Search RPD Archives
[rpd] Reserved Space/Available Space and potential hijacking
Jaco Kroon
jaco at uls.co.za
Thu Oct 16 19:08:37 UTC 2025
Hi,
> Your count of two prefixes originated by a different AS counts a /22
> superset and a /23 more specific in the same block. Perhaps we should
> only count the largest aggregates (minimum equivalent prefixes)
> announced by each non-matching ASN.
Sorry if I was unclear. We originate the /23, but it forms part of the
larger /22, so the /23 should get counted here, but yes, if we also
originated the two /24s or one of them only, all of that since it's more
specifics of the /23 should only be counted once, so you're still right
in that only the largest aggregates should be counted.
>
> As you pointed out, there are plenty of legitimate cases for this. For
> example, some ISPs will issue space to multi-homed customers who will
> then originate more specifics assigned to them from their own ASN
> while the covering aggregate would be announced by the ISP, but not
> the more specifics.
I'd like to get an idea of prevalent this really is.
Kind regards,
Jaco
>
> Owen
>
>
>> On Oct 16, 2025, at 00:03, Jaco Kroon <jaco at uls.co.za> wrote:
>>
>>
>>
>> Hi,
>>
>> Two notes from my side:
>>
>> 1. Isn't this (in part) what the whole AS0 policy was about? Such
>> that space that's reserved/not issued by Afrinic can be protected?
>> (Having inherited previously abused space ... I'm 100% behind such a
>> policy).
>>
>> 2. Whilst I agree with Andrew that it's difficult to determine the
>> exact Geographical location of originations, and I like his concept
>> of looking at reserved/available ASNs, I do think something that
>> makes an equal amount of sense is to get an idea of the space issued
>> to an org not originated by that org ... there are legitimate cases
>> (eg, we originate space on behalf of one of our customers, used
>> exclusively by that client), so I'm more interested in cases like
>> "space issued to org X originated from Y non-X ASNs" (ie, don't count
>> space where both the ASN and the space is assigned to the same ORG).
>> As concrete examples:
>>
>> 154.73.32.0/22 => org: ORG-ULSC1-AFRINIC
>> AS327767 => org: ORG-ULSC1-AFRINIC
>>
>> That need not be counted.
>>
>> 102.214.182.0/23 => 102.214.180.0/22 => org: ORG-DCC1-AFRINIC
>> AS327767 => org: ORG-ULSC1-AFRINIC
>>
>> Count these cases, and group by ORG. So the above would result in:
>>
>> ORG-DCC1-AFRINIC originates 1 prefix from 1 alternative ASN.
>>
>> Andrew - I'd be happy to assist with some code for counting this if
>> you throw the base on github and don't mind making that dump of yours
>> for the DFZ data available.
>>
>> Kind regards,
>> Jaco
>>
>> On 2025/10/15 14:35, Fernando Frediani wrote:
>>>
>>> Yeah it could be, but I would say that alone is already something
>>> that can bring attention to resources because it is not what is
>>> widely expected. I would easily believe that a fair amount of space
>>> announce by other ASNs other than the one linked to it in the whois
>>> may not be what was desired or justified at the same resources were
>>> allocated. There are valid examples as you mentioned, but I would
>>> say they are the fewer.
>>>
>>> I think the most important in this context is find out if the
>>> resources are being use in Africa or not which it is slightly more
>>> complex to asses than matching with whois data.
>>>
>>> Fernando
>>>
>>> On 10/15/2025 9:24 AM, Andrew Alston wrote:
>>>> Hi Fernando,
>>>>
>>>> It's unfortunately extremely difficult to do this - because while
>>>> an ASN may be allocated by AfriNIC it could be announced from
>>>> anywhere, and even in the case of where an ASN is allocated by
>>>> RIPE, it may be used in Africa to announce AfriNIC space (Liquid
>>>> Telecom is an example of this, where 30844 is a RIPE ASN but almost
>>>> all the space under it is afrinic allocated and announced in Africa).
>>>>
>>>> It would be possible to extend the code I wrote to show the source
>>>> ASN of the prefix's that are reserved - and then potentially to
>>>> match that against other AfriNIC data to show who the ASN is owned
>>>> by (if the ASN itself is allocated, in my verification I found that
>>>> many of these prefix's are being announced by ASN's that are marked
>>>> as available or reserved)
>>>>
>>>> I will see what I can do about adding that extra code at some point
>>>> when I find the time.
>>>>
>>>> Thanks
>>>>
>>>> Andrew
>>>>
>>>>
>>>> On Wed, Oct 15, 2025 at 3:14 PM Fernando Frediani
>>>> <fhfrediani at gmail.com> wrote:
>>>>
>>>> Would it be possible to get detailed information about AfriNic
>>>> prefixes that are currently being announced by different ASNs
>>>> they are linked to and potentially being used out of the Africa
>>>> region as well ? That would be a pretty interesting information
>>>> to see.
>>>>
>>>> Regards
>>>> Fernando
>>>>
>>>> On 10/15/2025 8:40 AM, Andrew Alston wrote:
>>>>> Hi Guys,
>>>>>
>>>>> So - Firstly a few notes on using the code I'm going to paste
>>>>> below.
>>>>>
>>>>> I created the BGP dump file on a juniper router by running a
>>>>> "show route protocol bgp | save bgp.dump.txt" and then copying
>>>>> that dump file to my local system from the Juniper router.
>>>>> Note - this produces a roughly 400meg file on a full table
>>>>> router and it takes quite a while to run the command.
>>>>> Then - I used the delegated-afrinic-extended-latest file
>>>>> downloaded from the stats ftp server.
>>>>>
>>>>> In the code below - if you wish to run similar - change the
>>>>> char BGP_DUMP[256] and char AFRINIC_EXT[256] global variables
>>>>> to match the pathing to the relevant files.
>>>>>
>>>>> Note that there is some weirdness in this code to deal with
>>>>> endianness - and I will openly admit its not the cleanest (or
>>>>> probably most efficient) code - but it does work and I've
>>>>> verified the results.
>>>>>
>>>>> I've pasted the code below the results section.
>>>>>
>>>>> So - first the results:
>>>>>
>>>>> Found 824064 total available addresses and 4482304 total
>>>>> reserved addresses
>>>>> 41.57.124.0/22 <http://41.57.124.0/22> fell between reserved
>>>>> range 41.57.124.0 -> 41.57.127.255 [Adding 1024 addresses to
>>>>> potential hijack]
>>>>> 41.57.124.0/23 <http://41.57.124.0/23> fell between reserved
>>>>> range 41.57.124.0 -> 41.57.127.255 [Adding 512 addresses to
>>>>> potential hijack]
>>>>> 41.57.124.0/24 <http://41.57.124.0/24> fell between reserved
>>>>> range 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.57.125.0/24 <http://41.57.125.0/24> fell between reserved
>>>>> range 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.57.126.0/24 <http://41.57.126.0/24> fell between reserved
>>>>> range 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.57.127.0/24 <http://41.57.127.0/24> fell between reserved
>>>>> range 41.57.124.0 -> 41.57.127.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.77.64.0/21 <http://41.77.64.0/21> fell between reserved
>>>>> range 41.77.64.0 -> 41.77.71.255 [Adding 2048 addresses to
>>>>> potential hijack]
>>>>> 41.138.192.0/24 <http://41.138.192.0/24> fell between reserved
>>>>> range 41.138.192.0 -> 41.138.223.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.224.0/24 <http://41.204.224.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.225.0/24 <http://41.204.225.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.226.0/24 <http://41.204.226.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.227.0/24 <http://41.204.227.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.228.0/24 <http://41.204.228.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.229.0/24 <http://41.204.229.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.230.0/24 <http://41.204.230.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.231.0/24 <http://41.204.231.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.232.0/24 <http://41.204.232.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.233.0/24 <http://41.204.233.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.234.0/24 <http://41.204.234.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.235.0/24 <http://41.204.235.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.236.0/24 <http://41.204.236.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.237.0/24 <http://41.204.237.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.238.0/24 <http://41.204.238.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.239.0/24 <http://41.204.239.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.240.0/24 <http://41.204.240.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.241.0/24 <http://41.204.241.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.242.0/24 <http://41.204.242.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.243.0/24 <http://41.204.243.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.244.0/24 <http://41.204.244.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.245.0/24 <http://41.204.245.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.246.0/24 <http://41.204.246.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.247.0/24 <http://41.204.247.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.248.0/24 <http://41.204.248.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.249.0/24 <http://41.204.249.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.250.0/24 <http://41.204.250.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.251.0/24 <http://41.204.251.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.254.0/24 <http://41.204.254.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.204.255.0/24 <http://41.204.255.0/24> fell between reserved
>>>>> range 41.204.224.0 -> 41.204.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.205.224.0/19 <http://41.205.224.0/19> fell between reserved
>>>>> range 41.205.224.0 -> 41.205.255.255 [Adding 8192 addresses to
>>>>> potential hijack]
>>>>> 41.205.225.0/24 <http://41.205.225.0/24> fell between reserved
>>>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.205.232.0/24 <http://41.205.232.0/24> fell between reserved
>>>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.205.234.0/24 <http://41.205.234.0/24> fell between reserved
>>>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.205.235.0/24 <http://41.205.235.0/24> fell between reserved
>>>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.205.237.0/24 <http://41.205.237.0/24> fell between reserved
>>>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.205.238.0/24 <http://41.205.238.0/24> fell between reserved
>>>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.205.239.0/24 <http://41.205.239.0/24> fell between reserved
>>>>> range 41.205.224.0 -> 41.205.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 41.220.48.0/20 <http://41.220.48.0/20> fell between reserved
>>>>> range 41.220.48.0 -> 41.220.63.255 [Adding 4096 addresses to
>>>>> potential hijack]
>>>>> 80.88.6.0/24 <http://80.88.6.0/24> fell between reserved range
>>>>> 80.88.6.0 -> 80.88.6.255 [Adding 256 addresses to potential
>>>>> hijack]
>>>>> 102.128.74.0/24 <http://102.128.74.0/24> fell between reserved
>>>>> range 102.128.72.0 -> 102.128.75.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 102.135.164.0/24 <http://102.135.164.0/24> fell between
>>>>> reserved range 102.135.164.0 -> 102.135.167.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 102.135.165.0/24 <http://102.135.165.0/24> fell between
>>>>> reserved range 102.135.164.0 -> 102.135.167.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 102.135.166.0/24 <http://102.135.166.0/24> fell between
>>>>> reserved range 102.135.164.0 -> 102.135.167.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 102.219.128.0/24 <http://102.219.128.0/24> fell between
>>>>> reserved range 102.219.128.0 -> 102.219.131.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 102.219.129.0/24 <http://102.219.129.0/24> fell between
>>>>> reserved range 102.219.128.0 -> 102.219.131.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 102.219.130.0/24 <http://102.219.130.0/24> fell between
>>>>> reserved range 102.219.128.0 -> 102.219.131.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 102.221.148.0/22 <http://102.221.148.0/22> fell between
>>>>> reserved range 102.221.144.0 -> 102.221.151.255 [Adding 1024
>>>>> addresses to potential hijack]
>>>>> 156.0.254.0/24 <http://156.0.254.0/24> fell between reserved
>>>>> range 156.0.254.0 -> 156.0.254.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 160.119.208.0/24 <http://160.119.208.0/24> fell between
>>>>> reserved range 160.119.208.0 -> 160.119.211.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 160.119.209.0/24 <http://160.119.209.0/24> fell between
>>>>> reserved range 160.119.208.0 -> 160.119.211.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 164.160.192.0/21 <http://164.160.192.0/21> fell between
>>>>> reserved range 164.160.192.0 -> 164.160.223.255 [Adding 2048
>>>>> addresses to potential hijack]
>>>>> 169.255.164.0/22 <http://169.255.164.0/22> fell between
>>>>> reserved range 169.255.164.0 -> 169.255.167.255 [Adding 1024
>>>>> addresses to potential hijack]
>>>>> 193.188.7.0/24 <http://193.188.7.0/24> fell between reserved
>>>>> range 193.188.7.0 -> 193.188.7.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.13.203.0/24 <http://196.13.203.0/24> fell between reserved
>>>>> range 196.13.203.0 -> 196.13.203.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.20.60.0/24 <http://196.20.60.0/24> fell between reserved
>>>>> range 196.20.32.0 -> 196.20.63.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.20.61.0/24 <http://196.20.61.0/24> fell between reserved
>>>>> range 196.20.32.0 -> 196.20.63.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.20.62.0/24 <http://196.20.62.0/24> fell between reserved
>>>>> range 196.20.32.0 -> 196.20.63.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.41.74.0/24 <http://196.41.74.0/24> fell between reserved
>>>>> range 196.41.74.0 -> 196.41.74.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.43.252.0/24 <http://196.43.252.0/24> fell between reserved
>>>>> range 196.43.252.0 -> 196.43.252.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.46.18.0/24 <http://196.46.18.0/24> fell between reserved
>>>>> range 196.46.18.0 -> 196.46.19.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.46.19.0/24 <http://196.46.19.0/24> fell between reserved
>>>>> range 196.46.18.0 -> 196.46.19.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.46.152.0/24 <http://196.46.152.0/24> fell between reserved
>>>>> range 196.46.152.0 -> 196.46.159.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.46.153.0/24 <http://196.46.153.0/24> fell between reserved
>>>>> range 196.46.152.0 -> 196.46.159.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.46.154.0/23 <http://196.46.154.0/23> fell between reserved
>>>>> range 196.46.152.0 -> 196.46.159.255 [Adding 512 addresses to
>>>>> potential hijack]
>>>>> 196.50.21.0/24 <http://196.50.21.0/24> fell between reserved
>>>>> range 196.50.21.0 -> 196.50.21.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.53.113.0/24 <http://196.53.113.0/24> fell between reserved
>>>>> range 196.52.0.0 -> 196.55.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.54.72.0/23 <http://196.54.72.0/23> fell between reserved
>>>>> range 196.52.0.0 -> 196.55.255.255 [Adding 512 addresses to
>>>>> potential hijack]
>>>>> 196.55.102.0/23 <http://196.55.102.0/23> fell between reserved
>>>>> range 196.52.0.0 -> 196.55.255.255 [Adding 512 addresses to
>>>>> potential hijack]
>>>>> 196.63.243.0/24 <http://196.63.243.0/24> fell between reserved
>>>>> range 196.62.0.0 -> 196.63.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.195.4.0/24 <http://196.195.4.0/24> fell between reserved
>>>>> range 196.194.0.0 -> 196.195.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.195.15.0/24 <http://196.195.15.0/24> fell between reserved
>>>>> range 196.194.0.0 -> 196.195.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 196.195.253.0/24 <http://196.195.253.0/24> fell between
>>>>> reserved range 196.194.0.0 -> 196.195.255.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 197.157.200.0/22 <http://197.157.200.0/22> fell between
>>>>> reserved range 197.157.200.0 -> 197.157.203.255 [Adding 1024
>>>>> addresses to potential hijack]
>>>>> 197.231.248.0/22 <http://197.231.248.0/22> fell between
>>>>> reserved range 197.231.248.0 -> 197.231.251.255 [Adding 1024
>>>>> addresses to potential hijack]
>>>>> 197.231.248.0/24 <http://197.231.248.0/24> fell between
>>>>> reserved range 197.231.248.0 -> 197.231.251.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 197.231.249.0/24 <http://197.231.249.0/24> fell between
>>>>> reserved range 197.231.248.0 -> 197.231.251.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 197.231.250.0/24 <http://197.231.250.0/24> fell between
>>>>> reserved range 197.231.248.0 -> 197.231.251.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 197.231.251.0/24 <http://197.231.251.0/24> fell between
>>>>> reserved range 197.231.248.0 -> 197.231.251.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 197.234.208.0/24 <http://197.234.208.0/24> fell between
>>>>> reserved range 197.234.208.0 -> 197.234.215.255 [Adding 256
>>>>> addresses to potential hijack]
>>>>> 212.12.224.0/24 <http://212.12.224.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.225.0/24 <http://212.12.225.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.226.0/24 <http://212.12.226.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.227.0/24 <http://212.12.227.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.229.0/24 <http://212.12.229.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.231.0/24 <http://212.12.231.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.232.0/24 <http://212.12.232.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.233.0/24 <http://212.12.233.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.234.0/24 <http://212.12.234.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.235.0/24 <http://212.12.235.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.236.0/24 <http://212.12.236.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.237.0/24 <http://212.12.237.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.238.0/24 <http://212.12.238.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.239.0/24 <http://212.12.239.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.240.0/24 <http://212.12.240.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.241.0/24 <http://212.12.241.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.242.0/24 <http://212.12.242.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.243.0/24 <http://212.12.243.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.244.0/24 <http://212.12.244.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.245.0/24 <http://212.12.245.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.246.0/24 <http://212.12.246.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.247.0/24 <http://212.12.247.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.248.0/24 <http://212.12.248.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.249.0/24 <http://212.12.249.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.250.0/24 <http://212.12.250.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.251.0/24 <http://212.12.251.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.252.0/24 <http://212.12.252.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.254.0/24 <http://212.12.254.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> 212.12.255.0/24 <http://212.12.255.0/24> fell between reserved
>>>>> range 212.12.224.0 -> 212.12.255.255 [Adding 256 addresses to
>>>>> potential hijack]
>>>>> Found 50176 potentially hijacked addresses
>>>>>
>>>>> --- Below here is the code (I didn't know if I could send
>>>>> attachments to the RPD list so I just pasted the code
>>>>> straight) ---
>>>>>
>>>>> //
>>>>> // main.c
>>>>> // AfrinicAudit
>>>>> //
>>>>> // Created by Andrew Alston on 15/10/2025.
>>>>> // Code is considered open use with no restrictions.
>>>>> //
>>>>>
>>>>> #include <stdlib.h>
>>>>> #include <stdio.h>
>>>>> #include <string.h>
>>>>> #include <arpa/inet.h>
>>>>>
>>>>> char BGP_DUMP[256] = "/Users/aalston/audit/bgp.dump.txt";
>>>>> char AFRINIC_EXT[256] =
>>>>> "/Users/aalston/audit/delegated-afrinic-extended-latest";
>>>>>
>>>>> struct routes {
>>>>> unsigned int network;
>>>>> unsigned int broadcast;
>>>>> unsigned int mask;
>>>>> unsigned short cidr;
>>>>> };
>>>>>
>>>>> struct audit {
>>>>> struct routes *dfz;
>>>>> int dfz_count;
>>>>> struct routes *reserved;
>>>>> int total_resv;
>>>>> int rc;
>>>>> struct routes *available;
>>>>> int total_avail;
>>>>> int ac;
>>>>> };
>>>>>
>>>>> int parse_afrinic_extended(char *afext, struct audit *output) {
>>>>> FILE *dump = fopen(afext, "r");
>>>>> if(!dump)
>>>>> return -1;
>>>>> char buffer[1024] = {0};
>>>>> char *delim;
>>>>> output->rc = 0;
>>>>> while(fgets(buffer, 1024, dump)) {
>>>>> if(strstr(buffer, "ZZ") && strstr(buffer, "reserved")
>>>>> && strstr(buffer, "ipv4")) {
>>>>> output->rc++;
>>>>> }
>>>>> }
>>>>> output->reserved = calloc(output->rc, sizeof(struct routes));
>>>>> if(!output->reserved)
>>>>> return -1;
>>>>> output->rc = 0;
>>>>> struct routes *resv = output->reserved;
>>>>> rewind(dump);
>>>>> while(fgets(buffer, 1024, dump)) {
>>>>> if(strstr(buffer, "ZZ") && strstr(buffer, "reserved")
>>>>> && strstr(buffer, "ipv4")) {
>>>>> delim = strtok(buffer, "|");
>>>>> for(int i = 0; i < 3; i++)
>>>>> delim = strtok(NULL, "|");
>>>>> inet_pton(AF_INET, delim, &resv[output->rc].network);
>>>>> resv[output->rc].network =
>>>>> __builtin_bswap32(resv[output->rc].network);
>>>>> delim = strtok(NULL, "|");
>>>>> unsigned int addr_count = atoi(delim);
>>>>> output->total_resv += addr_count;
>>>>> resv[output->rc].broadcast =
>>>>> resv[output->rc].network+(addr_count-1);
>>>>> resv[output->rc].network =
>>>>> __builtin_bswap32(resv[output->rc].network);
>>>>> resv[output->rc].broadcast =
>>>>> __builtin_bswap32(resv[output->rc].broadcast);
>>>>> resv[output->rc].mask =
>>>>> ~__builtin_bswap32((unsigned int)addr_count-1);
>>>>> output->rc++;
>>>>> }
>>>>> }
>>>>> rewind(dump);
>>>>> while(fgets(buffer, 1024, dump)) {
>>>>> if(strstr(buffer, "ZZ") && strstr(buffer, "available")
>>>>> && strstr(buffer, "ipv4")) {
>>>>> output->ac++;
>>>>> }
>>>>> }
>>>>> output->available = calloc(output->ac, sizeof(struct routes));
>>>>> if(!output->available)
>>>>> return -1;
>>>>> struct routes *avail = output->available;
>>>>> rewind(dump);
>>>>> while(fgets(buffer, 1024, dump)) {
>>>>> if(strstr(buffer, "ZZ") && strstr(buffer, "available")
>>>>> && strstr(buffer, "ipv4")) {
>>>>> delim = strtok(buffer, "|");
>>>>> for(int i = 0; i < 3; i++)
>>>>> delim = strtok(NULL, "|");
>>>>> inet_pton(AF_INET, delim, &avail[output->ac].network);
>>>>> avail[output->ac].network =
>>>>> __builtin_bswap32(avail[output->ac].network);
>>>>> delim = strtok(NULL, "|");
>>>>> unsigned int addr_count = atoi(delim);
>>>>> output->total_avail += addr_count;
>>>>> avail[output->ac].broadcast =
>>>>> avail[output->ac].network+(addr_count-1);
>>>>> avail[output->ac].mask =
>>>>> ~__builtin_bswap32((unsigned int)addr_count-1);
>>>>> output->ac++;
>>>>> }
>>>>> }
>>>>> fclose(dump);
>>>>> return 0;
>>>>> }
>>>>>
>>>>> int parse_dfz(char *dfz_dump, struct audit *output) {
>>>>> FILE *dump = fopen(dfz_dump, "r");
>>>>> char buffer[1024] = {0};
>>>>> int rc = 0, mult = 0, cidr = 0;
>>>>> char *delim;
>>>>> if(!dump) {
>>>>> return -1;
>>>>> }
>>>>> while(fgets(buffer, 1024, dump)) {
>>>>> if(buffer[0] >= '1' && buffer[0] <= '9' &&
>>>>> strtok(buffer, "/") && strchr(buffer, '.')) {
>>>>> rc++;
>>>>> }
>>>>> }
>>>>> output->dfz = calloc(rc, sizeof(struct routes));
>>>>> output->dfz_count = rc;
>>>>> if(!output->dfz) {
>>>>> return -1;
>>>>> }
>>>>> rewind(dump);
>>>>> rc = 0;
>>>>> while(fgets(buffer, 1024, dump)) {
>>>>> if(buffer[0] >= '1' && buffer[0] <= '9') {
>>>>> cidr = 0;
>>>>> delim = strtok(buffer, "/");
>>>>> delim = strtok(NULL, "/");
>>>>> if(!delim) {
>>>>> memset(buffer, 0, 1024);
>>>>> continue;
>>>>> }
>>>>> mult = 1;
>>>>> for(int i = 0; i < 3; i++) {
>>>>> if(delim[i] >= '0' && delim[i] <= '9') {
>>>>> cidr = cidr * mult+(9-('9'-delim[i]));
>>>>> mult*=10;
>>>>> }
>>>>> }
>>>>> delim = strchr(buffer, '.');
>>>>> if(!delim) {
>>>>> memset(buffer, 0, 1024);
>>>>> continue;
>>>>> }
>>>>> output->dfz[rc].cidr = cidr;
>>>>> inet_pton(AF_INET, buffer, &output->dfz[rc].network);
>>>>> output->dfz[rc].cidr = cidr;
>>>>> output->dfz[rc].network =
>>>>> __builtin_bswap32((unsigned int)output->dfz[rc].network);
>>>>> output->dfz[rc].mask = (~(unsigned int)0) <<
>>>>> (32-cidr);
>>>>> output->dfz[rc].broadcast =
>>>>> output->dfz[rc].network + ((~(unsigned int)0) >> cidr);
>>>>> output->dfz[rc].network =
>>>>> __builtin_bswap32((unsigned int)output->dfz[rc].network);
>>>>> output->dfz[rc].broadcast =
>>>>> __builtin_bswap32((unsigned int)output->dfz[rc].broadcast);
>>>>> rc++;
>>>>> memset(buffer, 0, 1024);
>>>>> }
>>>>> }
>>>>> fclose(dump);
>>>>> return 0;
>>>>> }
>>>>>
>>>>> int audit_reserved(struct audit *data) {
>>>>> int hijack_count = 0;
>>>>> for(int i = 0; i < data->dfz_count; i++) {
>>>>> unsigned int dfz_net = __builtin_bswap32((unsigned
>>>>> int)data->dfz[i].network);
>>>>> unsigned int dfz_bcast = __builtin_bswap32((unsigned
>>>>> int)data->dfz[i].broadcast);
>>>>> for(int r = 0; r < data->rc; r++) {
>>>>> unsigned int resv_net =
>>>>> __builtin_bswap32((unsigned int)data->reserved[r].network);
>>>>> unsigned int resv_bcast =
>>>>> __builtin_bswap32((unsigned int)data->reserved[r].broadcast);
>>>>> if(dfz_net >= resv_net && dfz_net <= resv_bcast) {
>>>>> hijack_count += ((dfz_bcast-dfz_net)+1);
>>>>> char dfz_route[INET_ADDRSTRLEN] = {0};
>>>>> char resv_network[INET_ADDRSTRLEN] = {0};
>>>>> char resv_broadcast[INET_ADDRSTRLEN] = {0};
>>>>> inet_ntop(AF_INET, &data->dfz[i].network,
>>>>> dfz_route, INET_ADDRSTRLEN);
>>>>> inet_ntop(AF_INET, &data->reserved[r].network,
>>>>> resv_network, INET_ADDRSTRLEN);
>>>>> inet_ntop(AF_INET,
>>>>> &data->reserved[r].broadcast, resv_broadcast, INET_ADDRSTRLEN);
>>>>> printf("%s/%d fell between reserved range %s
>>>>> -> %s [Adding %d addresses to potential hijack]\n",
>>>>> dfz_route, data->dfz[i].cidr,
>>>>> resv_network, resv_broadcast, (dfz_bcast-dfz_net)+1);
>>>>> }
>>>>> }
>>>>> for(int a = 0; a < data->ac; a++) {
>>>>> unsigned int avail_net =
>>>>> __builtin_bswap32((unsigned int)data->available[a].network);
>>>>> unsigned int avail_bcast =
>>>>> __builtin_bswap32((unsigned int)data->available[a].broadcast);
>>>>> if(dfz_net >= data->available[a].network &&
>>>>> dfz_net <= data->available[a].broadcast) {
>>>>> hijack_count +=
>>>>> ((data->available[a].broadcast-data->available[a].network)+1);
>>>>> char dfz_route[INET_ADDRSTRLEN] = {0};
>>>>> char avail_network[INET_ADDRSTRLEN] = {0};
>>>>> char avail_broadcast[INET_ADDRSTRLEN] = {0};
>>>>> inet_ntop(AF_INET, &data->dfz[i].network,
>>>>> dfz_route, INET_ADDRSTRLEN);
>>>>> inet_ntop(AF_INET, &avail_net, avail_network,
>>>>> INET_ADDRSTRLEN);
>>>>> inet_ntop(AF_INET, &avail_bcast,
>>>>> avail_broadcast, INET_ADDRSTRLEN);
>>>>> printf("%s/%d fell between available range %s
>>>>> -> %s\n", dfz_route, data->dfz[i].cidr, avail_network,
>>>>> avail_broadcast);
>>>>> }
>>>>> }
>>>>> }
>>>>> printf("Found %d potentially hijacked addresses\n",
>>>>> hijack_count);
>>>>> return 0;
>>>>> }
>>>>>
>>>>> int main(int argc, const char * argv[]) {
>>>>> struct audit data = {0};
>>>>> if(parse_dfz(BGP_DUMP, &data))
>>>>> return EXIT_FAILURE;
>>>>> if(parse_afrinic_extended(AFRINIC_EXT, &data))
>>>>> return EXIT_FAILURE;
>>>>> printf("Found %d total available addresses and %d total
>>>>> reserved addresses\n", data.total_avail, data.total_resv);
>>>>> audit_reserved(&data);
>>>>> return EXIT_SUCCESS;
>>>>> }
>>>>>
>>>>> _______________________________________________
>>>>> RPD mailing list
>>>>> RPD at afrinic.net
>>>>> https://lists.afrinic.net/mailman/listinfo/rpd
>>>> _______________________________________________
>>>> RPD mailing list
>>>> RPD at afrinic.net
>>>> https://lists.afrinic.net/mailman/listinfo/rpd
>>>>
>>>
>>> _______________________________________________
>>> RPD mailing list
>>> RPD at afrinic.net
>>> https://lists.afrinic.net/mailman/listinfo/rpd
>> _______________________________________________
>> RPD mailing list
>> RPD at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/rpd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20251016/48d178b0/attachment-0001.html>
More information about the RPD
mailing list