-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Trevor,
I just got a notification from my data center that someone is trying to hijack the IP of my exit node. Seems like the sort of thing someone might do when trying to attack Tor. I'm in a very remote area with limited access but any suggestions on actions I should take?
====================================================================
Possible Prefix Hijack (Code: 10)
====================================================================
Your prefix:          204.17.32.0/19:
Prefix Description:   GBLX-US-BGP
Update time:          2018-05-09 12:11 (UTC)
Detected by #peers:   1
Detected prefix:      204.17.56.42/32
Announced by:         AS200005 (Asavie Technologies Limited)
Upstream AS:          AS200005 (Asavie Technologies Limited)
ASpath:               200005
I took a look through our BGP data and peering routers, and I didn't see the /32 being announced. I'm not saying it didn't happen, but rather it may not have carried very far. /32 prefix announcements rarely propagate very far. There are still a great many filters in place that restrict announcements more specific than /24 (or /21, or /19, or ...).
It may be the case that this /32 prefix is a null route that leaked out, which we've seen happen somewhat frequently. The most notorious example was an attempted, and unwittingly leaked, null route in Pakistan (/24s, IIRC) that impacted YouTube.
It appears Asavie does a bit of security and networking work, so possibly this is attributable to that?
Be well,
Rabbi Rob.
- --
Rabbi Rob Thomas
Team Cymru
"It is easy to believe in freedom of speech for those with whom we agree." - Leo McKern
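
One way to triage the alert quoted above, added here as an example and not part of the original messages: it checks whether the detected prefix is a more-specific of the monitored prefix and whether its length is past the /24 filter boundary the reply mentions. The field names come from the quoted alert; `parse_alert`, `triage` and `MAX_ACCEPTED_LEN` are hypothetical names, and treating /24 as the cut-off is an assumption taken from the reply.

```python
import ipaddress
import re

# Alert fields copied from the notification quoted in the message above.
ALERT = """\
Your prefix: 204.17.32.0/19:
Prefix Description: GBLX-US-BGP
Update time: 2018-05-09 12:11 (UTC)
Detected by #peers: 1
Detected prefix: 204.17.56.42/32
Announced by: AS200005 (Asavie Technologies Limited)
Upstream AS: AS200005 (Asavie Technologies Limited)
ASpath: 200005
"""

# Assumption: /24 is the longest IPv4 prefix most networks accept, per the
# reply's remark about filters on announcements more specific than /24.
MAX_ACCEPTED_LEN = 24


def parse_alert(text):
    """Split 'Key: value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def triage(text):
    """Summarise how far the detected announcement is likely to have spread."""
    f = parse_alert(text)
    own = ipaddress.ip_network(f["Your prefix"].rstrip(":"))
    seen = ipaddress.ip_network(f["Detected prefix"])
    origin = re.match(r"AS(\d+)", f["Announced by"]).group(1)
    path = f["ASpath"].split()
    return {
        # A longer prefix inside ours wins longest-match wherever it is accepted.
        "more_specific": seen != own and seen.subnet_of(own),
        "prefix_len": seen.prefixlen,
        # Longer than the filter boundary: unlikely to be carried very far.
        "likely_filtered": seen.prefixlen > MAX_ACCEPTED_LEN,
        "peers": int(f["Detected by #peers"]),
        "origin_as": int(origin),
        # A one-hop path means the reporting peer heard it from the origin itself.
        "seen_directly_from_origin": path == [origin],
    }


if __name__ == "__main__":
    for key, value in triage(ALERT).items():
        print(f"{key}: {value}")
```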