Possible BGP hijack of 1.1.1.1

I'm using AnchNet's services. And We've asked AnchNet when I recieved a e-mail from our BGPMon. They said their staff was configured a wrong config on router. Also they don't know 1.1.1.0/24 is used by CloudFlare&APNIC. So they used this prefix to test.

Does anyone else find it sort of beautiful watching replays of events like this? It's amazing to watch how the routers organise themselves, making and breaking connections when needed.

ASN 58879 belongs to Shanghai Anchang Network Security Technology Co.,Ltd (China) according to <a href="https:&#x2F;&#x2F;ipinfo.io&#x2F;AS58879" rel="nofollow">https:&#x2F;&#x2F;ipinfo.io&#x2F;AS58879</a><p>website: <a href="https:&#x2F;&#x2F;www.anchnet.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.anchnet.com&#x2F;</a>

Ah! That may have been the reason why my site wasn&#x27;t resolving earlier today. It was the weirdest situation with people from all over the planet complaining without any apparent pattern, a RIPE check of the site from 10 different locations showed no issues in connectivity.<p>Thanks for posting this.

Large companies misuse &quot;unassigned&quot; space all the time. I have heard engineers at my work propose using the non public routed DOD &#x2F;8 before. Not on my watch!

Network engineer here: I&#x27;m going to guess that this is a mistaken effort on the part of a Chinese ISP or the GFW to hijack traffic to 1.1.1.1 internally within China, but probably not intended to propagate beyond the major Chinese international-transit-ISP&#x27;s connections to the global Internet. BCP38 is your friend.

I doubt that this is a genuine hijacking attempt. All it takes is a Cisco router and some IT admin making up an address.

How effective is this? Looking at <a href="https:&#x2F;&#x2F;bgp.he.net&#x2F;ip&#x2F;1.1.1.1" rel="nofollow">https:&#x2F;&#x2F;bgp.he.net&#x2F;ip&#x2F;1.1.1.1</a>, 1.1.1.0&#x2F;24 is apparently &quot;ROA Signed and Valid&quot;. I don&#x27;t know a lot about BGP. Does this mean hijacking this subnet is a bit harder than unsigned ones because some or all ISPs verify this announcement? Or is it faster&#x2F;easier to detect?<p>Maybe a wider question: is there some way to prevent BGP hijacking?

Interesting!<p>My ping to that address went terrible for a brief window today - <a href="https:&#x2F;&#x2F;i.imgur.com&#x2F;KjCcBeT.png" rel="nofollow">https:&#x2F;&#x2F;i.imgur.com&#x2F;KjCcBeT.png</a><p>Wonder if this was the cause.<p>*edit: I&#x27;m in Cape Town and the ping looks what was routing to a DC down the road decided to go to Europe instead.

What does this mean for those unfamiliar?

Would this affect certificate-validating clients doing DNS-over-HTTPS to 1.1.1.1 — doesn’t it have an ipAddress certificate and demand HTTPS resolution only?

So who is going to tell the 13 peers that they should not accept BGP path advertisements for 1.1.1.0 from anyone but Cloudflare?

I use 1.1.1.1 Do I need to do anything? Can I just continue using it or do I need to clear some cache etc?

That awkward moment when you read an IP and the first thought is &quot;But that belongs to Cloudflare I read about this&quot;

Are people here really using 1.1.1.1 as a DNS server...? Do people here _really_ think that Cloudflare isn&#x27;t giving your data away to _someone_? I have been using DNS servers from OpenNIC for sometime now, and I will continue to.

And that is why I&#x27;m using dns over tls :)

Curious how is this different than the similar? issue with Amazon route 53 getting hijacked not too long ago?