https://benjojo.co.uk/u/benjojo/h/r1zj333N4L6cF7P1xv

benjojo posted 03 Jan 2024 17:18 +0000

Ah. Orange Spain has had their /12 (and likely others) broken by (what appears to be) someone breaking into their RIPE account and making RPKI ROAs to somewhere else.

Current reachability of impacted prefixes is pretty poor.

The current ROA is pointing to AS49581 ("Ferdinand Zink trading as Tube-Hosting")

Someone has already claimed responsibility for this: https://twitter.com/Ms_Snow_OwO/status/1742357282917109928

Shout out to @tstrickx for informing me of this

benjojo replied 03 Jan 2024 17:29 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/r1zj333N4L6cF7P1xv

Here is a full list of impacted prefixes, that's a lot of broken traffic I suspect...

[Image: A screenshot of bgp.tools showing many /16's worth of IP space signed to the wrong ASN]

benjojo replied 03 Jan 2024 17:31 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/69w66xSkFsw73KS8k3

In case it disappears, here are the screenshots of the tweet from the alleged person who did the mis-signing

[Image: A screenshot of twitter with a censored user name, saying @orange_es "Meow meow meow! I have fixed your RIPE admin account security. Message me to get the new credentials :^)"]

benjojo replied 03 Jan 2024 18:01 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/29dBSKgf66c2D1mvnD

The bad ROAs are now being withdrawn, as far as I can see only these remain with bad ROAs:

IP address blocks:
    145.1.240.0/20 maxlen: 20
    149.74.0.0/16 maxlen: 16
    1.178.232.0/21 maxlen: 21

---------------------------------------------------------------------

Using the RPKI CRL file we can see rough estimates of when things were changed (a timeline)

[Image: A list of timestamps, with a flurry of activity around 13:59:48 and 09:38:58]

flangey@chaos.social replied 03 Jan 2024 18:47 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/r1zj333N4L6cF7P1xv

@benjojo @tstrickx the RIPE NCC Access available MFA options and auditability are not really good enough.
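
Why a ROA that names the wrong origin AS breaks reachability, as described at the top of this thread, shown as an added example that is not part of any post here: RFC 6811 route origin validation, plus a monitoring check for ROAs that cover your address space with an origin you did not expect. The three prefixes and AS49581 come from the thread (pairing them is an assumption); AS64500 is a documentation ASN standing in for the legitimate origin, which the thread does not name, and the 192.0.2.0/24 entry is constructed.

```python
import ipaddress

# Constructed sample of validated ROA payloads: (prefix, maxlen, origin ASN).
EXPECTED_ORIGIN = 64500  # assumption: placeholder for the legitimate origin AS
VRPS = [
    ("145.1.240.0/20", 20, 49581),  # thread prefix, assumed signed to AS49581
    ("149.74.0.0/16", 16, 49581),   # thread prefix, assumed signed to AS49581
    ("1.178.232.0/21", 21, 49581),  # thread prefix, assumed signed to AS49581
    ("192.0.2.0/24", 24, 64500),    # constructed: a healthy ROA for comparison
]

def validate(prefix, origin, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, maxlen, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp.version or not route.subnet_of(vrp):
            continue  # this ROA does not cover the announced route
        covered = True
        # A match needs the same origin (AS0 never matches) and a route
        # no more specific than the ROA's maxlen.
        if asn == origin and asn != 0 and route.prefixlen <= maxlen:
            return "valid"
    # Covered by at least one ROA but matched by none: routers doing
    # origin validation drop the route.
    return "invalid" if covered else "not-found"

def unexpected_roas(my_prefixes, expected_origin, vrps=VRPS):
    """Return VRPs overlapping our space whose origin AS is not ours."""
    mine = [ipaddress.ip_network(p) for p in my_prefixes]
    hits = []
    for vrp_prefix, maxlen, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        same_family = [m for m in mine if m.version == vrp.version]
        if asn != expected_origin and any(vrp.overlaps(m) for m in same_family):
            hits.append((vrp_prefix, maxlen, asn))
    return hits

if __name__ == "__main__":
    print(validate("149.74.0.0/16", EXPECTED_ORIGIN))
    print(unexpected_roas(["149.74.0.0/16", "192.0.2.0/24"], EXPECTED_ORIGIN))
```

Run against a real VRP export from your validator, the second function is the alert: any hit means someone has signed your space to another AS.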