<div dir="auto"><div dir="auto">Hi, all communities </div><div dir="auto"><br></div><div dir="auto"><div dir="auto">It was said that the hijacking of AS37353 was a configuration mistake, coupled with poor oversight in checking the right to use of the ASN by a certain IPDC customer. </div><div dir="auto"><br></div><div dir="auto">It was also said that this would have been facilitated by old and stalled IRR objects from MacroLAN before the service contract ended in December 2019. </div><div dir="auto"><br></div><div dir="auto">It was also stated that the BGP announcement was stopped and some actions taken to delete the stalled routing registry object from IRR. </div><div dir="auto"><br></div><div dir="auto">Below are some data which gives some extra information and confirm previous claim that this incident was not accidental. </div><div dir="auto"><br></div><div dir="auto">NB: All data are collected from their source, Today, 28 May 2020, at 10:00 UTC. </div><div dir="auto"><br></div><div dir="auto">IRRs created in March 2020 with AS37353 as Origin for <a href="http://156.241.3.0/24">156.241.3.0/24</a> by HGC </div><div dir="auto"><br></div><div dir="auto"> $ whois -h <a href="http://whois.radb.net">whois.radb.net</a> '<a href="http://156.241.3.0/24">156.241.3.0/24</a>' </div><div dir="auto"><br></div><div dir="auto">route: <a href="http://156.241.3.0/24">156.241.3.0/24</a> descr: Proxy-registered route object origin: AS37353 notify: <a href="mailto:matthew.chan@hgc.com.hk">matthew.chan@hgc.com.hk</a> mnt-by: MAINT-HGC-INTL changed: <a href="mailto:matthew.chan@hgc.com.hk">matthew.chan@hgc.com.hk</a> 20200304 source: RADB </div><div dir="auto"><br></div><div dir="auto">===== </div><div dir="auto">route: <a href="http://156.241.3.0/24">156.241.3.0/24</a> </div><div dir="auto">descr: Proxy-registered route object origin: AS37353 </div><div dir="auto">remarks: This is a HGC customer route-object </div><div dir="auto">remarks: which is being exported under this origin AS. </div><div dir="auto">remarks: </div><div dir="auto">remarks: This route object was created because no existing remarks: route object with the same origin was found. </div><div dir="auto">remarks: </div><div dir="auto">remarks: Please contact <a href="mailto:radb@hutchcity.com">radb@hutchcity.com</a> if you have any remarks: questions regarding this object. </div><div dir="auto">notify: <a href="mailto:radb@hutchcity.com">radb@hutchcity.com</a> </div><div dir="auto">mnt-by: MAINT-AS9304 </div><div dir="auto">changed: <a href="mailto:radb@hutchcity.com">radb@hutchcity.com</a> 20200304 </div><div dir="auto">source: NTTCOM </div><div dir="auto">====</div><div dir="auto"><br></div><div dir="auto"><a href="https://www.radb.net/query?advanced_query=1&keywords=156.241.3.0%2F24&-T+option=&ip_option=&-i+option=">https://www.radb.net/query?advanced_query=1&keywords=156.241.3.0%2F24&-T+option=&ip_option=&-i+option=</a></div><div dir="auto"><br></div><div dir="auto">These objects havent been deleted. </div><div dir="auto"><br></div><div dir="auto">An in-depth check of the routing status of <a href="http://156.241.3.0/24">156.241.3.0/24</a> shows the followings: </div><div dir="auto"><br></div><div dir="auto">Hurricane Electric BGP tool </div><div dir="auto"><br></div><div dir="auto"><a href="https://bgp.he.net/net/156.241.3.0/24">https://bgp.he.net/net/156.241.3.0/24</a> </div><div dir="auto"><br></div><div dir="auto">Origin AS Announcement Description AS37353 <a href="http://156.241.3.0/24">156.241.3.0/24</a> IRR Valid HONGKONG LINK INFINITY TECHNOLOGY LIMITED </div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">RIPESTAT </div><div dir="auto"><br></div><div dir="auto"><a href="https://stat.ripe.net/widget/looking-glass#w.resource=156.241.3.0%2F24">https://stat.ripe.net/widget/looking-glass#w.resource=156.241.3.0%2F24</a></div><div dir="auto"><br></div><div dir="auto">AS37353 is seen as the origin by 1 peer.</div><div dir="auto"><br></div><div dir="auto">103.200.115.1 ►103.200.115.1 is announcing route AS64271 AS9304 AS4809 AS4809 AS4809 AS134190 AS37353. </div><div dir="auto"><br></div><div dir="auto">Even with the limited view, the prefix is still being originated and routed and the route objects still exist. </div><div dir="auto"><br></div><div dir="auto">Regards </div><div dir="auto"><br></div><div dir="auto">--</div><div dir="auto">Arnaud </div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le sam. 9 mai 2020 à 10:02, Lu Heng <<a href="mailto:h.lu@anytimechinese.com">h.lu@anytimechinese.com</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Due to size of attachment the attachment is not in this list, but you may easily find in all the others.</div><div><br></div><div>To whom it may concern,<div><br></div><div>On May 8, Mark Think posted a claim to multiple lists that Cloud Innovation was abusing an ASN (37353) that didn’t belong to them (Cloud Innovation) but rather belonged to Seacom through their acquisition of MacroLAN.</div><div><br></div><div>While we regret this unfortunate incident, Mark’s claims that it was criminal or bad netizenship on the part of Cloud Innovation is without foundation and utterly incorrect.</div><div><br></div><div><div style="font-family:Lato;font-size:14px">As shown below in the attached document from Paul Wollner(Ex-CTO of Macrolan who created IRR routes to allow Macrolan to announce Cloud Innovation's prefix); letter from Link Infinity International Ltd. (Link Infinity), A customer of Cloud Innovation; and attached LOA from LARUS authorizing IPDC Solutions to announce the prefix with origin AS134190. And a Letter from IPDC. This was an innocent mistake committed by third parties and had nothing to do with any action by Cloud Innovation or LARUS.</div></div></div></div><div><div><div style="font-family:Lato;font-size:14px"><br></div><div style="font-family:Lato;font-size:14px">Here’s what happened:<br></div><div style="font-family:Lato;font-size:14px"><br></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:Lato;font-size:14px">Cloud Innovation delegated a /24 to Link Infinity, an ISP in December 2019.</div></div></blockquote></div><div><br></div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div>Link Infinity further delegated that same /24 to IPDC and asked Cloud innovation to issue an LOA, which we did. The LOA specifically required IPDC to use its own ASN to announce the space (AS134190).</div><div style="font-family:Lato;font-size:14px"><br></div></blockquote><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:Lato;font-size:14px">IPDC subsequently authorized one of its customers to use the said prefix.</div></div></blockquote><div><div style="font-family:Lato;font-size:14px"><br></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:Lato;font-size:14px">For reasons still unknown to Cloud Innovation, IPDC and their customer set up a BGP session wherein their customer used AS37353 as the origin to advertise prefix <a href="http://156.241.3.0/24" target="_blank" rel="noreferrer">156.241.3.0/24</a>.</div></div></blockquote><div><div style="font-family:Lato;font-size:14px"><br></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style="font-family:Lato;font-size:14px">Upon discovering the announcement, rather than contact Cloud Innovation, Mark contacted IPDC who provided him with an incomplete explanation blaming their customer and Mark, not realizing that Cloud Innovation was not the customer in question posted far and wide about the event. It is unclear to us why he chose to do this rather than contact us to try and resolve the issue.</div></div></blockquote><div><div style="font-family:Lato;font-size:14px"><br></div><div style="font-family:Lato;font-size:14px">A contributing factor to the erroneous BGP configuration by IPDC's customer may have been data contained in some outdated IRR route objects for <a href="http://156.241.0.0/16" target="_blank" rel="noreferrer">156.241.0.0/16</a> which have subsequently been deleted.</div><div style="font-family:Lato;font-size:14px"><br></div><div style="font-family:Lato;font-size:14px">As soon as we became aware of the problem (via Mark’s email), we began to investigate the situation. As soon as it was clear that this was the result of third-party actions, we reached out to Mark privately to let him know what we knew and that we were still investigating. We delayed making a public statement in order to try and ascertain all of the facts of the situation. We prefer not to make public statements based on incomplete information.</div><div style="font-family:Lato;font-size:14px"><br></div><div style="font-family:Lato;font-size:14px">We apologize to the community for our small part in this unfortunate incident and assure you that we work very hard to remain good netizens and will address any concerns promptly when they come to our attention.</div><div style="font-family:Lato;font-size:14px"><br></div><div style="font-family:Lato;font-size:14px"><br></div><div style="font-family:Lato;font-size:14px">Sincerely,<br></div><div style="font-family:Lato;font-size:14px"><br></div><div style="font-family:Lato;font-size:14px">Lu Heng<br></div><div style="font-family:Lato;font-size:14px">CEO<br></div><div style="font-family:Lato;font-size:14px">Cloud Innovations<br></div></div><div><br></div></div></div>Attached:<div><span style="white-space:pre-wrap"> </span>1.<span style="white-space:pre-wrap"> </span>Letter from Paul Wollner</div><div><span style="white-space:pre-wrap"> </span>2.<span style="white-space:pre-wrap"> </span>Letter from Link Infinity</div><div><span style="white-space:pre-wrap"> </span>3.<span style="white-space:pre-wrap"> </span>LOA Issued to IPDC Solutions for announcing <a href="http://156.241.3.0/24" target="_blank" rel="noreferrer">156.241.3.0/24</a> from AS134190</div><div> 4. Letter from IPDC</div><div><br></div><div>FYI: LARUS is proving IP management service for Cloud Innovation, while LARUS is also providing IP management service to other third parties in all regions, for full disclosure, LARUS and Cloud Innovation are headed by same CEO.</div><div><br></div><div>Content of those letters have been posted here for your convince:</div><div><br></div><div><div><b>IPDC:</b></div><div><b><br></b></div><font color="#888888"><div><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)">FOR IMMEDIATE RELEASE [Perusal of Cloud Innovation Ltd]</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)">IPDC Solutions Pte Ltd (IPDC) is a customer of Cloud Innovation Ltd and over the course of our corporate relationship we were given the authority to use address block <a href="http://156.241.3.0/24" target="_blank" rel="noreferrer">156.241.3.0/24</a> since 9th December 2019. </p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)">On 12th December 2019, we have delegated that address block to our client. Following which our client further instructed us to announce the prefix with AS37353. In good will after minimal verification through WHOIS’ IP Prefix we have proceeded to execute our client’s request. </p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)">On 7th May 2020 IPDC was then contacted by SEACOM, the legitimate holder of record for that ASN and have since learned that the customer’s use of that ASN was erroneous and not permitted by SEACOM and immediate action has been taken to rectify this situation. </p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)">IPDC would like to apologize for our lack of attention in conducting thorough verification and wish to highlight that the involvement of Cloud Innovation Ltd in the entire process was providing the addresses to us and that we truly apologize as we understand that this incident may have indirectly implicated Cloud Innovation Ltd. </p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)">IPDC however, does not wish to disclose our client information and our client information shall remain confidential under present circumstances. Once again, we apologize for our shortcomings. <br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><b>Link Infinity:</b></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)">To whom it may concern,<br><br>We at HK Infinity International Ltd are a customer of Cloud Innovation and in the course received rights to use <a href="http://156.241.3.0/24" target="_blank" rel="noreferrer">156.241.3.0/24</a> from them. Beginning December, 2019, we delegated the right to announce this prefix to IPDC Solutions Pte Ltd. (IPDC). We asked Cloud Innovation to provide an LOA authorizing them to announce the space which was subsequently received. IPDC subsequently and without our knowledge delegated this space to one of their customers and allowed them to originate it from AS37353.<br><br>This announcement was not authorized by us, nor is it permitted by the LOA provided by Cloud Innovation.<br><br>Unfortunately, we were not aware of the situation until after it had already been resolved.<br><br>It was never our intent to violate the LOA or to allow the prefix to be announced from a hijacked ASN. We do not condone this and apologize sincerely to the community for what has happened here.<br><br>Sincere Apologies,<br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><b>Paul Wollner:</b></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)">8 May 2020<br><br>TO WHOM IT MAY CONCERN <br><br>In the light of the recent email on NAPAfrica mailing list, I would just like to clear the air. </p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><br>The IP route objects were created by myself for Cloud Innovation when they signed up as a client of Macrolan ( now SEACOM) as they didn't have their own AS.<br><br>At the time I was working for Macrolan (now SEACOM). I left the employment of SEACOM in October 2019.<br><br>It appears that when Cloud Innovation's contract with SEACOM came to an end, the route objects were never cleaned up.<br><br>This occurred after I left SEACOM's employment. Since leaving, I have no access to these objects.<br><br>Regards<br><br>Paul Wollner<br>082-786-9776<br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Times;color:rgb(0,0,0)"><br></p></div></font></div><div><br></div>-- <br><div dir="ltr" data-smartmail="gmail_signature"><div dir="ltr"><div>--<br>Kind regards.<br>Lu<br><br></div></div></div></div>
_______________________________________________<br>
RPKI-Discuss mailing list<br>
<a href="mailto:RPKI-Discuss@afrinic.net" target="_blank" rel="noreferrer">RPKI-Discuss@afrinic.net</a><br>
<a href="https://lists.afrinic.net/mailman/listinfo/rpki-discuss" rel="noreferrer noreferrer" target="_blank">https://lists.afrinic.net/mailman/listinfo/rpki-discuss</a><br>
</blockquote></div>