From rfg at tristatelogic.com Tue Jun 6 10:40:58 2017
From: rfg at tristatelogic.com (Ronald F. Guilmette)
Date: Tue, 06 Jun 2017 01:40:58 -0700
Subject: [connect-wg] AS34991 -- hijacked
Message-ID: <93070.1496738458@segfault.tristatelogic.com>

Is there any chance that any of you might be persuaded to have a word or two with either or both of the upstreams for AS34991, specifically with respect to the fact that that whole and entire AS has quite obviously been hijacked, and that it is currently being used and abused to announce a total of 20 completely and transparently bogus routes into various bits of IPv4 space that are allocated to various parties within the nation of Colombia, including but not limited to the National University thereof?

I have already attempted to make contact with both upstreams in this case with no success and no reply so far, perhaps because I am not a European, or perhaps because I myself am not a network operator, or perhaps because I do not speak (or write) Bulgarian.

Below is a listing of the currently hijacked routes. Please note that the hijacker in this case quite obviously planned this all, quite carefully, and in advance of the actual hijackings, and he tried (and succeeded!) to effectively legitimize all of these bogus route announcements via the simple and easy ruse of also pre-creating a set of matching, and equally bogus, route objects within the RIPE database. (As I learned the last time a case like this came up, the RIPE community, in its infinite wisdom, had made it so easy to create such route objects in the database, with no authority or authorization whatsoever, that any baboon with a keyboard and a pulse may easily do so.)

Of course, as the more observant among you may note, the domain name used for the contact email address for AS34991 has recently been re-registered, presumably after having lapsed. This indicates rather clearly, I think, that it is not merely the IPv4 blocks listed below that have been and are being hijacked, but also the AS34991 ASN itself.

covfefe

P.S. For the record, yes, some of the hijacked blocks in this case have already been sub-leased out to snowshoe spammers, and are being actively used for snowshoe spamming as we speak.

=====================================================================
152.204.132.0/24 -- Colombia
152.204.133.0/24 -- Colombia
152.231.25.0/24 -- Colombia
152.231.28.0/24 -- Colombia
168.176.187.0/24 -- Colombia, National University of
168.176.192.0/24 -- Colombia, National University of
168.176.194.0/24 -- Colombia, National University of
168.176.218.0/24 -- Colombia, National University of
168.176.219.0/24 -- Colombia, National University of
179.1.71.0/24 -- Colombia
181.57.40.0/24 -- Colombia
186.113.13.0/24 -- Colombia
186.113.15.0/24 -- Colombia
186.147.230.0/24 -- Colombia
190.90.31.0/24 -- Colombia
190.90.88.0/24 -- Colombia
200.1.65.0/24 -- Colombia
200.14.44.0/24 -- Colombia
200.24.3.0/24 -- Colombia
200.24.5.0/24 -- Colombia
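The ruse described in the post (a route object that matches the bogus announcement, so a naive "does a route object exist?" check passes) can be caught by also comparing who maintains the route object against who holds the covering allocation. The following is an added example, not from the post or from any registry tooling; AS34991 and the two /24s come from the post, while the covering allocations, maintainer handles and AS64496 are constructed placeholders.

```python
import ipaddress

# Constructed sample data. Covering allocation -> (maintainer of the allocation,
# set of origin ASNs the holder is known to announce from). The maintainer
# handles and AS64496 are placeholders, not real registry records.
ALLOCATIONS = {
    "168.176.0.0/16": ("MNT-HOLDER-A", {64496}),
    "152.204.0.0/16": ("MNT-HOLDER-B", {64496}),
}

# Constructed IRR route objects: prefix -> (origin ASN, mnt-by of the object).
# The two /24 objects mirror the post: they match the announcement but were
# created by a maintainer unrelated to the allocation holder.
ROUTE_OBJECTS = {
    "168.176.187.0/24": (34991, "MNT-UNRELATED"),
    "152.204.132.0/24": (34991, "MNT-UNRELATED"),
    "168.176.0.0/16": (64496, "MNT-HOLDER-A"),
}


def covering_allocation(prefix):
    """Return (block, record) for the allocation that contains prefix, or (None, None)."""
    net = ipaddress.ip_network(prefix)
    for block, record in ALLOCATIONS.items():
        if net.subnet_of(ipaddress.ip_network(block)):
            return block, record
    return None, None


def assess(prefix, origin):
    """Return a list of findings for one observed announcement (empty = nothing suspicious)."""
    findings = []
    block, record = covering_allocation(prefix)
    if record is None:
        return [f"{prefix}: no covering allocation on file"]
    holder_mnt, expected_origins = record
    if origin not in expected_origins:
        findings.append(f"{prefix}: origin AS{origin} is not a known origin for {block}")
    route_object = ROUTE_OBJECTS.get(prefix)
    if route_object is None:
        findings.append(f"{prefix}: no route object for AS{origin}")
    else:
        ro_origin, ro_mnt = route_object
        # A matching route object is not evidence of authority if its maintainer
        # is not the maintainer of the covering allocation.
        if ro_origin == origin and ro_mnt != holder_mnt:
            findings.append(f"{prefix}: route object mnt-by {ro_mnt} differs from allocation mnt-by {holder_mnt}")
    return findings


if __name__ == "__main__":
    for p, o in [("168.176.187.0/24", 34991), ("168.176.0.0/16", 64496)]:
        print(p, assess(p, o) or "ok")
```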