That's awesome Jodi. Realistically you've now got two more jobs to do. 1) Make sure that you have registered your prefixes in the global RPKI. 2) Make sure that your routers are using the global RPKI to validate routes that you are learning from others. Having a look at Michael Fincham's awesome APRICOT talk is a good RPKI primer. PDF: https://conference.apnic.net/data/37/rpki-apricot-2014,-michael-fincham_1392... VIDEO: http://apnic.adobeconnect.com/p7wo9eesyl5/ Post to the list if you need anymore help. On Thu, Apr 3, 2014 at 11:13 AM, Jodi Thomson wrote:

Saw it on AusNog too - prompted me to setup external prefix monitoring. Appear to be safe so far

JT ________________________________ From: nznog-bounces(a)list.waikato.ac.nz [nznog-bounces(a)list.waikato.ac.nz] on behalf of Tristram Cheer [tristram.cheer(a)ubergroup.co.nz] Sent: Thursday, 3 April 2014 10:45 To: Tony Wicks; nznog(a)list.waikato.ac.nz Subject: Re: [nznog] IP Hijack out of Indosat Thailand

Yep, It's all over AusNog and NANog, Seems to be about 320k of prefix's affected

--

Tristram Cheer Network Architect - Most problems are the result of previous solutions...

09 438 5472 Ext 803 |022 412 1985 | PO Box 5083, Whangarei, 0140 tristram.cheer(a)ubergroup.co.nz |www.ubergroup.co.nz

From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Tony Wicks Sent: Thursday, 3 April 2014 10:40 a.m. To: nznog(a)list.waikato.ac.nz Subject: [nznog] IP Hijack out of Indosat Thailand

Is anyone else seeing their IP ranges hijacked out of Thailand ?

http://seclists.org/nanog/2014/Apr/49

http://seclists.org/nanog/2014/Apr/55

You received this email because you are subscribed to BGPmon.net.

For more details about these updates please visit:

https://portal.bgpmon.net/myalerts.php

====================================================================

Possible Prefix Hijack (Code: 10)

====================================================================

Your prefix: 103.9.40.0/22:

Prefix Description: FLIP-AS-AP

Update time: 2014-04-02 20:29 (UTC)

Detected by #peers: 1

Detected prefix: 103.9.40.0/22

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)

Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)

ASpath: 18356 38794 4651 4761

====================================================================

Possible Prefix Hijack (Code: 10)

====================================================================

Your prefix: 103.224.128.0/22:

Prefix Description: Flip

Update time: 2014-04-02 19:42 (UTC)

Detected by #peers: 1

Detected prefix: 103.224.128.0/22

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)

Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)

ASpath: 18356 9931 4651 4761

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Hi Team, Confirmation from my team talking directly to Indosat - self inflected with a bad update during a maintenance window. Nothing malicious or intentional. Barry PS - in case you didn't know, I'm back in Asia in Indonesia. On Apr 3, 2014, at 10:12 AM, Jodi Thomson wrote:

Thanks Dean :)

I'm in the process of transitioning back into the job after an 18mth hiatus. Got a bit of work ahead of me to tidy things up. Will add that into the mix once I've settled a few other issues

Cheers JT

________________________________________ From: dean(a)deanpemberton.com [dean(a)deanpemberton.com] on behalf of Dean Pemberton [nznog(a)deanpemberton.com] Sent: Thursday, 3 April 2014 15:23 To: Jodi Thomson Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] IP Hijack out of Indosat Thailand

That's awesome Jodi.

Realistically you've now got two more jobs to do.

1) Make sure that you have registered your prefixes in the global RPKI. 2) Make sure that your routers are using the global RPKI to validate routes that you are learning from others.

Having a look at Michael Fincham's awesome APRICOT talk is a good RPKI primer.

PDF: https://conference.apnic.net/data/37/rpki-apricot-2014,-michael-fincham_1392... VIDEO: http://apnic.adobeconnect.com/p7wo9eesyl5/

Post to the list if you need anymore help.

On Thu, Apr 3, 2014 at 11:13 AM, Jodi Thomson wrote:

...

Saw it on AusNog too - prompted me to setup external prefix monitoring. Appear to be safe so far

JT ________________________________ From: nznog-bounces(a)list.waikato.ac.nz [nznog-bounces(a)list.waikato.ac.nz] on behalf of Tristram Cheer [tristram.cheer(a)ubergroup.co.nz] Sent: Thursday, 3 April 2014 10:45 To: Tony Wicks; nznog(a)list.waikato.ac.nz Subject: Re: [nznog] IP Hijack out of Indosat Thailand

Yep, It's all over AusNog and NANog, Seems to be about 320k of prefix's affected

--

Tristram Cheer Network Architect - Most problems are the result of previous solutions...

09 438 5472 Ext 803 |022 412 1985 | PO Box 5083, Whangarei, 0140 tristram.cheer(a)ubergroup.co.nz |www.ubergroup.co.nz

From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Tony Wicks Sent: Thursday, 3 April 2014 10:40 a.m. To: nznog(a)list.waikato.ac.nz Subject: [nznog] IP Hijack out of Indosat Thailand

Is anyone else seeing their IP ranges hijacked out of Thailand ?

http://seclists.org/nanog/2014/Apr/49

http://seclists.org/nanog/2014/Apr/55

You received this email because you are subscribed to BGPmon.net.

For more details about these updates please visit:

https://portal.bgpmon.net/myalerts.php

====================================================================

Possible Prefix Hijack (Code: 10)

====================================================================

Your prefix: 103.9.40.0/22:

Prefix Description: FLIP-AS-AP

Update time: 2014-04-02 20:29 (UTC)

Detected by #peers: 1

Detected prefix: 103.9.40.0/22

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)

Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)

ASpath: 18356 38794 4651 4761

====================================================================

Possible Prefix Hijack (Code: 10)

====================================================================

Your prefix: 103.224.128.0/22:

Prefix Description: Flip

Update time: 2014-04-02 19:42 (UTC)

Detected by #peers: 1

Detected prefix: 103.224.128.0/22

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)

Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)

ASpath: 18356 9931 4651 4761

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Perhaps it's time to ask the question about why we can't choose the Internet number registry that provides the service we need regardless of geography.

Would certainly make my life an awful lot easier :-) On 2014-04-04 11:09, Andy Linton wrote:

On Thu, Apr 3, 2014 at 3:23 PM, Dean Pemberton wrote:

That's awesome Jodi.

Realistically you've now got two more jobs to do.

1)  Make sure that you have registered your prefixes in the global RPKI.

  Of course, all those NZ holders of IP address space who aren't full APNIC members won't be able to do this. APNIC unlike RIPE in Europe have decided that they'll use their monopoly position to force you into full membership if you want to do this.

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog