
Possible BGP hijack - v4n4d1s
https://bgpstream.com/event/17605
======
aroch
OMZ Global (AS34329) is an industrial process company (e.g. steel,
manufacturing, shipbuilding, etc.). I'm going to assume someone who shouldn't
have had access to BGP is trying to use it to block Google DNS or similar
inside the corporation.

That or some pretty hilariously heavy-handed state-sponsored hijacking.

~~~
Laforet
IIRC the only commonly accessed service hosted in that IP block is their DNS
servers. There are easier ways to hijack DNS traffic than trying to hijack the
entire prefix via BGP.

A casual browse through the other entries seems to suggest that people mess up
BGP announcements all the time. My favourite one below involves the AS
belonging to S & S Discount Market Pvt Ltd.

[https://bgpstream.com/event/18050](https://bgpstream.com/event/18050)

Edit: It has happened previously

[http://www.bgpmon.net/googles-services-redirected-to-romania...](http://www.bgpmon.net/googles-services-redirected-to-romania-and-austria/)

~~~
nmjohn
> A casual browse through the other entries seems to suggest that people mess
> up BGP announcements all the time.

While it's true that incorrect BGP announcements happen all the time, I think this is
one of the cases where Hanlon's Razor probably does not apply: most of the time
they are not a result of people messing up; rather, the bad announcements come
from spammers/malware spreaders needing new IP space because their current
(likely hijacked) IP space has gotten blacklisted and is no longer effective.

------
nmjohn
Heads up this happened a few days ago, not currently hijacked.

Handy tool though, bookmarked it - using the event graph to display route
changes as detected over time is a great visualization - would be really cool
if there was the same event graph covering the entire internet (though I
suspect without some cleverness in both design and implementation, the
quantity of data would be prohibitively large for building a useful
visualization).

~~~
philip1209
There's a corresponding twitter feed:

[https://twitter.com/bgpstream](https://twitter.com/bgpstream)

------
ra1n85
Am I reading this right that leak lasted 2 hours?

These are often the result of mistakes. Even if OMZ were a tier 1 provider in
RU, the impact would still be limited - I can't see how this could be
intentional.

------
mpitt
BGPStream [1] and RIPEstat [2] indicate that they also briefly announced
prefix 87.23.14.0/24, belonging to a major Italian telco.

[1] [https://bgpstream.com/event/17606](https://bgpstream.com/event/17606)

[2] [https://stat.ripe.net/widget/announced-prefixes#w.resource=A...](https://stat.ripe.net/widget/announced-prefixes#w.resource=AS34329&w.starttime=2000-08-01T00%3A00)

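The two events discussed in this thread (an AS originating a prefix registered to someone else, and an AS announcing a more-specific of someone else's prefix) are exactly what an origin check against registration data catches. The following is an added example, not code from BGPStream or anyone in the thread: it compares constructed announcements against a constructed table of authorised origins (reserved ASNs from RFC 5398 stand in for the victims, since the thread does not name them; AS34329 and 87.23.14.0/24 are taken from the thread) and flags origin mismatches and unauthorised more-specifics. In practice the table would be populated from RPKI ROAs or IRR route objects.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    prefix: str
    origin_as: int
    kind: str       # "origin_mismatch" (exact prefix) or "more_specific"
    covering: str   # the registered prefix the announcement conflicts with

def find_covering(prefix, expected):
    """Return the most specific registered prefix covering `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for reg in expected:
        reg_net = ipaddress.ip_network(reg)
        if net.version != reg_net.version or not net.subnet_of(reg_net):
            continue
        if best is None or reg_net.prefixlen > ipaddress.ip_network(best).prefixlen:
            best = reg
    return best

def check_announcements(announcements, expected):
    """Flag announcements whose origin AS is not authorised for the prefix.

    announcements: iterable of (prefix, as_path); as_path lists ASNs with the
    origin AS last. expected: registered prefix -> set of authorised origins.
    """
    alerts = []
    for prefix, as_path in announcements:
        if not as_path:
            continue
        origin = as_path[-1]
        covering = find_covering(prefix, expected)
        if covering is None or origin in expected[covering]:
            continue  # no registration to compare against, or a legitimate origin
        kind = "origin_mismatch" if prefix == covering else "more_specific"
        alerts.append(Alert(prefix, origin, kind, covering))
    return alerts

# Constructed sample data (hypothetical authorised origins use reserved ASNs).
EXPECTED = {"87.23.14.0/24": {64496}, "8.8.8.0/24": {64497}}
SAMPLE_UPDATES = [
    ("87.23.14.0/24", [64510, 64509, 64496]),  # legitimate origin
    ("87.23.14.0/24", [64510, 34329]),         # same prefix, foreign origin
    ("8.8.8.0/25", [64510, 34329]),            # more-specific: wins longest-match
    ("8.8.8.0/24", [64510, 64498, 64497]),     # legitimate origin
    ("203.0.113.0/24", [64510, 34329]),        # unregistered prefix: not assessed
]

if __name__ == "__main__":
    for a in check_announcements(SAMPLE_UPDATES, EXPECTED):
        print(f"{a.kind}: {a.prefix} from AS{a.origin_as} (registered {a.covering})")
```

Note that a more-specific announced by an authorised origin is not flagged, which is the usual traffic-engineering case; an exact-prefix origin change only draws traffic where the new path wins on policy, whereas a foreign more-specific wins everywhere by longest match.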
------
zdw
The BGPlay visualization on that page appears to be open sourced:
[https://github.com/MaxCam/BGPlay](https://github.com/MaxCam/BGPlay)

------
joantune
* Edited: Disregard this comment *

Ok, so if OMZ is Russian, do know this:

Russia currently is 'blocking' several websites, i.e. blocking at a DNS level,
so this might be a half-witted attempt at keeping the censorship.

And as @swiley noted: some people only use the easier to remember 8.8.8.8 (I
do that for instance)

~~~
ryanlol
Unlikely.

Especially since that's not really how Roskomnadzor's blocking works.

~~~
ycmbntrthrwaway
Roskomnadzor "works" by publishing a list of IP addresses and domain names for
ISPs to download. A copy of it is leaked to
[http://reestr.rublacklist.net/](http://reestr.rublacklist.net/) in real time.
Each ISP implements blocking in its own way: DNS blocking, transparent Squid
proxy, firewalls or nothing at all sometimes. Nobody really cares if something
is actually blocked. BGP hijacking for the purpose of blocking websites is
really unlikely at this point.

