Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Suresh Ramasubramanian
Let us put it this way. There might be several simultaneous leaks of this same 
private asn because multiple country netblocks are being announced.  Or this is 
actually malicious.

I have no way to tell without checking what abuse is coming from there. I'm 
sure RFG is researching that part of it, and won't ask him about it till he's 
ready to disclose.

On 15/04/19, 10:02 AM, "anti-abuse-wg on behalf of ac" wrote:

On Mon, 15 Apr 2019 09:40:35 +0530
Suresh Ramasubramanian wrote:
> On 15/04/19, 9:26 AM, "anti-abuse-wg on behalf of ac" wrote:
> >Sorry for top posting, but I fail to see how any of this is
> > abuse related?  
> 
> Given that it is RFG raising this, I think it is a pretty safe bet
> that this ASN is associated with some abusive activity that he has
> seen. 
> 
Okay, but this is not yet clear? pvt asn is leaked often (and
sometimes voluminous) - so is common/frequent and in itself means
nothing, if this is that, - but as this affects that network, there is
no abuse? or I am missing something?

Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Suresh Ramasubramanian
On 15/04/19, 9:26 AM, "anti-abuse-wg on behalf of ac" wrote:

>Sorry for top posting, but I fail to see how any of this is abuse related?

Given that it is RFG raising this, I think it is a pretty safe bet that this 
ASN is associated with some abusive activity that he has seen. 

Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread ac

Sorry for top posting, but I fail to see how any of this is abuse related?


On Mon, 15 Apr 2019 04:39:10 +0100
"Sascha Luck [ml]" wrote:

> On Sun, Apr 14, 2019 at 06:30:50PM -0700, Ronald F. Guilmette wrote:
> >Even if I accept that one of these explanations is accurate and
> >correct, I am still left with one question:  Who is "they" in this
> >context?  
> 
> If it's a leaked internal private ASN, the next ASN upstream in
> the path should be the correct one. So, in essence, they are
> doing it to themselves.
> 
> It could also actually be a private peering that was never
> supposed to be visible in the DFZ. IIRC it is common practice to
> use private ASNs for this. In which case it is the peer leaking
> it.
> 
> >P.S.  There are three reasons why I am not prepared to believe that
> >this is all just some "fat fingered" or merely incompetent mistake.
> >The first is the number of different national flags I am seeing on
> >this page:
> >
> >https://bgp.he.net/AS65000#_prefixes
> >
> >That doesn't look much like an "internal network" to me!  
> 
> It just means that a lot of networks leak private ASNs. Why does
> that surprise you?
> 
> >But we can debate these points later on.  First I'd like to know who
> >"they" is.  If somebody can figure out who "they" is in this
> >context, then someone, perhaps even me, can shoot a polite and
> >friendly inquiry via email to whatever "they" are actually doing
> >this stuff, asking them what's up and how come they thought that it
> >was a Good Idea to use a reserved ASN, and whether or not "they"
> >plan to continue doing so.  
> 
> "They" are the admins of the advertised networks (if this *is*
> failure-to-remove-private-ASNs) 
> 
> >But right now I can't even do that, because I have no idea who is
> >actually responsible for any of this.  If you do, then please do
> >enlighten me.  
> 
> Probably the actual owners of the advertised prefixes.
> 
> rgds,
> SL
> 

Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Sascha Luck [ml]

On Sun, Apr 14, 2019 at 06:30:50PM -0700, Ronald F. Guilmette wrote:

> Even if I accept that one of these explanations is accurate and correct,
> I am still left with one question:  Who is "they" in this context?

If it's a leaked internal private ASN, the next ASN upstream in
the path should be the correct one. So, in essence, they are
doing it to themselves.

It could also actually be a private peering that was never
supposed to be visible in the DFZ. IIRC it is common practice to
use private ASNs for this. In which case it is the peer leaking
it.


> P.S.  There are three reasons why I am not prepared to believe that this
> is all just some "fat fingered" or merely incompetent mistake.  The first
> is the number of different national flags I am seeing on this page:
>
> https://bgp.he.net/AS65000#_prefixes
>
> That doesn't look much like an "internal network" to me!

It just means that a lot of networks leak private ASNs. Why does
that surprise you?


> But we can debate these points later on.  First I'd like to know who "they"
> is.  If somebody can figure out who "they" is in this context, then someone,
> perhaps even me, can shoot a polite and friendly inquiry via email to
> whatever "they" are actually doing this stuff, asking them what's up
> and how come they thought that it was a Good Idea to use a reserved ASN,
> and whether or not "they" plan to continue doing so.

"They" are the admins of the advertised networks (if this *is*
failure-to-remove-private-ASNs) 


> But right now I can't even do that, because I have no idea who is actually
> responsible for any of this.  If you do, then please do enlighten me.

Probably the actual owners of the advertised prefixes.

rgds,
SL

Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Ronald F. Guilmette


In message , Richard Clayton wrote:

>Hurricane Electric is seeing announcements from other ASs some of which
>have AS65000 declared to be origin of the prefix

I understand.  The announcements are, in effect, mislabeled.

>Best practice is to remove internal use AS's from announcements -- not
>much bad happens if you don't (well, you might not get as much
>reachability if other folk are also using that reserved AS within their
>networks...)

Is anybody anywhere filtering out this kind of malarkey?

>>The only other thing I feel compelled to say, or ask right now, is just
>>this:   Who should I be notifying if there is an issue with this ASN?
>
>the NOC for the people making the incorrect announcement

Yes.  And can you tell me who that is please?

I'm asking for a bit of help here, because I'm out of my depth.  But
judging from the short bio sketch of you that I just now read on your
personal web page, this would seem to be right up your alley.


Regards,
rfg

Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Ronald F. Guilmette


In message <5c95b9d5-58b4-4a86-8052-e928f1d8a...@incibe.es>, Ángel González Berdasco wrote:

>Well, someone is announcing those prefixes as linked to AS65000...

Yes.

Who?


Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Ronald F. Guilmette


In message <20190415010759.ga51...@cilantro.c4inet.net>, "Sascha Luck [ml]" wrote:

>Most likely this is either used in error as an advertising ASN by
>someone who doesn't know what they are doing (like the RFC1918
>space that crops up in the DFZ now and again) or it's used
>internally in their networks and they have omitted to configure
>their routers to strip private ASNs from their advertisements
>(yes, I've forgotten this myself on occasion).

OK, so let's just say, for the sake of argument, that I believe that
one or the other of these explanations is the "correct" one.  (I don't,
actually, but we can ignore that for the moment.)

Even if I accept that one of these explanations is accurate and correct,
I am still left with one question:  Who is "they" in this context?


Regards,
rfg

P.S.  There are three reasons why I am not prepared to believe that this
is all just some "fat fingered" or merely incompetent mistake.  The first
is the number of different national flags I am seeing on this page:

https://bgp.he.net/AS65000#_prefixes

That doesn't look much like an "internal network" to me!

The second is the evident activity spikes that I am seeing on this page:

https://stat.ripe.net/AS65000#tabId=routing

The third reason is one that I am not prepared to go into right now.  Let's
just say that I didn't find this ASN totally by accident.

But we can debate these points later on.  First I'd like to know who "they"
is.  If somebody can figure out who "they" is in this context, then someone,
perhaps even me, can shoot a polite and friendly inquiry via email to
whatever "they" are actually doing this stuff, asking them what's up
and how come they thought that it was a Good Idea to use a reserved ASN,
and whether or not "they" plan to continue doing so.

But right now I can't even do that, because I have no idea who is actually
responsible for any of this.  If you do, then please do enlighten me.


Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Richard Clayton
In message <44806.1555289...@segfault.tristatelogic.com>, Ronald F. Guilmette writes

>Here is what I am hoping some actual expert can explain to me:
>
>https://bgp.he.net/AS65000#_asinfo
>https://bgp.he.net/AS65000#_prefixes
>https://bgp.he.net/AS65000#_prefixes6
>https://bgp.he.net/AS65000#_peers
>https://bgp.he.net/AS65000#_peers6
>
>I will save all further comment until someone offers me some kind of an
>explanation of this apparently strange stuff.  For now, I will only add
>that whereas bgp.he.net is showing there as being a total of 66 IPv4
>prefixes announced by this (reserved) ASN

Hurricane Electric is seeing announcements from other ASs some of which
have AS65000 declared to be origin of the prefix

Which may sound the same as what you said, but isn't

>I am unable to fathom how and why a reserved ASN should be
>announcing -anything- at -any- place or point where anybody on the outside
>can see it.

Best practice is to remove internal use AS's from announcements -- not
much bad happens if you don't (well, you might not get as much
reachability if other folk are also using that reserved AS within their
networks...)

>The only other thing I feel compelled to say, or ask right now, is just
>this:   Who should I be notifying if there is an issue with this ASN?

the NOC for the people making the incorrect announcement -- if there is
a question as to how valid the rest of the path might be, then that may
take you a little while to establish (and you may get lied to when you
make enquiries)

BTW: great though HE's portal is, you really should be picking apart the
mass of data held by RIPE if you want to form a view as to might be
doing bad things (that's not the only place you need to look, but it's a
good start and in this case the number of detectors seeing this origin
and the timeline puts it rather more in perspective)

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Ángel González Berdasco
Well, someone is announcing those prefixes as linked to AS65000. If he himself 
was using AS65000 internally with those prefixes, and that leaked to their 
public interface, it would be a false positive, but lacking some agreement 
between the receiver and their peer involving AS65000, imho those entries were 
used internally by some party, which then inadvertently shared them to peers 
that didn't filter it, etc. With the end result that such entries could make 
these prefixes unreachable.

Here, one side will be the owners of those ip ranges, but there's not an owner 
of the AS as such. Who should be complaining that they are 'advertising their 
AS' incorrectly?

What if a prefix was 10.0.0.0/8? Would IANA need to state that it didn't allow 
AS x to advertise a private range? Maybe that step should be skipped for 
reserved ranges.

Most likely, this case is a self-inflicted damage, though.

Best regards

Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Ronald F. Guilmette


Apologies for following up on myself, but I did just want to mention
that in addition to the very limited "snapshots" of the routes being
announced by AS65000 that can be obtained from bgp.he.net, I am
also looking at this page:

https://stat.ripe.net/AS65000#tabId=routing

which shows that in the quite recent past (this month) AS65000 has had
several rather dramatic spikes in BGP update activity amounting to
hundreds of routes announced, and then, almost as quickly, withdrawn.

Am I the only person who thinks this might be even a bit noteworthy?


Regards,
rfg

Re: [anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Sascha Luck [ml]

On Sun, Apr 14, 2019 at 05:43:55PM -0700, Ronald F. Guilmette wrote:

> https://bgp.he.net/AS65000#_asinfo
> https://bgp.he.net/AS65000#_prefixes
> https://bgp.he.net/AS65000#_prefixes6
> https://bgp.he.net/AS65000#_peers
> https://bgp.he.net/AS65000#_peers6
>
> The only other thing I feel compelled to say, or ask right now, is just
> this:   Who should I be notifying if there is an issue with this ASN?
> It has no WHOIS records, and thus, no contacts... no email addresses, no
> phone numbers, no snail-mail addresses.  Nothing...
>
> ... and yet this thing has, according to bgp.he.net, no fewer than 27 IPv4
> peers and another 2 for IPv6 only!
>
> I await an explanation from some actual expert.  For myself, I can only
> say that none of this makes a damn bit of sense to me.  But I am willing
> and eager to be educated.

Most likely this is either used in error as an advertising ASN by
someone who doesn't know what they are doing (like the RFC1918
space that crops up in the DFZ now and again) or it's used
internally in their networks and they have omitted to configure
their routers to strip private ASNs from their advertisements
(yes, I've forgotten this myself on occasion).

rgds,
SL
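
The two mechanisms Sascha describes here (a private ASN used in error as the advertising ASN, or an internal ASN that a border router forgot to strip) and his later point that "the next ASN upstream in the path should be the correct one" can be turned into a simple detector. The following is an added example, not code from the thread or from any of the tools mentioned in it: it parses looking-glass style AS paths, flags RFC 6996 private-use ASNs, names the nearest non-private neighbour as the party that exported the leak, and shows what the path would look like had the router stripped private ASNs. The sample paths are constructed, using RFC 5398 documentation ASNs in place of real public networks.

```python
from __future__ import annotations

# RFC 6996 private-use ASN ranges (from the RFC, not stated in the thread).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

def is_private_asn(asn: int) -> bool:
    """True if asn falls in an RFC 6996 private-use range."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)

def parse_as_path(text: str) -> list[int]:
    """Parse a looking-glass style path ("64496 64497 65000", origin last);
    AS_SET members written as "{64497,64498}" are flattened into the list."""
    cleaned = text.replace("{", " ").replace("}", " ").replace(",", " ")
    return [int(tok) for tok in cleaned.split()]

def find_private_leaks(path: list[int]) -> list[tuple[int, int | None]]:
    """Return (private_asn, responsible_asn) pairs. The responsible party is
    the nearest non-private ASN to the left, i.e. the next hop upstream
    towards the collector, which exported the route without stripping the
    private ASN. None means the leak came straight from our own peer."""
    leaks = []
    for i, asn in enumerate(path):
        if is_private_asn(asn):
            upstream = next((c for c in reversed(path[:i])
                             if not is_private_asn(c)), None)
            leaks.append((asn, upstream))
    return leaks

def strip_private_as(path: list[int]) -> list[int]:
    """What a correctly configured border router does before exporting: drop
    every private ASN (simplified; vendor remove-private-AS knobs differ in
    which positions they strip)."""
    return [asn for asn in path if not is_private_asn(asn)]

def report(raw_paths: list[str]) -> list[str]:
    """One line per leaked private ASN, ready for a NOC ticket or an alert."""
    lines = []
    for raw in raw_paths:
        path = parse_as_path(raw)
        for private_asn, upstream in find_private_leaks(path):
            who = f"AS{upstream}" if upstream is not None else "our direct peer"
            lines.append(f"AS{private_asn} leaked via {who} in path [{raw}]; "
                         f"stripped path would be {strip_private_as(path)}")
    return lines

# Constructed sample: 64496-64498 are RFC 5398 documentation ASNs standing in
# for real public networks; AS65000 is the private ASN discussed in the thread.
SAMPLE_PATHS = ["64496 64497 65000",        # private origin, 64497 failed to strip
                "64496 64497 65000 65001",  # two private ASNs, one responsible AS
                "64496 65000 64498",        # private ASN mid-path: leaked peering
                "64496 64497 64498"]        # clean path, nothing reported

if __name__ == "__main__":
    for line in report(SAMPLE_PATHS):
        print(line)
```

Run against paths pulled from a route collector, the "responsible" ASN is the NOC to contact, which is the answer the thread keeps circling around; the private ASN itself has no registry contact because nobody is assigned it.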

[anti-abuse-wg] Mysteries of the Internet: AS65000

2019-04-14 Thread Ronald F. Guilmette

As I believe I have made abundantly clear, I am in favor of the proposal
2019-03, and more generally, I am supportive of the notion that order
is preferable to chaos, particularly when it comes to routing on the
Internet.  The reasons for this preference of mine are so manifest that
they do not even warrant recitation here.

My hope is that I have made Carlos and Jordi aware, via my postings
here, of at least some of the particular points on which we may differ,
and which I would like to see changed in the next draft of 2019-03.

There is one important point of disagreement on which I have not yet
spoken however, and that is Carlos' belief, which may or may not be
shared also by Jordi, that I personally qualify as an "expert" (for
purposes of 2019-03) simply because I have, in some small number of
instances, become aware of what have appeared to be quite deliberate
and malevolent hijackings.

I need to state for the record that this is just wrong.  I am NOT an
"expert" with regard to Internet routing, either legitimate or otherwise.
I do not run a network.  Nor have I ever done so, with the only exception
being my own tiny little network here at home.  I do not own any
equipment that speaks BGP, nor have I ever done so.  I am just a simple
end-luser who has been mad as hell about spammers for about the past 20
years, and who has simply educated himself, as best as he could, to
follow clues and to try to figure out what the spammers are doing and
how they are doing it.  In this process, I have been required to learn
a small bit about routing along the way, but that does not in any sense
qualify me as an "expert" in the area of Internet routing.

In fact, there are and have been, up to and including the present day,
things that I see happening on the Internet that make absolutely no sense
to me whatsoever, and that I cannot for the life of me explain.  I have
just seen one such thing today, and I would like to ask those on this list
who actually -are- qualified experts to please explain it to me, because
all I see here is a mystery wrapped inside of a riddle and stuffed inside
of an enigma.  Here is what I am hoping some actual expert can explain to me:

https://bgp.he.net/AS65000#_asinfo
https://bgp.he.net/AS65000#_prefixes
https://bgp.he.net/AS65000#_prefixes6
https://bgp.he.net/AS65000#_peers
https://bgp.he.net/AS65000#_peers6

I will save all further comment until someone offers me some kind of an
explanation of this apparently strange stuff.  For now, I will only add
that whereas bgp.he.net is showing there as being a total of 66 IPv4
prefixes announced by this (reserved) ASN, the data I am getting from
RIPEstat is indicating a much smaller number of IPv4 announcements (35).
Either way, I am unable to fathom how and why a reserved ASN should be
announcing -anything- at -any- place or point where anybody on the outside
can see it.  (And at least some of those blocks -can- be successfully
tracerout'd to from where I am sitting here in California, so this is by
no means a merely local phenomenon.)

The only other thing I feel compelled to say, or ask right now, is just
this:   Who should I be notifying if there is an issue with this ASN?
It has no WHOIS records, and thus, no contacts... no email addresses, no
phone numbers, no snail-mail addresses.  Nothing...

... and yet this thing has, according to bgp.he.net, no fewer than 27 IPv4
peers and another 2 for IPv6 only!

I await an explanation from some actual expert.  For myself, I can only
say that none of this makes a damn bit of sense to me.  But I am willing
and eager to be educated.


Regards,
rfg


P.S.  If I have seemed self-effacing about the limits of my knowledge above,
that was entirely intentional and deliberate.  Upon looking at this case
of AS65000, I was convinced rather quickly that something is horribly wrong
here.  But trying to figure out who should be held accountable for this mess
is, I confess, utterly beyond me.