Search RPD Archives
[rpd] Reserved Space/Available Space and potential hijacking
Jaco Kroon
jaco at uls.co.za
Thu Oct 16 07:01:55 UTC 2025
Hi,
Two notes from my side:
1. Isn't this (in part) what the whole AS0 policy was about? Such that
space that's reserved/not issued by Afrinic can be protected? (Having
inherited previously abused space ... I'm 100% behind such a policy).
2. Whilst I agree with Andrew that it's difficult to determine the
exact Geographical location of originations, and I like his concept of
looking at reserved/available ASNs, I do think something that makes an
equal amount of sense is to get an idea of the space issued to an org
not originated by that org ... there are legitimate cases (eg, we
originate space on behalf of one of our customers, used exclusively by
that client), so I'm more interested in cases like "space issued to org
X originated from Y non-X ASNs" (ie, don't count space where both the
ASN and the space is assigned to the same ORG). As concrete examples:
154.73.32.0/22 => org: ORG-ULSC1-AFRINIC
AS327767 => org: ORG-ULSC1-AFRINIC
That need not be counted.
102.214.182.0/23 => 102.214.180.0/22 => org: ORG-DCC1-AFRINIC
AS327767 => org: ORG-ULSC1-AFRINIC
Count these cases, and group by ORG. So the above would result in:
ORG-DCC1-AFRINIC originates 1 prefix from 1 alternative ASN.
Andrew - I'd be happy to assist with some code for counting this if you
throw the base on github and don't mind making that dump of yours for
the DFZ data available.
Kind regards,
Jaco
On 2025/10/15 14:35, Fernando Frediani wrote:
>
> Yeah it could be, but I would say that alone is already something that
> can bring attention to resources because it is not what is widely
> expected. I would easily believe that a fair amount of space announce
> by other ASNs other than the one linked to it in the whois may not be
> what was desired or justified at the same resources were allocated.
> There are valid examples as you mentioned, but I would say they are
> the fewer.
>
> I think the most important in this context is find out if the
> resources are being use in Africa or not which it is slightly more
> complex to asses than matching with whois data.
>
> Fernando
>
> On 10/15/2025 9:24 AM, Andrew Alston wrote:
>> Hi Fernando,
>>
>> It's unfortunately extremely difficult to do this - because while an
>> ASN may be allocated by AfriNIC it could be announced from anywhere,
>> and even in the case of where an ASN is allocated by RIPE, it may be
>> used in Africa to announce AfriNIC space (Liquid Telecom is an
>> example of this, where 30844 is a RIPE ASN but almost all the space
>> under it is afrinic allocated and announced in Africa).
>>
>> It would be possible to extend the code I wrote to show the source
>> ASN of the prefix's that are reserved - and then potentially to match
>> that against other AfriNIC data to show who the ASN is owned by (if
>> the ASN itself is allocated, in my verification I found that many of
>> these prefix's are being announced by ASN's that are marked as
>> available or reserved)
>>
>> I will see what I can do about adding that extra code at some point
>> when I find the time.
>>
>> Thanks
>>
>> Andrew
>>
>>
>> On Wed, Oct 15, 2025 at 3:14 PM Fernando Frediani
>> <fhfrediani at gmail.com> wrote:
>>
>> Would it be possible to get detailed information about AfriNic
>> prefixes that are currently being announced by different ASNs
>> they are linked to and potentially being used out of the Africa
>> region as well ? That would be a pretty interesting information
>> to see.
>>
>> Regards
>> Fernando
>>
>> On 10/15/2025 8:40 AM, Andrew Alston wrote:
>>> Hi Guys,
>>>
>>> So - Firstly a few notes on using the code I'm going to paste below.
>>>
>>> I created the BGP dump file on a juniper router by running a
>>> "show route protocol bgp | save bgp.dump.txt" and then copying
>>> that dump file to my local system from the Juniper router. Note
>>> - this produces a roughly 400meg file on a full table router and
>>> it takes quite a while to run the command.
>>> Then - I used the delegated-afrinic-extended-latest file
>>> downloaded from the stats ftp server.
>>>
>>> In the code below - if you wish to run similar - change the char
>>> BGP_DUMP[256] and char AFRINIC_EXT[256] global variables to
>>> match the pathing to the relevant files.
>>>
>>> Note that there is some weirdness in this code to deal with
>>> endianness - and I will openly admit its not the cleanest (or
>>> probably most efficient) code - but it does work and I've
>>> verified the results.
>>>
>>> I've pasted the code below the results section.
>>>
>>> So - first the results:
>>>
>>> Found 824064 total available addresses and 4482304 total
>>> reserved addresses
>>> 41.57.124.0/22 <http://41.57.124.0/22> fell between reserved
>>> range 41.57.124.0 -> 41.57.127.255 [Adding 1024 addresses to
>>> potential hijack]
>>> 41.57.124.0/23 <http://41.57.124.0/23> fell between reserved
>>> range 41.57.124.0 -> 41.57.127.255 [Adding 512 addresses to
>>> potential hijack]
>>> 41.57.124.0/24 <http://41.57.124.0/24> fell between reserved
>>> range 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.57.125.0/24 <http://41.57.125.0/24> fell between reserved
>>> range 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.57.126.0/24 <http://41.57.126.0/24> fell between reserved
>>> range 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.57.127.0/24 <http://41.57.127.0/24> fell between reserved
>>> range 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.77.64.0/21 <http://41.77.64.0/21> fell between reserved range
>>> 41.77.64.0 -> 41.77.71.255 [Adding 2048 addresses to potential
>>> hijack]
>>> 41.138.192.0/24 <http://41.138.192.0/24> fell between reserved
>>> range 41.138.192.0 -> 41.138.223.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.224.0/24 <http://41.204.224.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.225.0/24 <http://41.204.225.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.226.0/24 <http://41.204.226.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.227.0/24 <http://41.204.227.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.228.0/24 <http://41.204.228.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.229.0/24 <http://41.204.229.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.230.0/24 <http://41.204.230.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.231.0/24 <http://41.204.231.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.232.0/24 <http://41.204.232.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.233.0/24 <http://41.204.233.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.234.0/24 <http://41.204.234.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.235.0/24 <http://41.204.235.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.236.0/24 <http://41.204.236.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.237.0/24 <http://41.204.237.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.238.0/24 <http://41.204.238.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.239.0/24 <http://41.204.239.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.240.0/24 <http://41.204.240.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.241.0/24 <http://41.204.241.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.242.0/24 <http://41.204.242.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.243.0/24 <http://41.204.243.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.244.0/24 <http://41.204.244.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.245.0/24 <http://41.204.245.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.246.0/24 <http://41.204.246.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.247.0/24 <http://41.204.247.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.248.0/24 <http://41.204.248.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.249.0/24 <http://41.204.249.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.250.0/24 <http://41.204.250.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.251.0/24 <http://41.204.251.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.254.0/24 <http://41.204.254.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.204.255.0/24 <http://41.204.255.0/24> fell between reserved
>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.205.224.0/19 <http://41.205.224.0/19> fell between reserved
>>> range 41.205.224.0 -> 41.205.255.255 [Adding 8192 addresses to
>>> potential hijack]
>>> 41.205.225.0/24 <http://41.205.225.0/24> fell between reserved
>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.205.232.0/24 <http://41.205.232.0/24> fell between reserved
>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.205.234.0/24 <http://41.205.234.0/24> fell between reserved
>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.205.235.0/24 <http://41.205.235.0/24> fell between reserved
>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.205.237.0/24 <http://41.205.237.0/24> fell between reserved
>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.205.238.0/24 <http://41.205.238.0/24> fell between reserved
>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.205.239.0/24 <http://41.205.239.0/24> fell between reserved
>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 41.220.48.0/20 <http://41.220.48.0/20> fell between reserved
>>> range 41.220.48.0 -> 41.220.63.255 [Adding 4096 addresses to
>>> potential hijack]
>>> 80.88.6.0/24 <http://80.88.6.0/24> fell between reserved range
>>> 80.88.6.0 -> 80.88.6.255 [Adding 256 addresses to potential hijack]
>>> 102.128.74.0/24 <http://102.128.74.0/24> fell between reserved
>>> range 102.128.72.0 -> 102.128.75.255 [Adding 256 addresses to
>>> potential hijack]
>>> 102.135.164.0/24 <http://102.135.164.0/24> fell between reserved
>>> range 102.135.164.0 -> 102.135.167.255 [Adding 256 addresses to
>>> potential hijack]
>>> 102.135.165.0/24 <http://102.135.165.0/24> fell between reserved
>>> range 102.135.164.0 -> 102.135.167.255 [Adding 256 addresses to
>>> potential hijack]
>>> 102.135.166.0/24 <http://102.135.166.0/24> fell between reserved
>>> range 102.135.164.0 -> 102.135.167.255 [Adding 256 addresses to
>>> potential hijack]
>>> 102.219.128.0/24 <http://102.219.128.0/24> fell between reserved
>>> range 102.219.128.0 -> 102.219.131.255 [Adding 256 addresses to
>>> potential hijack]
>>> 102.219.129.0/24 <http://102.219.129.0/24> fell between reserved
>>> range 102.219.128.0 -> 102.219.131.255 [Adding 256 addresses to
>>> potential hijack]
>>> 102.219.130.0/24 <http://102.219.130.0/24> fell between reserved
>>> range 102.219.128.0 -> 102.219.131.255 [Adding 256 addresses to
>>> potential hijack]
>>> 102.221.148.0/22 <http://102.221.148.0/22> fell between reserved
>>> range 102.221.144.0 -> 102.221.151.255 [Adding 1024 addresses to
>>> potential hijack]
>>> 156.0.254.0/24 <http://156.0.254.0/24> fell between reserved
>>> range 156.0.254.0 -> 156.0.254.255 [Adding 256 addresses to
>>> potential hijack]
>>> 160.119.208.0/24 <http://160.119.208.0/24> fell between reserved
>>> range 160.119.208.0 -> 160.119.211.255 [Adding 256 addresses to
>>> potential hijack]
>>> 160.119.209.0/24 <http://160.119.209.0/24> fell between reserved
>>> range 160.119.208.0 -> 160.119.211.255 [Adding 256 addresses to
>>> potential hijack]
>>> 164.160.192.0/21 <http://164.160.192.0/21> fell between reserved
>>> range 164.160.192.0 -> 164.160.223.255 [Adding 2048 addresses to
>>> potential hijack]
>>> 169.255.164.0/22 <http://169.255.164.0/22> fell between reserved
>>> range 169.255.164.0 -> 169.255.167.255 [Adding 1024 addresses to
>>> potential hijack]
>>> 193.188.7.0/24 <http://193.188.7.0/24> fell between reserved
>>> range 193.188.7.0 -> 193.188.7.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.13.203.0/24 <http://196.13.203.0/24> fell between reserved
>>> range 196.13.203.0 -> 196.13.203.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.20.60.0/24 <http://196.20.60.0/24> fell between reserved
>>> range 196.20.32.0 -> 196.20.63.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.20.61.0/24 <http://196.20.61.0/24> fell between reserved
>>> range 196.20.32.0 -> 196.20.63.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.20.62.0/24 <http://196.20.62.0/24> fell between reserved
>>> range 196.20.32.0 -> 196.20.63.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.41.74.0/24 <http://196.41.74.0/24> fell between reserved
>>> range 196.41.74.0 -> 196.41.74.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.43.252.0/24 <http://196.43.252.0/24> fell between reserved
>>> range 196.43.252.0 -> 196.43.252.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.46.18.0/24 <http://196.46.18.0/24> fell between reserved
>>> range 196.46.18.0 -> 196.46.19.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.46.19.0/24 <http://196.46.19.0/24> fell between reserved
>>> range 196.46.18.0 -> 196.46.19.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.46.152.0/24 <http://196.46.152.0/24> fell between reserved
>>> range 196.46.152.0 -> 196.46.159.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.46.153.0/24 <http://196.46.153.0/24> fell between reserved
>>> range 196.46.152.0 -> 196.46.159.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.46.154.0/23 <http://196.46.154.0/23> fell between reserved
>>> range 196.46.152.0 -> 196.46.159.255 [Adding 512 addresses to
>>> potential hijack]
>>> 196.50.21.0/24 <http://196.50.21.0/24> fell between reserved
>>> range 196.50.21.0 -> 196.50.21.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.53.113.0/24 <http://196.53.113.0/24> fell between reserved
>>> range 196.52.0.0 -> 196.55.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.54.72.0/23 <http://196.54.72.0/23> fell between reserved
>>> range 196.52.0.0 -> 196.55.255.255 [Adding 512 addresses to
>>> potential hijack]
>>> 196.55.102.0/23 <http://196.55.102.0/23> fell between reserved
>>> range 196.52.0.0 -> 196.55.255.255 [Adding 512 addresses to
>>> potential hijack]
>>> 196.63.243.0/24 <http://196.63.243.0/24> fell between reserved
>>> range 196.62.0.0 -> 196.63.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.195.4.0/24 <http://196.195.4.0/24> fell between reserved
>>> range 196.194.0.0 -> 196.195.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.195.15.0/24 <http://196.195.15.0/24> fell between reserved
>>> range 196.194.0.0 -> 196.195.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 196.195.253.0/24 <http://196.195.253.0/24> fell between reserved
>>> range 196.194.0.0 -> 196.195.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 197.157.200.0/22 <http://197.157.200.0/22> fell between reserved
>>> range 197.157.200.0 -> 197.157.203.255 [Adding 1024 addresses to
>>> potential hijack]
>>> 197.231.248.0/22 <http://197.231.248.0/22> fell between reserved
>>> range 197.231.248.0 -> 197.231.251.255 [Adding 1024 addresses to
>>> potential hijack]
>>> 197.231.248.0/24 <http://197.231.248.0/24> fell between reserved
>>> range 197.231.248.0 -> 197.231.251.255 [Adding 256 addresses to
>>> potential hijack]
>>> 197.231.249.0/24 <http://197.231.249.0/24> fell between reserved
>>> range 197.231.248.0 -> 197.231.251.255 [Adding 256 addresses to
>>> potential hijack]
>>> 197.231.250.0/24 <http://197.231.250.0/24> fell between reserved
>>> range 197.231.248.0 -> 197.231.251.255 [Adding 256 addresses to
>>> potential hijack]
>>> 197.231.251.0/24 <http://197.231.251.0/24> fell between reserved
>>> range 197.231.248.0 -> 197.231.251.255 [Adding 256 addresses to
>>> potential hijack]
>>> 197.234.208.0/24 <http://197.234.208.0/24> fell between reserved
>>> range 197.234.208.0 -> 197.234.215.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.224.0/24 <http://212.12.224.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.225.0/24 <http://212.12.225.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.226.0/24 <http://212.12.226.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.227.0/24 <http://212.12.227.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.229.0/24 <http://212.12.229.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.231.0/24 <http://212.12.231.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.232.0/24 <http://212.12.232.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.233.0/24 <http://212.12.233.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.234.0/24 <http://212.12.234.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.235.0/24 <http://212.12.235.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.236.0/24 <http://212.12.236.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.237.0/24 <http://212.12.237.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.238.0/24 <http://212.12.238.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.239.0/24 <http://212.12.239.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.240.0/24 <http://212.12.240.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.241.0/24 <http://212.12.241.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.242.0/24 <http://212.12.242.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.243.0/24 <http://212.12.243.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.244.0/24 <http://212.12.244.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.245.0/24 <http://212.12.245.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.246.0/24 <http://212.12.246.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.247.0/24 <http://212.12.247.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.248.0/24 <http://212.12.248.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.249.0/24 <http://212.12.249.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.250.0/24 <http://212.12.250.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.251.0/24 <http://212.12.251.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.252.0/24 <http://212.12.252.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.254.0/24 <http://212.12.254.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> 212.12.255.0/24 <http://212.12.255.0/24> fell between reserved
>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>> potential hijack]
>>> Found 50176 potentially hijacked addresses
>>>
>>> --- Below here is the code (I didn't know if I could send
>>> attachments to the RPD list so I just pasted the code straight) ---
>>>
>>> //
>>> // main.c
>>> // AfrinicAudit
>>> //
>>> // Created by Andrew Alston on 15/10/2025.
>>> // Code is considered open use with no restrictions.
>>> //
>>>
>>> #include <stdlib.h>
>>> #include <stdio.h>
>>> #include <string.h>
>>> #include <arpa/inet.h>
>>>
>>> char BGP_DUMP[256] = "/Users/aalston/audit/bgp.dump.txt";
>>> char AFRINIC_EXT[256] =
>>> "/Users/aalston/audit/delegated-afrinic-extended-latest";
>>>
>>> struct routes {
>>> unsigned int network;
>>> unsigned int broadcast;
>>> unsigned int mask;
>>> unsigned short cidr;
>>> };
>>>
>>> struct audit {
>>> struct routes *dfz;
>>> int dfz_count;
>>> struct routes *reserved;
>>> int total_resv;
>>> int rc;
>>> struct routes *available;
>>> int total_avail;
>>> int ac;
>>> };
>>>
>>> int parse_afrinic_extended(char *afext, struct audit *output) {
>>> FILE *dump = fopen(afext, "r");
>>> if(!dump)
>>> return -1;
>>> char buffer[1024] = {0};
>>> char *delim;
>>> output->rc = 0;
>>> while(fgets(buffer, 1024, dump)) {
>>> if(strstr(buffer, "ZZ") && strstr(buffer, "reserved") &&
>>> strstr(buffer, "ipv4")) {
>>> output->rc++;
>>> }
>>> }
>>> output->reserved = calloc(output->rc, sizeof(struct routes));
>>> if(!output->reserved)
>>> return -1;
>>> output->rc = 0;
>>> struct routes *resv = output->reserved;
>>> rewind(dump);
>>> while(fgets(buffer, 1024, dump)) {
>>> if(strstr(buffer, "ZZ") && strstr(buffer, "reserved") &&
>>> strstr(buffer, "ipv4")) {
>>> delim = strtok(buffer, "|");
>>> for(int i = 0; i < 3; i++)
>>> delim = strtok(NULL, "|");
>>> inet_pton(AF_INET, delim, &resv[output->rc].network);
>>> resv[output->rc].network =
>>> __builtin_bswap32(resv[output->rc].network);
>>> delim = strtok(NULL, "|");
>>> unsigned int addr_count = atoi(delim);
>>> output->total_resv += addr_count;
>>> resv[output->rc].broadcast =
>>> resv[output->rc].network+(addr_count-1);
>>> resv[output->rc].network =
>>> __builtin_bswap32(resv[output->rc].network);
>>> resv[output->rc].broadcast =
>>> __builtin_bswap32(resv[output->rc].broadcast);
>>> resv[output->rc].mask = ~__builtin_bswap32((unsigned
>>> int)addr_count-1);
>>> output->rc++;
>>> }
>>> }
>>> rewind(dump);
>>> while(fgets(buffer, 1024, dump)) {
>>> if(strstr(buffer, "ZZ") && strstr(buffer, "available")
>>> && strstr(buffer, "ipv4")) {
>>> output->ac++;
>>> }
>>> }
>>> output->available = calloc(output->ac, sizeof(struct routes));
>>> if(!output->available)
>>> return -1;
>>> struct routes *avail = output->available;
>>> rewind(dump);
>>> while(fgets(buffer, 1024, dump)) {
>>> if(strstr(buffer, "ZZ") && strstr(buffer, "available")
>>> && strstr(buffer, "ipv4")) {
>>> delim = strtok(buffer, "|");
>>> for(int i = 0; i < 3; i++)
>>> delim = strtok(NULL, "|");
>>> inet_pton(AF_INET, delim, &avail[output->ac].network);
>>> avail[output->ac].network =
>>> __builtin_bswap32(avail[output->ac].network);
>>> delim = strtok(NULL, "|");
>>> unsigned int addr_count = atoi(delim);
>>> output->total_avail += addr_count;
>>> avail[output->ac].broadcast =
>>> avail[output->ac].network+(addr_count-1);
>>> avail[output->ac].mask =
>>> ~__builtin_bswap32((unsigned int)addr_count-1);
>>> output->ac++;
>>> }
>>> }
>>> fclose(dump);
>>> return 0;
>>> }
>>>
>>> int parse_dfz(char *dfz_dump, struct audit *output) {
>>> FILE *dump = fopen(dfz_dump, "r");
>>> char buffer[1024] = {0};
>>> int rc = 0, mult = 0, cidr = 0;
>>> char *delim;
>>> if(!dump) {
>>> return -1;
>>> }
>>> while(fgets(buffer, 1024, dump)) {
>>> if(buffer[0] >= '1' && buffer[0] <= '9' &&
>>> strtok(buffer, "/") && strchr(buffer, '.')) {
>>> rc++;
>>> }
>>> }
>>> output->dfz = calloc(rc, sizeof(struct routes));
>>> output->dfz_count = rc;
>>> if(!output->dfz) {
>>> return -1;
>>> }
>>> rewind(dump);
>>> rc = 0;
>>> while(fgets(buffer, 1024, dump)) {
>>> if(buffer[0] >= '1' && buffer[0] <= '9') {
>>> cidr = 0;
>>> delim = strtok(buffer, "/");
>>> delim = strtok(NULL, "/");
>>> if(!delim) {
>>> memset(buffer, 0, 1024);
>>> continue;
>>> }
>>> mult = 1;
>>> for(int i = 0; i < 3; i++) {
>>> if(delim[i] >= '0' && delim[i] <= '9') {
>>> cidr = cidr * mult+(9-('9'-delim[i]));
>>> mult*=10;
>>> }
>>> }
>>> delim = strchr(buffer, '.');
>>> if(!delim) {
>>> memset(buffer, 0, 1024);
>>> continue;
>>> }
>>> output->dfz[rc].cidr = cidr;
>>> inet_pton(AF_INET, buffer, &output->dfz[rc].network);
>>> output->dfz[rc].cidr = cidr;
>>> output->dfz[rc].network =
>>> __builtin_bswap32((unsigned int)output->dfz[rc].network);
>>> output->dfz[rc].mask = (~(unsigned int)0) << (32-cidr);
>>> output->dfz[rc].broadcast = output->dfz[rc].network
>>> + ((~(unsigned int)0) >> cidr);
>>> output->dfz[rc].network =
>>> __builtin_bswap32((unsigned int)output->dfz[rc].network);
>>> output->dfz[rc].broadcast =
>>> __builtin_bswap32((unsigned int)output->dfz[rc].broadcast);
>>> rc++;
>>> memset(buffer, 0, 1024);
>>> }
>>> }
>>> fclose(dump);
>>> return 0;
>>> }
>>>
>>> int audit_reserved(struct audit *data) {
>>> int hijack_count = 0;
>>> for(int i = 0; i < data->dfz_count; i++) {
>>> unsigned int dfz_net = __builtin_bswap32((unsigned
>>> int)data->dfz[i].network);
>>> unsigned int dfz_bcast = __builtin_bswap32((unsigned
>>> int)data->dfz[i].broadcast);
>>> for(int r = 0; r < data->rc; r++) {
>>> unsigned int resv_net = __builtin_bswap32((unsigned
>>> int)data->reserved[r].network);
>>> unsigned int resv_bcast =
>>> __builtin_bswap32((unsigned int)data->reserved[r].broadcast);
>>> if(dfz_net >= resv_net && dfz_net <= resv_bcast) {
>>> hijack_count += ((dfz_bcast-dfz_net)+1);
>>> char dfz_route[INET_ADDRSTRLEN] = {0};
>>> char resv_network[INET_ADDRSTRLEN] = {0};
>>> char resv_broadcast[INET_ADDRSTRLEN] = {0};
>>> inet_ntop(AF_INET, &data->dfz[i].network,
>>> dfz_route, INET_ADDRSTRLEN);
>>> inet_ntop(AF_INET, &data->reserved[r].network,
>>> resv_network, INET_ADDRSTRLEN);
>>> inet_ntop(AF_INET, &data->reserved[r].broadcast,
>>> resv_broadcast, INET_ADDRSTRLEN);
>>> printf("%s/%d fell between reserved range %s ->
>>> %s [Adding %d addresses to potential hijack]\n",
>>> dfz_route, data->dfz[i].cidr,
>>> resv_network, resv_broadcast, (dfz_bcast-dfz_net)+1);
>>> }
>>> }
>>> for(int a = 0; a < data->ac; a++) {
>>> unsigned int avail_net = __builtin_bswap32((unsigned
>>> int)data->available[a].network);
>>> unsigned int avail_bcast =
>>> __builtin_bswap32((unsigned int)data->available[a].broadcast);
>>> if(dfz_net >= data->available[a].network && dfz_net
>>> <= data->available[a].broadcast) {
>>> hijack_count +=
>>> ((data->available[a].broadcast-data->available[a].network)+1);
>>> char dfz_route[INET_ADDRSTRLEN] = {0};
>>> char avail_network[INET_ADDRSTRLEN] = {0};
>>> char avail_broadcast[INET_ADDRSTRLEN] = {0};
>>> inet_ntop(AF_INET, &data->dfz[i].network,
>>> dfz_route, INET_ADDRSTRLEN);
>>> inet_ntop(AF_INET, &avail_net, avail_network,
>>> INET_ADDRSTRLEN);
>>> inet_ntop(AF_INET, &avail_bcast,
>>> avail_broadcast, INET_ADDRSTRLEN);
>>> printf("%s/%d fell between available range %s ->
>>> %s\n", dfz_route, data->dfz[i].cidr, avail_network,
>>> avail_broadcast);
>>> }
>>> }
>>> }
>>> printf("Found %d potentially hijacked addresses\n",
>>> hijack_count);
>>> return 0;
>>> }
>>>
>>> int main(int argc, const char * argv[]) {
>>> struct audit data = {0};
>>> if(parse_dfz(BGP_DUMP, &data))
>>> return EXIT_FAILURE;
>>> if(parse_afrinic_extended(AFRINIC_EXT, &data))
>>> return EXIT_FAILURE;
>>> printf("Found %d total available addresses and %d total
>>> reserved addresses\n", data.total_avail, data.total_resv);
>>> audit_reserved(&data);
>>> return EXIT_SUCCESS;
>>> }
>>>
>>> _______________________________________________
>>> RPD mailing list
>>> RPD at afrinic.net
>>> https://lists.afrinic.net/mailman/listinfo/rpd
>> _______________________________________________
>> RPD mailing list
>> RPD at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/rpd
>>
>
> _______________________________________________
> RPD mailing list
> RPD at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/rpd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20251016/74037828/attachment-0001.html>
More information about the RPD
mailing list