Possible BGP hijack

318 points by caaqil about 3 years ago

7 comments

mmaunder about 3 years ago
Prefix 31.148.149.0/24 is normally announced by AS212463, which HE shows belongs to https://dataline.ua/en/, which is a Ukrainian company. https://bgp.he.net/AS35297

It is now being announced by AS35004, which HE shows is Ukrainian hosting provider https://netgroup.ua/

But the "Country of origin" of the AS is listed as Russian, which is perhaps where the confusion comes from. https://bgp.he.net/AS35004

About 95% of new AS35004's traffic goes through this peer (which is Ukrainian): https://bgp.he.net/AS13249

And this peer (which is Ukrainian): https://bgp.he.net/AS3326

Both of which peer with Cogent.

What is interesting is that Cogent today decided to cut service to Russia. https://www.reuters.com/technology/us-firm-cogent-cutting-internet-service-russia-2022-03-04/

If I was an ISP that had networks from UA and RU and my Cogent peering was removed from Russia, I might move some of my traffic through my partner in Ukraine, who does have a peering arrangement with Cogent. I haven't confirmed that is what happened, but you would see this kind of shift, I think, if they did that.

I'm a security guy and not a CCIE so perhaps a Cisco engineer here can weigh in.

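Added example (editor's illustration, not part of the comment above and not any commenter's code): a minimal origin-change check for the prefix and ASNs named in that comment, reporting which upstreams carry the unexpected origin. The observation tuples, collector names and AS64500 are constructed placeholders; the check also flags more-specifics, which goes beyond the single /24 discussed here.

```python
import ipaddress
from collections import Counter

# Expected origin AS per monitored prefix (values from the comment above).
EXPECTED = {ipaddress.ip_network("31.148.149.0/24"): 212463}

# Constructed sample observations: (collector, prefix, AS path with origin last).
# AS64500 is a documentation ASN standing in for the collector's own peer.
SAMPLE = [
    ("rc-a", "31.148.149.0/24", [64500, 13249, 212463]),
    ("rc-b", "31.148.149.0/24", [64500, 13249, 35004]),
    ("rc-c", "31.148.149.0/24", [64500, 3326, 35004, 35004]),  # prepended
    ("rc-d", "31.148.149.0/24", [3326, 35004]),
    ("rc-e", "192.0.2.0/24", [64500]),  # unrelated prefix, ignored
]

def strip_prepends(path):
    """Collapse consecutive duplicate ASNs (AS-path prepending)."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def check(observations, expected=EXPECTED):
    """Return one finding per monitored prefix seen with an unexpected origin."""
    seen = {}  # monitored prefix -> {origin AS: Counter of adjacent upstream AS}
    for _collector, prefix, path in observations:
        net = ipaddress.ip_network(prefix)
        path = strip_prepends(path)
        for mon in expected:
            # Match the prefix itself or a more-specific carved out of it.
            if path and net.version == mon.version and net.subnet_of(mon):
                upstream = path[-2] if len(path) > 1 else None
                seen.setdefault(mon, {}).setdefault(path[-1], Counter())[upstream] += 1
    findings = []
    for mon, origins in seen.items():
        unexpected = {o: dict(c) for o, c in origins.items() if o != expected[mon]}
        if unexpected:
            findings.append({
                "prefix": str(mon),
                "expected_origin": expected[mon],
                "moas": expected[mon] in origins,  # both origins visible at once
                "unexpected": unexpected,
            })
    return findings

print(check(SAMPLE))
```

A finding here is a signal to investigate, not proof of a hijack: a planned re-homing of the prefix produces the same output.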
cjbprime about 3 years ago
ELI5 "in Paw Patrol terms" from Stamos: https://twitter.com/alexstamos/status/1499873636500475904

It might be a false positive: https://twitter.com/mdhardeman/status/1499877247167209480

drglitch about 3 years ago
It is quite plausible that Russia would try to take down parts of Ukraine internet given everything going on.

Alternatively, could simply be someone fat-fingering things, given the insane numbers of blocks that Roskomnadzor has been putting in today (Facebook, Twitter, etc)

throwaway984393 about 3 years ago
Gentle reminder: You can still generate valid TLS certificates for arbitrary domains with BGP hijack. Hide yo logins, hide yo passwords, and hide yo persistent sessions too, they hijackin' errrbudy up in here

thamer about 3 years ago
This says the prefix being announced by two ASNs is only a /24, which is kind of narrow for a hijack? Considering the countries involved, reporting this as a hijack will inevitably lead to people assuming it is related to the current conflict.

samstave about 3 years ago
Is Raleigh Mann not still the canon state of truth on BGP?

jokoon about 3 years ago
I noticed reddit and other big websites were somewhat slower at one point those couple of days... I live in Europe and I wonder...