Den 2017-11-09 kl. 17:22, skrev Brian Rak via db-wg: > Hi, > > We've run into an issue where an unknown malicious party appears to > have hijacked some of our IP space. They created entries in the RIPE > database that they are using to actually get this space announced. > What's even worse is their carrier is trying to say these > announcements are legitimate because they have IRR entries (which is a > whole other issue) > > What is the process like for actually getting this fraudulent entry > removed? I've been in contact with RIPE NCC Support, and they have > been super unhelpful (ref case #14523) > > The fraudulent entry is: > > https://apps.db.ripe.net/search/lookup.html?source=ripe&key=198.13.32.0/19AS39967&type=route > > > route: 198.13.32.0/19 > descr: 2nd route > origin: AS39967 > mnt-by: ADMASTER-MNT > created: 2017-10-13T00:20:08Z > last-modified: 2017-10-13T00:20:08Z > source: RIPE > > I should also note that this ASN suspiciously appears to be announcing > other people's space as well, but I can only confirm that this > particular entry does not belong. I would suspect that their other > IRR entries are fake as well. > > You can verify my request by reaching out to any of the POCs > associated with this network: > https://whois.arin.net/rest/net/NET-198-13-32-0-1 > > Thanks, > Brian Rak > >
It seems that at least 4 ASes has announced this prefix (both /19 and /20) this year. https://stat.ripe.net/widget/routing-history#w.resource=198.13.32.0%2F19 -- Bengt Gördén Resilans AB