BGP route hijack by AS10990

We saw a bunch of our IP blocks hijacked by AS10990 from 19:15 MDT until 20:23 MDT. Anybody else have problems with that?

ASpath: 1299 7219 10990

50.92.0.0/17 AS10990
198.166.0.0/17 AS10990
198.166.128.0/17 AS10990
162.157.128.0/17 AS10990
162.157.0.0/17 AS10990
50.92.128.0/17 AS10990

We appeared to be impacted with some address space within 206.47.0.0/16 which AS577 normally advertises, but that was between 15:50 and 16:30 Eastern.

Jeff

Looks like the list is too long… none of them have any valid ROAs as well.


Looks like the real question here is why doesn’t 7219 do a better job of filtering what they accept.

Has anyone reached out to them?

Owen

You mean 1299? 7219 and 10990 are the same entity.

Peace,

so, bgp optimizers… again?

More like shame on Telia for not filtering properly.

If Tulix used a so called BGP "optimizer" and didn't have a proper export filter in place it is their mistake but as a major transit provider, Telia bears the brunt of the responsibility of making sure that Tulix's mistake doesn't affect the rest of us.

We should stop calling them 'optimizers'... perhaps "BGP Polluters"?

Kind regards,

Job

Peace,

It’s not like there are scorecards, but there’s a lot of fault to go around.

However, again, BGP “Optimizers” are bad. The conditions by which the inadvertent leak occurs need to be fixed, no question. But in scenarios like this, as-path length generally limits impact to “Oh crap, I’ll fix that, sorry!” Once you start squirting out more specifics, you get to own some of the egg on the face.

In that case, sure, up to 1299.

Owen

I'd like to direct you to Job's writeup on this :) https://mailman.nanog.org/pipermail/nanog/2017-August/191897.html
While these "optimizers" CAN be beneficial to the individual operator, they're apparently used incorrectly in some instances.
Telia should've filtered, that's for sure. But the leak shouldn't have occurred in the first place.

Telia implements RPKI filtering so the question is did it work? Were any affected prefixes RPKI signed? Would any prefixes have avoided being hijacked if RPKI signing had been in place?

Regards

Baldur - who had to turn off RPKI filtering at the request of JTAC to stop our mx204s from crashing :(

On Thu, 30 Jul 2020 at 18:59, Töma Gavrichenkov <ximaera@gmail.com> wrote:

Not a single prefix was signed, from what I saw. Maybe a good reason for Rogers, Charter, TWC etc. to do that now. It would have stopped the propagation at Telia.

Not only that, Telia indicates that Telia does everything right:

https://www.teliacarrier.com/our-network/bgp-routing/routing-security-.html

"We reject RPKI Invalids on all BGP Sessions; for both Peers and Customers."

How can that be?

Misconfig or oversight?

Nick

If true that none of the affected prefixes were signed, this is a good case to get some people to sign their prefixes. Everyone affected will have to accept shared blame, because they could have prevented the issue by following best practice by doing their RPKI signing.

Regards,

Baldur
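
Added example, not part of the thread or any poster's code: RFC 6811 route origin validation applied to the case discussed above, showing why a "reject RPKI Invalids" policy still accepts an unsigned prefix (state not-found) and drops the same more-specific once a covering ROA exists. The ROA table, the 206.47.0.0/17 route and the origin AS64500 (a documentation-range placeholder for the real holder's ASN) are constructed assumptions.

```python
import ipaddress

# Constructed ROA table: (prefix, maxLength, origin ASN). The AS577 entry uses
# the pairing named in the thread; no such ROA is claimed to have existed.
ROAS = [("206.47.0.0/16", 16, 577)]

# Routes as (prefix, AS path). The first is from the thread; the other two
# are constructed for illustration.
ROUTES = [
    ("50.92.0.0/17", "1299 7219 10990"),
    ("206.47.0.0/17", "1299 7219 10990"),
    ("206.47.0.0/16", "577"),
]

def validate(prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the route
        covered = True
        if roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but matched none: invalid. No covering ROA: not-found.
    return "invalid" if covered else "not-found"

def reject_invalids(routes, roas):
    """Apply a 'reject RPKI Invalids' policy; not-found routes still pass."""
    accepted = []
    for prefix, as_path in routes:
        origin = int(as_path.split()[-1])  # rightmost ASN is the origin
        state = validate(prefix, origin, roas)
        if state != "invalid":
            accepted.append((prefix, state))
    return accepted

def with_placeholder_roa():
    """Same table plus a ROA for 50.92.0.0/16; AS64500 is a placeholder
    (documentation range), standing in for the real holder's ASN."""
    return ROAS + [("50.92.0.0/16", 16, 64500)]

if __name__ == "__main__":
    for label, table in (("unsigned", ROAS), ("signed", with_placeholder_roa())):
        print(label, reject_invalids(ROUTES, table))
```
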