Ah. Orange Spain has had their /12 (and likely others) broken by (what appears to be) someone breaking into their RIPE account and making RPKI ROA's to somewhere else. Current reachability of impacted prefixes is pretty poor The current ROA is pointing to AS49581 ("Ferdinand Zink trading as Tube-Hosting") Someone has already claimed responsibility for this: https://twitter.com/Ms_Snow_OwO/status/1742357282917109928 Shout out to @tstrickx for informing me of this
flangey@chaos.social
replied 03 Jan 2024 18:47 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/r1zj333N4L6cF7P1xv
benjojo
replied 03 Jan 2024 17:29 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/r1zj333N4L6cF7P1xv
Here is a full list of impacted prefixes, that's a lot of broken traffic I suspect...
benjojo
replied 03 Jan 2024 17:31 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/69w66xSkFsw73KS8k3
In case it disappears here is the screenshots of the tweet from the alleged person who did the mis-signing
benjojo
replied 03 Jan 2024 18:01 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/29dBSKgf66c2D1mvnD
The bad ROAs are now being withdrawn, as far as I can see only these remain with bad ROAs: IP address blocks: 145.1.240.0/20 maxlen: 20 149.74.0.0/16 maxlen: 16 1.178.232.0/21 maxlen: 21 Using the RPKI CRL File we can see rough estimates to when things where changed/timeline