benjojo.co.uk

benjojo posted 03 Jan 2024 17:18 +0000

Ah. Orange Spain has had their /12 (and likely others) broken by (what appears to be) someone breaking into their RIPE account and making RPKI ROA's to somewhere else.

Current reachability of impacted prefixes is pretty poor

The current ROA is pointing to AS49581 ("Ferdinand Zink trading as Tube-Hosting")

Someone has already claimed responsibility for this: https://twitter.com/Ms_Snow_OwO/status/1742357282917109928

Shout out to @tstrickx for informing me of this

benjojo replied 03 Jan 2024 17:29 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/r1zj333N4L6cF7P1xv

Here is a full list of impacted prefixes, that's a lot of broken traffic I suspect...

benjojo replied 03 Jan 2024 17:31 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/69w66xSkFsw73KS8k3

In case it disappears here is the screenshots of the tweet from the alleged person who did the mis-signing

benjojo replied 03 Jan 2024 18:01 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/29dBSKgf66c2D1mvnD

The bad ROAs are now being withdrawn, as far as I can see only these remain with bad ROAs:

IP address blocks:

145.1.240.0/20 maxlen: 20

149.74.0.0/16 maxlen: 16

1.178.232.0/21 maxlen: 21

Using the RPKI CRL File we can see rough estimates to when things where changed/timeline

flangey@chaos.social replied 03 Jan 2024 18:47 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/r1zj333N4L6cF7P1xv

@benjojo @tstrickx the RIPE NCC Access available MFA options and auditability are not really good enough.