RE: AS3549 NOC contacts? Another BGP hijack
Our info is up to date on the whois with ARIN where the issuance is from
https://whois.arin.net/rest/asn/AS3549/pft?s=3549

Preferred is ipad...@centurylink.com

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Bolitho
Sent: Friday, July 19, 2019 4:33 PM
To: Dmitry A.Deineka
Cc: nanog@nanog.org
Subject: Re: AS3549 NOC contacts? Another BGP hijack

NOC is 877-453-8353. That will get you the legacy Global Crossing (Level 3) teams.

On Fri, Jul 19, 2019, 2:12 PM Dmitry A.Deineka <dmi...@deineka.net> wrote:

Greetings,

Unfortunately, n...@gblx.net is not accepting emails anymore. Someone from AS3549 announced one of our network (more specific route) 46.28.67.0/24.

It's not major impact but it's like that at least RIPE whois has outdated contact information about responsive persons.

Can someone kindly share contact email of AS3549 (Centurylink?) NOC or other direct contacts?

Regards,
Dmitry

--
Dmitry A.Deineka
ITLDC
Re: AS3549 NOC contacts? Another BGP hijack
NOC is 877-453-8353. That will get you the legacy Global Crossing (Level 3) teams.

On Fri, Jul 19, 2019, 2:12 PM Dmitry A.Deineka wrote:

> Greetings,
>
> Unfortunately, n...@gblx.net is not accepting emails anymore. Someone from
> AS3549 announced one of our network (more specific route) 46.28.67.0/24.
>
> It's not major impact but it's like that at least RIPE whois has outdated
> contact information about responsive persons.
>
> Can someone kindly share contact email of AS3549 (Centurylink?) NOC or
> other direct contacts?
>
> Regards,
> Dmitry
>
> --
> Dmitry A.Deineka
> ITLDC
AS3549 NOC contacts? Another BGP hijack
Greetings,

Unfortunately, n...@gblx.net is not accepting emails anymore. Someone from AS3549 announced one of our network (more specific route) 46.28.67.0/24.

It's not major impact but it's like that at least RIPE whois has outdated contact information about responsive persons.

Can someone kindly share contact email of AS3549 (Centurylink?) NOC or other direct contacts?

Regards,
Dmitry

--
Dmitry A.Deineka
ITLDC
Level3 (AS3549) BGP contact off-list
Hi,

Currently experiencing trouble with BGP session between 49463 and 3549.

Relevant router: cdg2.gblx.net

Can you please contact me off-list for resolution?

Thanks
Level3 - AS3549 US IPv6 Routing
I have noticed for the last couple of weeks that Level3 is routing IPV6 traffic to Global Crossing AS via Seattle. Seeing it from multiple connections we have in the US, plus Level3 Looking Glass also shows the routes learned in Seattle from DC. I can't see them only peering in Seattle from US locations. Europe is different, seems to be routing correctly from what I see on the looking glass.

Route results for 2001:450::/32 from Washington, DC

BGP routing table entry for 2001:450::/32
Paths: (2 available, best #1)
  3549, (aggregated by 3549 err41.sea1.gblx.mgmt)
  AS-path translation: { GBLX }
    2001:1900::3:91 (metric 7502)
      Origin IGP, localpref 100, valid, internal, atomic-aggregate, best
      Community: 3549:5001 3549:30840
      Originator: edge1.Seattle3
  3549, (aggregated by 3549 err41.sea1.gblx.mgmt)
  AS-path translation: { GBLX }
    2001:1900::3:91 (metric 7502)
      Origin IGP, localpref 100, valid, internal, atomic-aggregate
      Community: 3549:5001 3549:30840
      Originator: edge1.Seattle3

Route results for 2001:450::/32 from Frankfurt, Germany

BGP routing table entry for 2001:450::/32
Paths: (2 available, best #1)
  3549, (aggregated by 3549 err41.fra4.gblx.mgmt)
  AS-path translation: { GBLX }
    2001:1900:2::3:8 (metric 40)
      Origin IGP, metric 10, localpref 86, valid, internal, atomic-aggregate, best
      Community: Europe Lclprf_86 Germany IPv6-valid Level3_Peer Community_ERROR Frankfurt
      Originator: edge4.Frankfurt1
  3549, (aggregated by 3549 err41.fra4.gblx.mgmt)
  AS-path translation: { GBLX }
    2001:1900:2::3:8 (metric 40)
      Origin IGP, metric 10, localpref 86, valid, internal, atomic-aggregate
      Community: Europe Lclprf_86 Germany IPv6-valid Level3_Peer Community_ERROR Frankfurt
      Originator: edge4.Frankfurt1

Traceroute from one of my connections in DC. Doesn't matter what I source the route from. I have also seen this to customers behind AS3549 too.

4. vl-4081.edge2.washington1.level3 0.0% 71.6 1.6 1.6 1.6 0.0
5. vl-4061.car1.newyork2.level3.net 0.0% 76.9 7.5 6.9 10.6 1.4
6. vl-4081.car2.newyork2.level3.net 0.0% 77.0 41.0 7.0 158.2 61.0
7. vl-4061.car1.chicago1.level3.net 0.0% 7 27.7 27.5 27.4 27.7 0.1
8. vl-4040.edge1.chicago2.level3.ne 0.0% 7 27.7 30.0 27.6 44.3 6.3
9. vl-4042.edge6.denver1.level3.net 0.0% 7 51.9 51.9 51.8 52.0 0.1
10. vl-4060.car2.seattle1.level3.net 0.0% 6 186.2 119.0 78.5 186.2 51.6
11. 2001:1900:1b:1::9 0.0% 6 78.4 78.4 78.3 78.6 0.1
12. 2001:450:2008:100::1350.0% 6 86.4 87.2 86.4 90.0 1.4
13. 2001:450:2002:288::2 0.0% 6 85.2 85.3 85.1 85.5 0.1

If I route this traffic via Telia it goes direct to Global Crossing's with a much lower latency.

Has anyone else seen this issue with Level3?

Thanks,
Adam
RE: AS3549 Level3/GBLX carrying routing for 10.0.0.0/8
This should now be fixed. As a general matter of policy, we do filter out 10/8, but somehow the filter list for a customer was empty which then defaults to an implicit accept. We're in the process of improving our config audits to catch this in the future.

Dave

-----Original Message-----
From: Larry Sheldon [mailto:larryshel...@cox.net]
Sent: Saturday, July 20, 2013 10:31 PM
To: nanog@nanog.org
Subject: Re: AS3549 Level3/GBLX carrying routing for 10.0.0.0/8

On 7/20/2013 11:26 PM, Yang Yu wrote:
> It appears AS3549 is announcing 10.0.0.0/8. I noticed it from an AS3549 customer.

I wonder why people don't drop any update that contains stuff like RFC 1918 space.

--
Requiescas in pace o email
Ex turpi causa non oritur actio

Two identifying characteristics of System Administrators:
Infallibility, and the ability to learn from their mistakes.
(Adapted from Stephen Pinker)
Re: AS3549 Level3/GBLX carrying routing for 10.0.0.0/8
On Mon, Jul 22, 2013 at 3:36 PM, Siegel, David david.sie...@level3.com wrote:
> This should now be fixed. As a general matter of policy, we do filter out 10/8, but somehow the filter list for a customer was empty which then defaults to an implicit accept. We're in the process of improving our config audits to catch this in the future.

what happens if they register a route object for 10/8? :)

> Dave
>
> -----Original Message-----
> From: Larry Sheldon [mailto:larryshel...@cox.net]
> Sent: Saturday, July 20, 2013 10:31 PM
> To: nanog@nanog.org
> Subject: Re: AS3549 Level3/GBLX carrying routing for 10.0.0.0/8
>
> On 7/20/2013 11:26 PM, Yang Yu wrote:
> It appears AS3549 is announcing 10.0.0.0/8. I noticed it from an AS3549 customer.
>
> I wonder why people don't drop any update that contains stuff like RFC 1918 space.
>
> --
> Requiescas in pace o email
> Ex turpi causa non oritur actio
>
> Two identifying characteristics of System Administrators:
> Infallibility, and the ability to learn from their mistakes.
> (Adapted from Stephen Pinker)
Re: AS3549 Level3/GBLX carrying routing for 10.0.0.0/8
Perhaps we should all take a moment and review RFC 5735, 6598, 6890, and 5156 and implement filtering in the appropriate places and help make the Internet a safer place to play. Think of the children!

...heh

--chip

On Mon, Jul 22, 2013 at 3:44 PM, Christopher Morrow morrowc.li...@gmail.com wrote:
> On Mon, Jul 22, 2013 at 3:36 PM, Siegel, David david.sie...@level3.com wrote:
>> This should now be fixed. As a general matter of policy, we do filter out 10/8, but somehow the filter list for a customer was empty which then defaults to an implicit accept. We're in the process of improving our config audits to catch this in the future.
>
> what happens if they register a route object for 10/8? :)
>
>> Dave
>>
>> -----Original Message-----
>> From: Larry Sheldon [mailto:larryshel...@cox.net]
>> Sent: Saturday, July 20, 2013 10:31 PM
>> To: nanog@nanog.org
>> Subject: Re: AS3549 Level3/GBLX carrying routing for 10.0.0.0/8
>>
>> On 7/20/2013 11:26 PM, Yang Yu wrote:
>> It appears AS3549 is announcing 10.0.0.0/8. I noticed it from an AS3549 customer.
>>
>> I wonder why people don't drop any update that contains stuff like RFC 1918 space.
>>
>> --
>> Requiescas in pace o email
>> Ex turpi causa non oritur actio
>>
>> Two identifying characteristics of System Administrators:
>> Infallibility, and the ability to learn from their mistakes.
>> (Adapted from Stephen Pinker)

--
Just my $.02, your mileage may vary, batteries not included, etc
AS3549 Level3/GBLX carrying routing for 10.0.0.0/8
It appears AS3549 is announcing 10.0.0.0/8. I noticed it from an AS3549 customer.

From GBLX looking glass, ATL1

traceroute
Protocol [ip]: ip
Target IP address: 10.0.0.1
Source address:
Numeric display [n]: n
Timeout in seconds [3]: 1
Probe count [3]: 2
Minimum Time to Live [1]: 1
Maximum Time to Live [30]: 30
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.0.0.1
VRF info: (vrf in name/id, vrf out name/id)
1 te3-1-10G.par9.CTA1.GRU.gblx.net (67.16.142.26) 120 msec 124 msec
2 122.5.125.189.static.impsat.net.br (189.125.5.122) 120 msec 120 msec
3 10.0.0.1 [AS 262487] 124 msec 120 msec

Apparently the customer didn't have proper inbound filter..

Reply from 10.0.0.1: bytes=32 time=132ms TTL=61
Re: AS3549 Level3/GBLX carrying routing for 10.0.0.0/8
On 7/20/2013 11:26 PM, Yang Yu wrote:
> It appears AS3549 is announcing 10.0.0.0/8. I noticed it from an AS3549 customer.

I wonder why people don't drop any update that contains stuff like RFC 1918 space.

--
Requiescas in pace o email
Ex turpi causa non oritur actio

Two identifying characteristics of System Administrators:
Infallibility, and the ability to learn from their mistakes.
(Adapted from Stephen Pinker)
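The failure described in this thread, a customer filter list that is empty and so falls through to an implicit accept, can be caught by a config audit and avoided by a filter that fails closed. The sketch below is an added example, not Level 3's tooling or code from any poster; the customer names, sample prefixes and function names are hypothetical, and the bogon list is only a subset of the special-purpose space in RFC 1918, 6598 and 6890.

```python
import ipaddress

# Subset of special-purpose IPv4 space (RFC 1918, RFC 6598, RFC 6890).
# The documentation ranges are left out only so they can stand in for
# customer prefixes in the constructed sample data below.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4",
)]


def is_bogon(prefix):
    """True if the prefix overlaps any special-purpose block."""
    net = ipaddress.ip_network(prefix)
    return any(net.overlaps(b) for b in BOGONS)


def _covered(prefix, allowed):
    """True if the prefix is equal to or more specific than an allowed entry."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def legacy_accept(prefix, allowed):
    """Model of the behaviour in the thread: an empty list accepts everything."""
    if not allowed:
        return True
    return _covered(prefix, allowed)


def strict_accept(prefix, allowed):
    """Fail closed: bogons are dropped first, and an empty list accepts nothing."""
    if is_bogon(prefix) or not allowed:
        return False
    return _covered(prefix, allowed)


def audit(filters):
    """Return (customer, problem) findings for a {customer: [prefix, ...]} map."""
    findings = []
    for customer, allowed in sorted(filters.items()):
        if not allowed:
            findings.append((customer, "empty filter list (implicit accept)"))
        for p in allowed:
            if is_bogon(p):
                findings.append((customer, f"bogon entry {p}"))
    return findings


# Constructed sample data: customer names and prefixes are hypothetical.
FILTERS = {
    "cust-a": ["192.0.2.0/24", "198.51.100.0/24"],
    "cust-b": [],                                  # the case from the thread
    "cust-c": ["203.0.113.0/24", "10.0.0.0/8"],    # e.g. generated from a bad route object
}

if __name__ == "__main__":
    for customer, problem in audit(FILTERS):
        print(f"{customer}: {problem}")
    for customer, allowed in FILTERS.items():
        print(customer, "10.0.0.0/8",
              "legacy:", legacy_accept("10.0.0.0/8", allowed),
              "strict:", strict_accept("10.0.0.0/8", allowed))
```

Because `strict_accept` checks the bogon list before the per-customer list, a 10/8 entry that reaches the customer list (the route-object question raised in the thread) is still rejected and is reported by `audit`.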
Is Level(3) AS3356 absorbing GBLX AS3549
Overnight BGPmon reports that 3356 was adjacent to our AS, but it is not. Only plausible situation I can think of is Level(3) absorbing the 3549 GlobalCrossing AS. Is this going on? Or am I suffering from insufficient caffeination? -cjp
Re: Is Level(3) AS3356 absorbing GBLX AS3549
Yep,
http://www.nanog.org/meetings/nanog56/presentations/Monday/mon.lightning.siegel.pdf

On Thu, Jan 24, 2013 at 6:03 AM, Christopher J. Pilkington c...@0x1.net wrote:
> Overnight BGPmon reports that 3356 was adjacent to our AS, but it is not. Only plausible situation I can think of is Level(3) absorbing the 3549 GlobalCrossing AS.
>
> Is this going on? Or am I suffering from insufficient caffeination?
>
> -cjp
Re: HIJACKED: AS18466, courtesy of Global Crossing (AS3549)
Hello Ronald,

<disclaimer>I do work for LACNIC</disclaimer>
<sorry>I'm really late in my NANOG followups</sorry>

> P.P.S. Although I have previously bemoaned ARIN's lack of aggressiveness in reclaiming abandoned ASNs and IP blocks that have been hijacked, I feel compelled to note that at least they (ARIN) do have a process in place for doing so, i.e. when and if they are motivated in that direction. I have it on good authority however that LACNIC does not even have an established process for reclaiming abandoned number resources. Given that the problem of hijacked number resources, rather than disappearing, is in fact accelerating, over time, I do believe that it would behove LACNIC and other RiRs to develop processes for reclaiming abandoned resources, in particular when and where it becomes evident that these resources have been hijacked.

I would like to get in touch with the good authority you mention as he/she seems to be quite misinformed. LACNIC has, and has applied in the past, policies and procedures for resource recovery due to abandonment and other issues.

The original resource recovery policy is LACNIC-2009-06 and the English text can be found here: http://www.lacnic.net/en/politicas/manual7-1.html

You can also find the list of recovered prefixes and ASNs here: http://www.lacnic.net/en/registro/revocacion.html

I am not the expert on how the recovery process actually works but I can get you or the person who mentioned this alleged lack of process to you in touch with the staff who actually do work with resource recovery.

regards

Carlos

--
Carlos M. Martinez-Cagnazzo
http://www.labs.lacnic.net
HIJACKED: AS18466, courtesy of Global Crossing (AS3549)
Abundant evidence indicates that AS18466, allocated by LACNIC, has been hijacked. All of the routes currently announced by this AS, i.e.:

170.25.0.0/19
170.25.32.0/19
170.25.160.0/19
170.25.192.0/19

are currently routing IP blocks, also allocated by LACNIC, which also themselves appear to have been hijacked.

As you can see below, AS18466 was first allocated (apparently by ARIN) on 2000-08-31 and its WHOIS record was last updated on 2006-06-16. Note however that the domain associated with the contact e-mail address for this ASN, i.e. geminicom.net was apparently re-registered on 2010-11-01, undoubtedly by the hijacker. (This is the most commonly used approach to AS and IP block hijacking, i.e. find an abandoned AS or IP block whose contact domain has become unregistered and then simply re-register it and then pretend that you are the original party to whom the resource was allocated. In short, fraud and identity theft.)

=
aut-num: AS18466
owner: Geminicommunications Limited
ownerid: BZ-GELI-LACNIC
address: 13 1/2 Northern Highway
address: Belize City,
country: BZ
owner-c: HC170-ARIN
created: 2831
changed: 20060616
source: ARIN-HISTORIC

nic-hdl: HC170-ARIN
person: Hans Cardenas
e-mail: hcarde...@geminicom.net
address: 13 1/2 Northern Highway
address: Belize City,
country: BZ
phone: 501254011
source: ARIN-HISTORIC
=

As shown here: http://www.robtex.com/as/as18466.html#graph AS18466 is connected to the Internet only via Global Crossing.

In my opinion, and based on the available evidence, there appear to me to be only two possibilities. Either (1) Global Crossing is consciously and intentionally participating in this fraud and identity theft scheme or else (2) Global Crossing has allowed itself to be hoodwinked by crooks who convinced one or more decision makers at Global Crossing to allow fraudulent route announcements to pass to the wider Internet via Global Crossing's network.

I look forward to Global Crossing's clarification of this event.
Additional evidence of this hijacking may be found here:

ftp://ftp.tristatelogic.com/pub/AS18466-rDNS.txt

and also here:

ftp://ftp.tristatelogic.com/pub/AS18466-nameservers.txt

Both of these files show an abundance of snowshoe spamming domains which are associated with the IPv4 space currently routed by AS18466. All of these domains have been registered in the relatively recent past, and all of them have been registered either with WHOIS anonymity cloaking or with clearly fraudulent WHOIS information.

Additional supporting evidence of this hijacking is also readily available in the form of the following fraudulent web site:

http://geminicom.net/

This false front web site, intended to serve as part of the clever deception surrounding the miraculous rebirth of Geminicommunications Limited, is in fact nothing more than a thin veneer, much of which appears to have been simply stolen/copied from the web site of a legitimate UK company, i.e. http://www.8el.com/ (That copying itself represents yet another fraudulent and illegal act, i.e. blatant copyright violation.)

As was true with the prior group of IP hijackings that I reported on back on April 14th[1], in this case also the majority of the snowshoe spamming domains involved in this incident (as shown in the AS18466-rDNS.txt file, see above) have been registered via the ICANN accredited registrar named Dynamic Dolphin, Inc. It is, I believe, well and widely known by this time that Dynamic Dolphin, Inc. is among the past and/or present business interests of the notorious Scott Richter, interests which include, or which have included bulk e-mail advertising firm Media Breakaway LLC, aka OptInRealBig.

Other evidence I have in hand also indicates a clear connection between this hijacked IP space and another of Richter's business interests, specifically a company called WholesaleBandwidth, Inc. (I am not disclosing this additional evidence publicly at the present time. I have my reasons.)
FULL DISCLOSURE: Previously, in 2005, my company filed a legal claim in the bankruptcy proceeding of Media Breakaway LLC, said bankruptcy having been largely if not entirely precipitated by a multi-million dollar legal action initiated by Microsoft against Media Breakaway LLC and Scott Richter personally for various alleged mass violations of various anti-spam laws. My company's claim was subsequently dismissed by the bankruptcy judge in that case (improperly, in my view) and following the later dismissal of the bankruptcy case, the Richters (Scott and father Steve) sued myself, my company, and my attorney for alleged abuse of process, specifically for having had the gumption to show up in the bankruptcy case and make a claim not too awfully different
Re: Global Crossing/GBLX tech needed - AS3549
location?

----- Original Message -----
From: Matt Disuko gourmetci...@hotmail.com
To: NANOG nanog@nanog.org
Sent: Thu, December 9, 2010 3:02:59 PM
Subject: Global Crossing/GBLX tech needed - AS3549

Can a Global Crossing IP engineer please contact me off-list?

Thanks,
Matt
Global Crossing/GBLX tech needed - AS3549
Can a Global Crossing IP engineer please contact me off-list? Thanks, Matt
Re: AS3549
We had some problems with them too between their NYC and Sunnyvale pops from Jan 21 1000h UTC to 1700h UTC. Edge began dropping packets. No RFO as of yet.

On Friday, 22 January, 2010 01:58 AM, Hans Goes wrote:
> Just wondering if other people on this list experience similar problems with BGP sessions behind AS3549 ? It seems our trouble ticket is currently being taken care of and the GlobalCrossing NOC is investigating.
>
> If other people experience the same thing please let me know.
>
> PS: we are located in Amsterdam, Netherlands
>
> Hans Goes
> Senior Network Engineer
> IS Interned Services - PROUD AND CLEAR.
> www.is.nl
> +31 299 476 185
> Gorslaan 18
> 1441 RG Purmerend
> The Netherlands
>
> cr1.ams2#sho ip bgp flap-stat inc 208.50.59.105
> * 4.23.88.0/24 208.50.59.105 1 00:17:43 3549 7018 46164
> * 4.23.89.0/24 208.50.59.105 1 00:17:43 3549 7018 46164
> * 4.23.92.0/23 208.50.59.105 1 00:17:43 3549 7018 46164
> * 4.23.94.0/23 208.50.59.105 1 00:17:43 3549 7018 46164
> * 4.38.0.0/21 208.50.59.105 1 00:17:43 3549 7018 46164
> * 4.38.8.0/21 208.50.59.105 1 00:17:43 3549 7018 46164
> * 4.43.50.0/24 208.50.59.105 1 00:17:43 3549 7018 46164
> * 4.43.51.0/24 208.50.59.105 1 00:17:43 3549 7018 46164
> * 4.67.96.0/21 208.50.59.105 1 00:17:43 3549 7018 46164
> * 4.67.104.0/21 208.50.59.105 1 00:17:43 3549 7018 46164
> * 8.14.0.0/20 208.50.59.105 1 00:17:43 3549 7018 46164
> * 8.14.16.0/20 208.50.59.105 1 00:17:43 3549 7018 46164
> * 24.49.84.0/23 208.50.59.105 1 00:01:22 3549 3356 7843
> * 24.49.89.0/24 208.50.59.105 1 00:01:22 3549 3356 7843
> * 38.97.109.0/24 208.50.59.105 2 00:25:18 3549 701 20417
> * 41.0.144.0/20 208.50.59.105 2 00:21:47 3549 5713 36994
AS3549
Just wondering if other people on this list experience similar problems with BGP sessions behind AS3549 ? It seems our trouble ticket is currently being taken care of and the GlobalCrossing NOC is investigating.

If other people experience the same thing please let me know.

PS: we are located in Amsterdam, Netherlands

Hans Goes
Senior Network Engineer
IS Interned Services - PROUD AND CLEAR.
www.is.nl
+31 299 476 185
Gorslaan 18
1441 RG Purmerend
The Netherlands

cr1.ams2#sho ip bgp flap-stat inc 208.50.59.105
* 4.23.88.0/24 208.50.59.105 1 00:17:43 3549 7018 46164
* 4.23.89.0/24 208.50.59.105 1 00:17:43 3549 7018 46164
* 4.23.92.0/23 208.50.59.105 1 00:17:43 3549 7018 46164
* 4.23.94.0/23 208.50.59.105 1 00:17:43 3549 7018 46164
* 4.38.0.0/21 208.50.59.105 1 00:17:43 3549 7018 46164
* 4.38.8.0/21 208.50.59.105 1 00:17:43 3549 7018 46164
* 4.43.50.0/24 208.50.59.105 1 00:17:43 3549 7018 46164
* 4.43.51.0/24 208.50.59.105 1 00:17:43 3549 7018 46164
* 4.67.96.0/21 208.50.59.105 1 00:17:43 3549 7018 46164
* 4.67.104.0/21 208.50.59.105 1 00:17:43 3549 7018 46164
* 8.14.0.0/20 208.50.59.105 1 00:17:43 3549 7018 46164
* 8.14.16.0/20 208.50.59.105 1 00:17:43 3549 7018 46164
* 24.49.84.0/23 208.50.59.105 1 00:01:22 3549 3356 7843
* 24.49.89.0/24 208.50.59.105 1 00:01:22 3549 3356 7843
* 38.97.109.0/24 208.50.59.105 2 00:25:18 3549 701 20417
* 41.0.144.0/20 208.50.59.105 2 00:21:47 3549 5713 36994