According to RIPE RIS, AS26347 announced a bunch of prefixes again.
- http://www.ris.ripe.net/dashboard/26347
First suspicious announcement was started 2013-03-06 07:52:40 UTC, and
last seen 2013-03-06 08:33:56 UTC. 195 prefixes total.
It seems these unauthorized announcements have the same profile as
before - AS26347 shrinks the prefix lenght of their received prefix
somehow upto /20, and re-originates the prefix with origin AS26347.
Any known bugs?
Regards,
Hi Mat,
I see the same thing, we learn the prefix from the route-server in LAX:
telnet@r1.lax1.us>show ip bgp routes detail 90.201.80.0/20
Number of BGP Routes matching display condition : 1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH
S:SUPPRESSED F:FILTERED s:STALE
1 Prefix: 90.201.80.0/20, Status: BE, Age: 0h22m15s
NEXT_HOP: 206.223.143.83, Metric: 0, Learned from Peer: 206.223.143.253 (19996)
LOCAL_PREF: 400, MED: none, ORIGIN: incomplete, Weight: 0
AS_PATH: 26347
COMMUNITIES: 5580:12431
Adj_RIB_out count: 18, Admin distance 20
Last update to IP routing table: 0h22m15s, 1 path(s) installed:
Kind regards,
Job
They're doing this to our routes in any2 in LA as well.
...
Hi all,
I tried contacting Coresite/Any2 to have somebody login to the routeserver and doublecheck
which peer is actually announcing this NLRI. Because there is a remote possibility that the
route-server is being manipulated by a third party and dreamhost is a victim here.
After the usual hurdles like "What is your circuit ID?" "Without a workorder I cannot login to
the routeserver!" and "5580? that can't be an AS number" I unfortunately got nowhere so I
still don't know who exactly announced these prefixes to the route-server.
As of now the announcements for the more specifics seem to be gone.
Can anybody (preferably from Any2 or Dreamhost) shed more light on this matter?
Kind regards,
Job
Hi Guys,
Sorry to see this come up again. We are no announcing the prefix in
question. I am happy to work with you to investigate.
dh_admin@gar-bdr-01> show route advertising-protocol bgp 206.223.143.122
inet.0: 447113 destinations, 1801741 routes (447105 active, 8 holddown, 0
hidden)
Prefix Nexthop MED Lclpref AS path
* 64.111.96.0/19 Self I
* 66.33.192.0/19 Self I
* 66.33.197.0/24 Self 6 I
* 67.205.0.0/18 Self I
* 69.163.128.0/17 Self I
* 75.119.192.0/19 Self I
* 173.236.128.0/17 Self I
* 205.196.208.0/20 Self I
* 208.97.128.0/18 Self I
* 208.113.128.0/17 Self I
* 208.113.200.0/24 Self 6 I
Best,
Kenneth
{master}
dh_admin@gar-bdr-01>
.-- My secret spy satellite informs me that at 2013-03-06 12:59 AM
Matsuzaki Yoshinobu wrote:
According to RIPE RIS, AS26347 announced a bunch of prefixes again.
- http://www.ris.ripe.net/dashboard/26347First suspicious announcement was started 2013-03-06 07:52:40 UTC, and
last seen 2013-03-06 08:33:56 UTC. 195 prefixes total.It seems these unauthorized announcements have the same profile as
before - AS26347 shrinks the prefix lenght of their received prefix
somehow upto /20, and re-originates the prefix with origin AS26347.Any known bugs?
Sounds indeed like an exact copy of the incident on January 11:
http://seclists.org/nanog/2013/Jan/243
That time the prefixes seem to also have been learned via a route-server
in LA.
The strange thing is that the majority of the 'hijacked' prefixes (today
and in January) are new more specifics (not seen before).
(Using some kind of BGP route optimizer?).
This time it affected 203 unique prefixes and 133 ASns.
Below a list of some of the affected ASns
20115 Charter Telecom.
4837 China Unicom
8151 UNINET Mexico
11427 Roadrunner
42961 MTC GPRS Kuwait
7303 Telecom Argentina S.A.
25135 Vodafone
7018 AT&T
6389 BellSouth.net
8220 Colt
19262 Verizon
9143 ZIGGO
6830 UPC
5089 Virgin Media
Cheers,
Andree
Hi all,
Just a small update.
Off-list Andree and me have been working together with Kenneth from dreamhost
to try and figure out what exactly happened and which device or party orginated
these prefixes.
Unfortunately no hard conclusions can be drawn from the data available to us, especially
since we lack proper insight into this Any2 routeserver.
I also want to emphasize that Kenneth and Dreamhost have been very forth coming in
sharing data (configs, stats, networkplans) to find the root cause.
We have put additional monitoring in place to try and catch more data if this happens
a next time.
Thank you all for being on top of incidents like this!
Kind regards,
Job