Search RPD Archives
[rpd] Reserved Space/Available Space and potential hijacking
Fernando Frediani
fhfrediani at gmail.com
Wed Oct 15 12:14:00 UTC 2025
Would it be possible to get detailed information about AfriNic prefixes
that are currently being announced by different ASNs they are linked to
and potentially being used out of the Africa region as well ? That would
be a pretty interesting information to see.
Regards
Fernando
On 10/15/2025 8:40 AM, Andrew Alston wrote:
> Hi Guys,
>
> So - Firstly a few notes on using the code I'm going to paste below.
>
> I created the BGP dump file on a juniper router by running a "show
> route protocol bgp | save bgp.dump.txt" and then copying that dump
> file to my local system from the Juniper router. Note - this produces
> a roughly 400meg file on a full table router and it takes quite a
> while to run the command.
> Then - I used the delegated-afrinic-extended-latest file downloaded
> from the stats ftp server.
>
> In the code below - if you wish to run similar - change the char
> BGP_DUMP[256] and char AFRINIC_EXT[256] global variables to match the
> pathing to the relevant files.
>
> Note that there is some weirdness in this code to deal with endianness
> - and I will openly admit its not the cleanest (or probably most
> efficient) code - but it does work and I've verified the results.
>
> I've pasted the code below the results section.
>
> So - first the results:
>
> Found 824064 total available addresses and 4482304 total reserved
> addresses
> 41.57.124.0/22 <http://41.57.124.0/22> fell between reserved range
> 41.57.124.0 -> 41.57.127.255 [Adding 1024 addresses to potential hijack]
> 41.57.124.0/23 <http://41.57.124.0/23> fell between reserved range
> 41.57.124.0 -> 41.57.127.255 [Adding 512 addresses to potential hijack]
> 41.57.124.0/24 <http://41.57.124.0/24> fell between reserved range
> 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to potential hijack]
> 41.57.125.0/24 <http://41.57.125.0/24> fell between reserved range
> 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to potential hijack]
> 41.57.126.0/24 <http://41.57.126.0/24> fell between reserved range
> 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to potential hijack]
> 41.57.127.0/24 <http://41.57.127.0/24> fell between reserved range
> 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to potential hijack]
> 41.77.64.0/21 <http://41.77.64.0/21> fell between reserved range
> 41.77.64.0 -> 41.77.71.255 [Adding 2048 addresses to potential hijack]
> 41.138.192.0/24 <http://41.138.192.0/24> fell between reserved range
> 41.138.192.0 -> 41.138.223.255 [Adding 256 addresses to potential hijack]
> 41.204.224.0/24 <http://41.204.224.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.225.0/24 <http://41.204.225.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.226.0/24 <http://41.204.226.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.227.0/24 <http://41.204.227.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.228.0/24 <http://41.204.228.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.229.0/24 <http://41.204.229.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.230.0/24 <http://41.204.230.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.231.0/24 <http://41.204.231.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.232.0/24 <http://41.204.232.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.233.0/24 <http://41.204.233.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.234.0/24 <http://41.204.234.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.235.0/24 <http://41.204.235.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.236.0/24 <http://41.204.236.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.237.0/24 <http://41.204.237.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.238.0/24 <http://41.204.238.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.239.0/24 <http://41.204.239.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.240.0/24 <http://41.204.240.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.241.0/24 <http://41.204.241.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.242.0/24 <http://41.204.242.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.243.0/24 <http://41.204.243.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.244.0/24 <http://41.204.244.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.245.0/24 <http://41.204.245.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.246.0/24 <http://41.204.246.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.247.0/24 <http://41.204.247.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.248.0/24 <http://41.204.248.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.249.0/24 <http://41.204.249.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.250.0/24 <http://41.204.250.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.251.0/24 <http://41.204.251.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.254.0/24 <http://41.204.254.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.204.255.0/24 <http://41.204.255.0/24> fell between reserved range
> 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to potential hijack]
> 41.205.224.0/19 <http://41.205.224.0/19> fell between reserved range
> 41.205.224.0 -> 41.205.255.255 [Adding 8192 addresses to potential hijack]
> 41.205.225.0/24 <http://41.205.225.0/24> fell between reserved range
> 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to potential hijack]
> 41.205.232.0/24 <http://41.205.232.0/24> fell between reserved range
> 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to potential hijack]
> 41.205.234.0/24 <http://41.205.234.0/24> fell between reserved range
> 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to potential hijack]
> 41.205.235.0/24 <http://41.205.235.0/24> fell between reserved range
> 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to potential hijack]
> 41.205.237.0/24 <http://41.205.237.0/24> fell between reserved range
> 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to potential hijack]
> 41.205.238.0/24 <http://41.205.238.0/24> fell between reserved range
> 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to potential hijack]
> 41.205.239.0/24 <http://41.205.239.0/24> fell between reserved range
> 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to potential hijack]
> 41.220.48.0/20 <http://41.220.48.0/20> fell between reserved range
> 41.220.48.0 -> 41.220.63.255 [Adding 4096 addresses to potential hijack]
> 80.88.6.0/24 <http://80.88.6.0/24> fell between reserved range
> 80.88.6.0 -> 80.88.6.255 [Adding 256 addresses to potential hijack]
> 102.128.74.0/24 <http://102.128.74.0/24> fell between reserved range
> 102.128.72.0 -> 102.128.75.255 [Adding 256 addresses to potential hijack]
> 102.135.164.0/24 <http://102.135.164.0/24> fell between reserved range
> 102.135.164.0 -> 102.135.167.255 [Adding 256 addresses to potential
> hijack]
> 102.135.165.0/24 <http://102.135.165.0/24> fell between reserved range
> 102.135.164.0 -> 102.135.167.255 [Adding 256 addresses to potential
> hijack]
> 102.135.166.0/24 <http://102.135.166.0/24> fell between reserved range
> 102.135.164.0 -> 102.135.167.255 [Adding 256 addresses to potential
> hijack]
> 102.219.128.0/24 <http://102.219.128.0/24> fell between reserved range
> 102.219.128.0 -> 102.219.131.255 [Adding 256 addresses to potential
> hijack]
> 102.219.129.0/24 <http://102.219.129.0/24> fell between reserved range
> 102.219.128.0 -> 102.219.131.255 [Adding 256 addresses to potential
> hijack]
> 102.219.130.0/24 <http://102.219.130.0/24> fell between reserved range
> 102.219.128.0 -> 102.219.131.255 [Adding 256 addresses to potential
> hijack]
> 102.221.148.0/22 <http://102.221.148.0/22> fell between reserved range
> 102.221.144.0 -> 102.221.151.255 [Adding 1024 addresses to potential
> hijack]
> 156.0.254.0/24 <http://156.0.254.0/24> fell between reserved range
> 156.0.254.0 -> 156.0.254.255 [Adding 256 addresses to potential hijack]
> 160.119.208.0/24 <http://160.119.208.0/24> fell between reserved range
> 160.119.208.0 -> 160.119.211.255 [Adding 256 addresses to potential
> hijack]
> 160.119.209.0/24 <http://160.119.209.0/24> fell between reserved range
> 160.119.208.0 -> 160.119.211.255 [Adding 256 addresses to potential
> hijack]
> 164.160.192.0/21 <http://164.160.192.0/21> fell between reserved range
> 164.160.192.0 -> 164.160.223.255 [Adding 2048 addresses to potential
> hijack]
> 169.255.164.0/22 <http://169.255.164.0/22> fell between reserved range
> 169.255.164.0 -> 169.255.167.255 [Adding 1024 addresses to potential
> hijack]
> 193.188.7.0/24 <http://193.188.7.0/24> fell between reserved range
> 193.188.7.0 -> 193.188.7.255 [Adding 256 addresses to potential hijack]
> 196.13.203.0/24 <http://196.13.203.0/24> fell between reserved range
> 196.13.203.0 -> 196.13.203.255 [Adding 256 addresses to potential hijack]
> 196.20.60.0/24 <http://196.20.60.0/24> fell between reserved range
> 196.20.32.0 -> 196.20.63.255 [Adding 256 addresses to potential hijack]
> 196.20.61.0/24 <http://196.20.61.0/24> fell between reserved range
> 196.20.32.0 -> 196.20.63.255 [Adding 256 addresses to potential hijack]
> 196.20.62.0/24 <http://196.20.62.0/24> fell between reserved range
> 196.20.32.0 -> 196.20.63.255 [Adding 256 addresses to potential hijack]
> 196.41.74.0/24 <http://196.41.74.0/24> fell between reserved range
> 196.41.74.0 -> 196.41.74.255 [Adding 256 addresses to potential hijack]
> 196.43.252.0/24 <http://196.43.252.0/24> fell between reserved range
> 196.43.252.0 -> 196.43.252.255 [Adding 256 addresses to potential hijack]
> 196.46.18.0/24 <http://196.46.18.0/24> fell between reserved range
> 196.46.18.0 -> 196.46.19.255 [Adding 256 addresses to potential hijack]
> 196.46.19.0/24 <http://196.46.19.0/24> fell between reserved range
> 196.46.18.0 -> 196.46.19.255 [Adding 256 addresses to potential hijack]
> 196.46.152.0/24 <http://196.46.152.0/24> fell between reserved range
> 196.46.152.0 -> 196.46.159.255 [Adding 256 addresses to potential hijack]
> 196.46.153.0/24 <http://196.46.153.0/24> fell between reserved range
> 196.46.152.0 -> 196.46.159.255 [Adding 256 addresses to potential hijack]
> 196.46.154.0/23 <http://196.46.154.0/23> fell between reserved range
> 196.46.152.0 -> 196.46.159.255 [Adding 512 addresses to potential hijack]
> 196.50.21.0/24 <http://196.50.21.0/24> fell between reserved range
> 196.50.21.0 -> 196.50.21.255 [Adding 256 addresses to potential hijack]
> 196.53.113.0/24 <http://196.53.113.0/24> fell between reserved range
> 196.52.0.0 -> 196.55.255.255 [Adding 256 addresses to potential hijack]
> 196.54.72.0/23 <http://196.54.72.0/23> fell between reserved range
> 196.52.0.0 -> 196.55.255.255 [Adding 512 addresses to potential hijack]
> 196.55.102.0/23 <http://196.55.102.0/23> fell between reserved range
> 196.52.0.0 -> 196.55.255.255 [Adding 512 addresses to potential hijack]
> 196.63.243.0/24 <http://196.63.243.0/24> fell between reserved range
> 196.62.0.0 -> 196.63.255.255 [Adding 256 addresses to potential hijack]
> 196.195.4.0/24 <http://196.195.4.0/24> fell between reserved range
> 196.194.0.0 -> 196.195.255.255 [Adding 256 addresses to potential hijack]
> 196.195.15.0/24 <http://196.195.15.0/24> fell between reserved range
> 196.194.0.0 -> 196.195.255.255 [Adding 256 addresses to potential hijack]
> 196.195.253.0/24 <http://196.195.253.0/24> fell between reserved range
> 196.194.0.0 -> 196.195.255.255 [Adding 256 addresses to potential hijack]
> 197.157.200.0/22 <http://197.157.200.0/22> fell between reserved range
> 197.157.200.0 -> 197.157.203.255 [Adding 1024 addresses to potential
> hijack]
> 197.231.248.0/22 <http://197.231.248.0/22> fell between reserved range
> 197.231.248.0 -> 197.231.251.255 [Adding 1024 addresses to potential
> hijack]
> 197.231.248.0/24 <http://197.231.248.0/24> fell between reserved range
> 197.231.248.0 -> 197.231.251.255 [Adding 256 addresses to potential
> hijack]
> 197.231.249.0/24 <http://197.231.249.0/24> fell between reserved range
> 197.231.248.0 -> 197.231.251.255 [Adding 256 addresses to potential
> hijack]
> 197.231.250.0/24 <http://197.231.250.0/24> fell between reserved range
> 197.231.248.0 -> 197.231.251.255 [Adding 256 addresses to potential
> hijack]
> 197.231.251.0/24 <http://197.231.251.0/24> fell between reserved range
> 197.231.248.0 -> 197.231.251.255 [Adding 256 addresses to potential
> hijack]
> 197.234.208.0/24 <http://197.234.208.0/24> fell between reserved range
> 197.234.208.0 -> 197.234.215.255 [Adding 256 addresses to potential
> hijack]
> 212.12.224.0/24 <http://212.12.224.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.225.0/24 <http://212.12.225.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.226.0/24 <http://212.12.226.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.227.0/24 <http://212.12.227.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.229.0/24 <http://212.12.229.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.231.0/24 <http://212.12.231.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.232.0/24 <http://212.12.232.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.233.0/24 <http://212.12.233.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.234.0/24 <http://212.12.234.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.235.0/24 <http://212.12.235.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.236.0/24 <http://212.12.236.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.237.0/24 <http://212.12.237.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.238.0/24 <http://212.12.238.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.239.0/24 <http://212.12.239.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.240.0/24 <http://212.12.240.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.241.0/24 <http://212.12.241.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.242.0/24 <http://212.12.242.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.243.0/24 <http://212.12.243.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.244.0/24 <http://212.12.244.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.245.0/24 <http://212.12.245.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.246.0/24 <http://212.12.246.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.247.0/24 <http://212.12.247.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.248.0/24 <http://212.12.248.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.249.0/24 <http://212.12.249.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.250.0/24 <http://212.12.250.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.251.0/24 <http://212.12.251.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.252.0/24 <http://212.12.252.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.254.0/24 <http://212.12.254.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> 212.12.255.0/24 <http://212.12.255.0/24> fell between reserved range
> 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to potential hijack]
> Found 50176 potentially hijacked addresses
>
> --- Below here is the code (I didn't know if I could send attachments
> to the RPD list so I just pasted the code straight) ---
>
> //
> // main.c
> // AfrinicAudit
> //
> // Created by Andrew Alston on 15/10/2025.
> // Code is considered open use with no restrictions.
> //
>
> #include <stdlib.h>
> #include <stdio.h>
> #include <string.h>
> #include <arpa/inet.h>
>
> char BGP_DUMP[256] = "/Users/aalston/audit/bgp.dump.txt";
> char AFRINIC_EXT[256] =
> "/Users/aalston/audit/delegated-afrinic-extended-latest";
>
> struct routes {
> unsigned int network;
> unsigned int broadcast;
> unsigned int mask;
> unsigned short cidr;
> };
>
> struct audit {
> struct routes *dfz;
> int dfz_count;
> struct routes *reserved;
> int total_resv;
> int rc;
> struct routes *available;
> int total_avail;
> int ac;
> };
>
> int parse_afrinic_extended(char *afext, struct audit *output) {
> FILE *dump = fopen(afext, "r");
> if(!dump)
> return -1;
> char buffer[1024] = {0};
> char *delim;
> output->rc = 0;
> while(fgets(buffer, 1024, dump)) {
> if(strstr(buffer, "ZZ") && strstr(buffer, "reserved") &&
> strstr(buffer, "ipv4")) {
> output->rc++;
> }
> }
> output->reserved = calloc(output->rc, sizeof(struct routes));
> if(!output->reserved)
> return -1;
> output->rc = 0;
> struct routes *resv = output->reserved;
> rewind(dump);
> while(fgets(buffer, 1024, dump)) {
> if(strstr(buffer, "ZZ") && strstr(buffer, "reserved") &&
> strstr(buffer, "ipv4")) {
> delim = strtok(buffer, "|");
> for(int i = 0; i < 3; i++)
> delim = strtok(NULL, "|");
> inet_pton(AF_INET, delim, &resv[output->rc].network);
> resv[output->rc].network =
> __builtin_bswap32(resv[output->rc].network);
> delim = strtok(NULL, "|");
> unsigned int addr_count = atoi(delim);
> output->total_resv += addr_count;
> resv[output->rc].broadcast =
> resv[output->rc].network+(addr_count-1);
> resv[output->rc].network =
> __builtin_bswap32(resv[output->rc].network);
> resv[output->rc].broadcast =
> __builtin_bswap32(resv[output->rc].broadcast);
> resv[output->rc].mask = ~__builtin_bswap32((unsigned
> int)addr_count-1);
> output->rc++;
> }
> }
> rewind(dump);
> while(fgets(buffer, 1024, dump)) {
> if(strstr(buffer, "ZZ") && strstr(buffer, "available") &&
> strstr(buffer, "ipv4")) {
> output->ac++;
> }
> }
> output->available = calloc(output->ac, sizeof(struct routes));
> if(!output->available)
> return -1;
> struct routes *avail = output->available;
> rewind(dump);
> while(fgets(buffer, 1024, dump)) {
> if(strstr(buffer, "ZZ") && strstr(buffer, "available") &&
> strstr(buffer, "ipv4")) {
> delim = strtok(buffer, "|");
> for(int i = 0; i < 3; i++)
> delim = strtok(NULL, "|");
> inet_pton(AF_INET, delim, &avail[output->ac].network);
> avail[output->ac].network =
> __builtin_bswap32(avail[output->ac].network);
> delim = strtok(NULL, "|");
> unsigned int addr_count = atoi(delim);
> output->total_avail += addr_count;
> avail[output->ac].broadcast =
> avail[output->ac].network+(addr_count-1);
> avail[output->ac].mask = ~__builtin_bswap32((unsigned
> int)addr_count-1);
> output->ac++;
> }
> }
> fclose(dump);
> return 0;
> }
>
> int parse_dfz(char *dfz_dump, struct audit *output) {
> FILE *dump = fopen(dfz_dump, "r");
> char buffer[1024] = {0};
> int rc = 0, mult = 0, cidr = 0;
> char *delim;
> if(!dump) {
> return -1;
> }
> while(fgets(buffer, 1024, dump)) {
> if(buffer[0] >= '1' && buffer[0] <= '9' && strtok(buffer, "/")
> && strchr(buffer, '.')) {
> rc++;
> }
> }
> output->dfz = calloc(rc, sizeof(struct routes));
> output->dfz_count = rc;
> if(!output->dfz) {
> return -1;
> }
> rewind(dump);
> rc = 0;
> while(fgets(buffer, 1024, dump)) {
> if(buffer[0] >= '1' && buffer[0] <= '9') {
> cidr = 0;
> delim = strtok(buffer, "/");
> delim = strtok(NULL, "/");
> if(!delim) {
> memset(buffer, 0, 1024);
> continue;
> }
> mult = 1;
> for(int i = 0; i < 3; i++) {
> if(delim[i] >= '0' && delim[i] <= '9') {
> cidr = cidr * mult+(9-('9'-delim[i]));
> mult*=10;
> }
> }
> delim = strchr(buffer, '.');
> if(!delim) {
> memset(buffer, 0, 1024);
> continue;
> }
> output->dfz[rc].cidr = cidr;
> inet_pton(AF_INET, buffer, &output->dfz[rc].network);
> output->dfz[rc].cidr = cidr;
> output->dfz[rc].network = __builtin_bswap32((unsigned
> int)output->dfz[rc].network);
> output->dfz[rc].mask = (~(unsigned int)0) << (32-cidr);
> output->dfz[rc].broadcast = output->dfz[rc].network +
> ((~(unsigned int)0) >> cidr);
> output->dfz[rc].network = __builtin_bswap32((unsigned
> int)output->dfz[rc].network);
> output->dfz[rc].broadcast = __builtin_bswap32((unsigned
> int)output->dfz[rc].broadcast);
> rc++;
> memset(buffer, 0, 1024);
> }
> }
> fclose(dump);
> return 0;
> }
>
> int audit_reserved(struct audit *data) {
> int hijack_count = 0;
> for(int i = 0; i < data->dfz_count; i++) {
> unsigned int dfz_net = __builtin_bswap32((unsigned
> int)data->dfz[i].network);
> unsigned int dfz_bcast = __builtin_bswap32((unsigned
> int)data->dfz[i].broadcast);
> for(int r = 0; r < data->rc; r++) {
> unsigned int resv_net = __builtin_bswap32((unsigned
> int)data->reserved[r].network);
> unsigned int resv_bcast = __builtin_bswap32((unsigned
> int)data->reserved[r].broadcast);
> if(dfz_net >= resv_net && dfz_net <= resv_bcast) {
> hijack_count += ((dfz_bcast-dfz_net)+1);
> char dfz_route[INET_ADDRSTRLEN] = {0};
> char resv_network[INET_ADDRSTRLEN] = {0};
> char resv_broadcast[INET_ADDRSTRLEN] = {0};
> inet_ntop(AF_INET, &data->dfz[i].network, dfz_route,
> INET_ADDRSTRLEN);
> inet_ntop(AF_INET, &data->reserved[r].network,
> resv_network, INET_ADDRSTRLEN);
> inet_ntop(AF_INET, &data->reserved[r].broadcast,
> resv_broadcast, INET_ADDRSTRLEN);
> printf("%s/%d fell between reserved range %s -> %s
> [Adding %d addresses to potential hijack]\n",
> dfz_route, data->dfz[i].cidr, resv_network,
> resv_broadcast, (dfz_bcast-dfz_net)+1);
> }
> }
> for(int a = 0; a < data->ac; a++) {
> unsigned int avail_net = __builtin_bswap32((unsigned
> int)data->available[a].network);
> unsigned int avail_bcast = __builtin_bswap32((unsigned
> int)data->available[a].broadcast);
> if(dfz_net >= data->available[a].network && dfz_net <=
> data->available[a].broadcast) {
> hijack_count +=
> ((data->available[a].broadcast-data->available[a].network)+1);
> char dfz_route[INET_ADDRSTRLEN] = {0};
> char avail_network[INET_ADDRSTRLEN] = {0};
> char avail_broadcast[INET_ADDRSTRLEN] = {0};
> inet_ntop(AF_INET, &data->dfz[i].network, dfz_route,
> INET_ADDRSTRLEN);
> inet_ntop(AF_INET, &avail_net, avail_network,
> INET_ADDRSTRLEN);
> inet_ntop(AF_INET, &avail_bcast, avail_broadcast,
> INET_ADDRSTRLEN);
> printf("%s/%d fell between available range %s ->
> %s\n", dfz_route, data->dfz[i].cidr, avail_network, avail_broadcast);
> }
> }
> }
> printf("Found %d potentially hijacked addresses\n", hijack_count);
> return 0;
> }
>
> int main(int argc, const char * argv[]) {
> struct audit data = {0};
> if(parse_dfz(BGP_DUMP, &data))
> return EXIT_FAILURE;
> if(parse_afrinic_extended(AFRINIC_EXT, &data))
> return EXIT_FAILURE;
> printf("Found %d total available addresses and %d total reserved
> addresses\n", data.total_avail, data.total_resv);
> audit_reserved(&data);
> return EXIT_SUCCESS;
> }
>
> _______________________________________________
> RPD mailing list
> RPD at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/rpd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20251015/447ba97a/attachment-0001.html>
More information about the RPD
mailing list