
benjojo posted 03 Jan 2024 17:18 +0000

Ah. Orange Spain has had their /12 (and likely others) broken by (what appears to be) someone breaking into their RIPE account and making RPKI ROAs to somewhere else.

Current reachability of impacted prefixes is pretty poor.

The current ROA is pointing to AS49581 ("Ferdinand Zink trading as Tube-Hosting")

Someone has already claimed responsibility for this: https://twitter.com/Ms_Snow_OwO/status/1742357282917109928

Shout out to @tstrickx for informing me of this


benjojo replied 03 Jan 2024 18:01 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/29dBSKgf66c2D1mvnD

The bad ROAs are now being withdrawn; as far as I can see, only these remain with bad ROAs:

IP address blocks:

145.1.240.0/20 maxlen: 20

149.74.0.0/16 maxlen: 16

1.178.232.0/21 maxlen: 21


Using the RPKI CRL file we can see rough estimates of when things were changed (timeline):

A list of timestamps, with a flurry of activity around 13:59:48 and 09:38:58
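Why a ROA pointing at another AS breaks reachability, as an added example that is not part of the original posts: a minimal RFC 6811 route origin validation over the three ROAs listed above. It assumes those ROAs authorise AS49581 (the AS named in the first post); AS64500 is a documentation-range placeholder for the prefix holder's real origin AS, which the thread does not give.

```python
import ipaddress

# ROAs from the reply above: (prefix, maxLength, authorised origin AS).
# Assumption: each authorises AS49581, the AS named in the first post.
ROAS = [
    ("145.1.240.0/20", 20, 49581),
    ("149.74.0.0/16", 16, 49581),
    ("1.178.232.0/21", 21, 49581),
]
HOLDER_AS = 64500  # placeholder (RFC 5398 documentation ASN), not the real origin


def validate(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation. Returns (state, reasons)."""
    route = ipaddress.ip_network(prefix)
    reasons = []
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # Only ROAs whose prefix covers the route take part in the decision.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        if route.prefixlen > max_len:
            reasons.append(f"{roa_prefix}: /{route.prefixlen} exceeds maxlen {max_len}")
        elif roa_as == 0 or roa_as != origin_as:
            reasons.append(f"{roa_prefix}: ROA authorises AS{roa_as}, not AS{origin_as}")
        else:
            return "valid", []  # one matching ROA is enough
    # Covered by at least one ROA but matched by none: invalid.
    return ("invalid", reasons) if reasons else ("not-found", [])


if __name__ == "__main__":
    # Constructed sample announcements.
    samples = [
        ("149.74.0.0/16", HOLDER_AS),   # holder's own route
        ("149.74.0.0/16", 49581),       # route from the AS in the ROA
        ("149.74.10.0/24", 49581),      # more specific than maxlen allows
        ("192.0.2.0/24", HOLDER_AS),    # no covering ROA
    ]
    for prefix, asn in samples:
        state, why = validate(prefix, asn)
        print(f"{prefix:<18} AS{asn:<6} {state:<10} {'; '.join(why)}")
    # A correct ROA alongside the bad one makes the holder's route valid again.
    fixed = ROAS + [("149.74.0.0/16", 16, HOLDER_AS)]
    print("with holder ROA added:", validate("149.74.0.0/16", HOLDER_AS, fixed)[0])
```

Networks that drop RPKI-invalid routes discard the holder's announcement in the first case, which matches the poor reachability described in the first post.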