Home page logo
/

nanog logo nanog mailing list archives

AS8300 - Swisscom hijacking.. Just what are you testing?
From: "Schiller, Heather A" <heather.schiller () verizon com>
Date: Wed, 1 Feb 2012 16:44:07 -0500


AS8300 started announcing one of the Rove Digital dns changer IP ranges. (The IP ranges the FBI is sending 'you are 
infected' letters about)  Swisscom's announcement is less specific than the prefixes being announced by ISC during the 
remediation effort, so it's not impacting traffic... But AS8300 seems to announce less specifics a lot.  Last fall they 
announced 63/8 and half of that is allocated to 701. AFAIK, we weren't notified they were going to announce a less 
specific of our space.  As long as folks have pullup routes, and don't have an outage that withdraws their 
announcements, then Swisscom should only be getting darknet traffic.  The record for AS8300 says 'Test' and the entry 
for it in CIDR report says "This AS is not currently used to announce prefixes in the global routing table, nor is it 
used as a visible transit AS."  .. But their announcements certainly do show up in the global routing table, whether 
they are transiting for someone or not, they could get traffic for anything that doesn't have a more specific.  Given 
the recent YAHT (yet another hijack thread) it's worth pointing out that hijacking more specifics is bad, but less 
specifics can be bad as well. (Not suggesting that is the case here..)  

I searched around and couldn't find any mention of what they might be testing.  Anyone know?  

route-views>sh ip bgp 85.255.112.0/20
BGP routing table entry for 85.255.112.0/20, version 2177063753
Paths: (11 available, no best path)
  Not advertised to any peer
  6079 3303 8300 (history entry)
    207.172.6.20 from 207.172.6.20 (207.172.6.20)
      Origin IGP, metric 85, localpref 100, external
      Dampinfo: penalty 495, flapped 2 times in 00:24:37
  3277 3267 174 3303 8300 (history entry)
    194.85.102.33 from 194.85.102.33 (194.85.4.4)
      Origin IGP, localpref 100, external
      Community: 3277:3267 3277:65321 3277:65323 3277:65330
      Dampinfo: penalty 501, flapped 2 times in 00:24:22
....

 --Heather

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]