Message-----
From: Joseph Jenkins [mailto:joe () breathe-underwater com]
Sent: Wednesday, April 02, 2014 1:52 PM
To: nanog () nanog org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in 
Thailand announcing my prefix.  Everything looks fine to me and I've 
checked a bunch of different Looking Glasses and everything announcing 
correctly.

I am assuming I should be contacting the provider about their 
misconfiguration and announcing my prefixes and get them to fix it.  
Any other recommendations?

Is there a way I can verify what they are announcing just to make sure 
they are still doing it?

Here is the alert for reference:

Your prefix:          8.37.93.0/24:

Update time:          2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:      8.37.93.0/24

Announced by:         AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:          AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:               18356 9931 4651 4761


--
Vlad

Current thread:

BGPMON Alert Questions Joseph Jenkins (Apr 02)
- Re: BGPMON Alert Questions Shawn L (Apr 02)
- RE: BGPMON Alert Questions Frank Bulk (Apr 02)
  - Re: BGPMON Alert Questions Vlade Ristevski (Apr 02)
    - RE: BGPMON Alert Questions Lee Johnston (Apr 02)
    - Re: BGPMON Alert Questions Andrew (Andy) Ashley (Apr 02)
    - Re: BGPMON Alert Questions Jason Baugher (Apr 02)
    - Re: BGPMON Alert Questions Aris Lambrianidis (Apr 02)
    - Re: BGPMON Alert Questions Andrew (Andy) Ashley (Apr 02)
    - Re: BGPMON Alert Questions Luca Simonetti (Apr 02)
    - Re: BGPMON Alert Questions Mark Keymer (Apr 02)
    - Re: BGPMON Alert Questions Joseph Jenkins (Apr 02)
    - Re: BGPMON Alert Questions Eric Dugas (Apr 02)
    - Re: BGPMON Alert Questions Adrian Minta (Apr 02)
    - Re: BGPMON Alert Questions Justin M. Streiner (Apr 02)

(Thread continues...)