AS 54271

Discussion:

AS 54271

(too old to reply)

Marshall Eubanks

2008-07-13 17:01:49 UTC

As of this morning, I am seeing BGP from AS 54271

*> 62.77.196.0/22 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 62.77.254.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 81.17.184.0/22 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 81.17.190.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 82.131.196.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 82.131.198.0/24 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 82.131.248.0/21 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.64.0/22 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.70.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.72.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.78.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.82.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.96.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.99.0/24 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i

This ASN has not been assigned to any RIR. Is this a bogon, or does
anyone know of a legitimate reason for this ?

Regards
Marshall

Patrick W. Gilmore

2008-07-13 17:04:29 UTC

Permalink

Post by Marshall Eubanks
As of this morning, I am seeing BGP from AS 54271

Maybe someone mistyped "65271"? Which is still bad, but not at bad
(IMHO).
--
TTFN,
patrick

Post by Marshall Eubanks
*> 62.77.196.0/22 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 62.77.254.0/23 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 81.17.184.0/22 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 81.17.190.0/23 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 82.131.196.0/23 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 82.131.198.0/24 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 82.131.248.0/21 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.64.0/22 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.70.0/23 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.72.0/23 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.78.0/23 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.82.0/23 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.96.0/23 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
*> 89.148.99.0/24 38.101.161.116 6991 0 174
3549 3549 3549 12301 8696 20922 54271 i
This ASN has not been assigned to any RIR. Is this a bogon, or does
anyone know of a legitimate reason for this ?
Regards
Marshall

Fredy Kuenzler

2008-07-13 17:24:21 UTC

Permalink

Post by Marshall Eubanks
As of this morning, I am seeing BGP from AS 54271

Maybe someone mistyped "65271"? Which is still bad, but not at bad
(IMHO).
46080-47103 Assigned by ARIN whois.arin.net 2008-03-27
47104-48127 Assigned by RIPE NCC whois.ripe.net 2008-04-07
48128-54271 Unassigned
54272-64511 Reserved by the IANA
64512-65534 Designated for private use (Allocated to the IANA)
65535 Reserved

http://www.iana.org/assignments/as-numbers

F.

Jon Kibler

2008-07-13 17:35:19 UTC

Permalink

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Post by Marshall Eubanks
As of this morning, I am seeing BGP from AS 54271
*> 62.77.196.0/22 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i

I would be willing to bet that the IP netblocks being advertised are
unallocated (or, unused within an allocated block). In the past, before
botnets were so common, spammers would often hijack unused netblocks,
advertise routes to them, flood spam from them, then the routes would
disappear, making it impossible to track the spammers.

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkh6PNcACgkQUVxQRc85QlNYcACfWKl/jxJNlt3xcSmK3A1B5/kq
QF0An31R/cHv0U0/u+E7mU/0RvjN+evW
=2AIk
-----END PGP SIGNATURE-----

==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

Joel Jaeggli

2008-07-13 17:35:47 UTC

Permalink

those prefixes all have ripe route object with origin AS 20922

all the routes I see for a given prefix look like the following:

2914 1299 12301 8696 20922 54271
129.250.0.171 from 129.250.0.171 (129.250.0.12)
Origin IGP, metric 1, localpref 100, valid, external
Community: 2914:420 2914:2000 2914:3000 65504:1299

2497 3257 12301 8696 20922 54271
202.232.0.2 from 202.232.0.2 (202.232.0.2)
Origin IGP, localpref 100, valid, external

7660 2516 3257 12301 8696 20922 54271
203.181.248.168 from 203.181.248.168 (203.181.248.168)
Origin IGP, localpref 100, valid, external
Community: 2516:1030

etc...

Post by Marshall Eubanks
As of this morning, I am seeing BGP from AS 54271
*> 62.77.196.0/22 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 62.77.254.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 81.17.184.0/22 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 81.17.190.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 82.131.196.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 82.131.198.0/24 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 82.131.248.0/21 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.64.0/22 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.70.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.72.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.78.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.82.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.96.0/23 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
*> 89.148.99.0/24 38.101.161.116 6991 0 174 3549
3549 3549 12301 8696 20922 54271 i
This ASN has not been assigned to any RIR. Is this a bogon, or does
anyone know of a legitimate reason for this ?
Regards
Marshall

manolo

2008-07-13 17:42:06 UTC

Permalink

This ip space is from Bahrain 89.148.0.0/19 but some how has ended up in
Hungary from an unknown owner. Definitely looks suspicious in my book.

Manolo

Post by Joel Jaeggli
those prefixes all have ripe route object with origin AS 20922
2914 1299 12301 8696 20922 54271
129.250.0.171 from 129.250.0.171 (129.250.0.12)
Origin IGP, metric 1, localpref 100, valid, external
Community: 2914:420 2914:2000 2914:3000 65504:1299
2497 3257 12301 8696 20922 54271
202.232.0.2 from 202.232.0.2 (202.232.0.2)
Origin IGP, localpref 100, valid, external
7660 2516 3257 12301 8696 20922 54271
203.181.248.168 from 203.181.248.168 (203.181.248.168)
Origin IGP, localpref 100, valid, external
Community: 2516:1030
etc...

Scott Morris

2008-07-13 19:02:48 UTC

Permalink

Wouldn't it be better to ask the folks in Hungary (AS20922) who are peering
with this site?

One side, I'd buy the typo. Both sides, mutual typos are a little more
difficult.

Not that conspiracy theories are all that much fun, but I'm finding the
one-sided mistake hard to believe. Either that or the folks at AS20922
haven't figured out that an open bgp peer isn't a great idea! :)

Scott

-----Original Message-----
From: Joel Jaeggli [mailto:***@bogus.com]
Sent: Sunday, July 13, 2008 1:36 PM
To: Marshall Eubanks
Cc: NANOG list
Subject: Re: AS 54271

those prefixes all have ripe route object with origin AS 20922

all the routes I see for a given prefix look like the following:

2914 1299 12301 8696 20922 54271
129.250.0.171 from 129.250.0.171 (129.250.0.12)
Origin IGP, metric 1, localpref 100, valid, external
Community: 2914:420 2914:2000 2914:3000 65504:1299

2497 3257 12301 8696 20922 54271
202.232.0.2 from 202.232.0.2 (202.232.0.2)
Origin IGP, localpref 100, valid, external

7660 2516 3257 12301 8696 20922 54271
203.181.248.168 from 203.181.248.168 (203.181.248.168)
Origin IGP, localpref 100, valid, external
Community: 2516:1030

etc...

Joel Jaeggli

2008-07-13 20:10:30 UTC

Permalink

Post by Scott Morris
Wouldn't it be better to ask the folks in Hungary (AS20922) who are peering
with this site?

These are or appear to be all 20922's prefixes...

54271 is a stub from my vantage points that only appears from behind 20992.

Post by Scott Morris
One side, I'd buy the typo. Both sides, mutual typos are a little more
difficult.

looks more like a lack of clue. off-hand I'd hazard that only one party
is involved.

Post by Scott Morris
Not that conspiracy theories are all that much fun, but I'm finding the
one-sided mistake hard to believe. Either that or the folks at AS20922
haven't figured out that an open bgp peer isn't a great idea! :)
Scott
-----Original Message-----
Sent: Sunday, July 13, 2008 1:36 PM
To: Marshall Eubanks
Cc: NANOG list
Subject: Re: AS 54271
those prefixes all have ripe route object with origin AS 20922
2914 1299 12301 8696 20922 54271
129.250.0.171 from 129.250.0.171 (129.250.0.12)
Origin IGP, metric 1, localpref 100, valid, external
Community: 2914:420 2914:2000 2914:3000 65504:1299
2497 3257 12301 8696 20922 54271
202.232.0.2 from 202.232.0.2 (202.232.0.2)
Origin IGP, localpref 100, valid, external
7660 2516 3257 12301 8696 20922 54271
203.181.248.168 from 203.181.248.168 (203.181.248.168)
Origin IGP, localpref 100, valid, external
Community: 2516:1030
etc...

Christian Koch

2008-07-13 20:40:10 UTC

Permalink

interestingly, before july 7th these prefixes were originating from another
private as - 65501, until sometime that day routes were withdrawn from 65501
and began being announced from 54271...

Post by Joel Jaeggli

Post by Scott Morris
Wouldn't it be better to ask the folks in Hungary (AS20922) who are peering
with this site?

These are or appear to be all 20922's prefixes...
54271 is a stub from my vantage points that only appears from behind 20992.
One side, I'd buy the typo. Both sides, mutual typos are a little more

Post by Scott Morris
difficult.

looks more like a lack of clue. off-hand I'd hazard that only one party is
involved.
Not that conspiracy theories are all that much fun, but I'm finding the

Post by Scott Morris
one-sided mistake hard to believe. Either that or the folks at AS20922
haven't figured out that an open bgp peer isn't a great idea! :)
Scott
-----Original Message-----
1:36 PM
To: Marshall Eubanks
Cc: NANOG list
Subject: Re: AS 54271
those prefixes all have ripe route object with origin AS 20922
2914 1299 12301 8696 20922 54271
129.250.0.171 from 129.250.0.171 (129.250.0.12)
Origin IGP, metric 1, localpref 100, valid, external
Community: 2914:420 2914:2000 2914:3000 65504:1299
2497 3257 12301 8696 20922 54271
202.232.0.2 from 202.232.0.2 (202.232.0.2)
Origin IGP, localpref 100, valid, external
7660 2516 3257 12301 8696 20922 54271
203.181.248.168 from 203.181.248.168 (203.181.248.168)
Origin IGP, localpref 100, valid, external
Community: 2516:1030
etc...

--
^christian$