Re: an IP hijacking attempt

[Paul Emmons <paul () emmons mx>]

RPKI can be very useful to mitigate an attempt.

I used to process IP LOAs all the time.  I never saw a RR attached but 
usually we did a check against the RIR just to make sure (because we 
made access-list per interface as well)

On 3/9/2021 1:42 PM, Mel Beckman wrote:
> Not everyone uses RRs, and there is also the possibility that their 
> upstream would register it. Having an RR doesn’t seem definitive 
> either way. I can see reasons to wait on the RR until  ready to 
> receive traffic.
>
> -mel via cell
>
> > On Mar 9, 2021, at 11:14 AM, Brian Turnbow <b.turnbow () twt it> wrote:
> >
> > 
> > If they had a route record that was close, I Would give them the 
> > benefit of doubt.
> > They do not however as the only records start with 217. And our IPs 
> > are 45.
> >
> > So It Is very strange. Would you send a LOA without a route record?
> >
> > Brian Turnbow
> > ------------------------------------------------------------------------
> > *Da:* Mel Beckman <mel () beckman org>
> > *Inviato:* martedì 9 marzo 2021 19:17
> > *A:* Brian Turnbow
> > *Cc:* North American Network Operators' Group
> > *Oggetto:* Re: an IP hijacking attempt
> >
> > It could just be a typo on the LOA. It seems unlikely any ISP would 
> > approve a forged LOA that could readily be debunked by contacting the 
> > IP space owner. The whole point of LOA’s is to facilitate this 
> > verification.
> >
> > -mel via cell
> >
> > > On Mar 9, 2021, at 10:01 AM, Brian Turnbow via NANOG 
> > <nanog () nanog org> wrote:
> > >
> > > Hello everyone,
> > >
> > > We received a strange request that I wanted to share.
> > > An email was sent to us asking to confirm a LOA from a diligent ISP.
> > > The Loa was a request to open bgp for an AS , that is not ours, to 
> > announce a /23 prefix that is ours.
> > > So basically this entity sent to their upstream a request to 
> > announce a prefix from one our allocated ranges.
> > > We have the allocation correctly registered and ROAs in place , but 
> > it is worrisome that someone would attempt this.
> > > Obviously we have informed the ISP that the LOA is not valid and 
> > are trying to contact the originating party.
> > > Aside from RIRs for the offending AS and our IPs,  Is there 
> > anywhere to report this type of activity?
> > > We have dealt with hijacking technically speaking in the past but 
> > this is the first time, to my knowledge, of someone forging a LOA 
> > with our IPs.
> > >
> > > Thanks in advance for any advice
> > >
> > > Brian
> > >
> > > P.S. a big thanks to Chris for checking the boxes before activating 
> > the filter if you are on the list!
> > >
> > >
> > >
> > >