Dreamhost hijacking my prefix...

Not sure how widespread their "leakage" may be, but Dreamhost just
hijacked one of my prefixes...

====================================================================
Possible Prefix Hijack (Code: 10)

Your prefix: 150.182.192.0/18:
Update time: 2013-01-11 14:14 (UTC)
Detected by #peers: 11
Detected prefix: 150.182.208.0/20
Announced by: AS26347 (DREAMHOST-AS - New Dream Network, LLC)
Upstream AS: AS42861 (PRIME-LINE-AS JSC "Prime-Line")
ASpath: 8331 42861 42861 42861 26347

Anyone have a contact there? ASinfo gives netops@dreamhost.com where I
have submitted a report, but so far no joy...

Jeff

Jeff,

We are not announcing the prefix in question nor do we peer with AS42861.

Robtex would beg to differ... you show peered with AS42861, perhaps
someone (else) is looping their advertisements?

_R_egistered
_O_ther side
_B_GP visible Peer
OB AS174 COGENT /PSI
B AS4323 TWTC Autonomous system for tw telecom .
B AS4826 VOCUS-BACKBONE-AS Vocus Connect International Backbone Vocus Communications Level 2, Vocus House 189 Miller Street North Sydney NSW 2060
B AS5580 ATRATO-IP / Atrato IP Networks
B AS6461 MFNX MFN - Metromedia Fiber Network
B AS6939 HURRICANE Electric
B AS7575 AARNET-AS-AP Australia's Research and Education Network (AARNet3)
B AS7922 COMCAST-IBONE Comcast Cable Communications, Inc. 1800 Bishops Gate Blvd Mt Laurel, NJ 08054 US
B AS8359 MTS Dummy description for
B AS10912 INTERNAP-BLK Internap Network Services
B AS10913 INTERNAP-BLK Internap Network Services
B AS12989 HWNG Eweka Internet Services B.V.
B AS36351 SOFTLAYER Technologies Inc.
B AS42861 PRIME-LINE-AS Dummy description for

Sounds like someone in Russia is having some fun with as-path prepending and prefix hijacking.

Just checked all BGP speakers again and I show no peering with AS42861.

That would be my guess. We have had some issues with this in the past with
operators from China and Russia.

Here at/as AS5580 I no longer see it announced as a /20, only your own /18:

#sh ip bgp routes 150.182.192.0 255.255.192.0 longer-prefixes
Number of BGP Routes matching display condition : 4
Searching for matching routes, use ^C to quit...
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
        E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH
        S:SUPPRESSED F:FILTERED s:STALE
        Prefix Next Hop MED LocPrf Weight Status
1 150.182.192.0/18 80.94.64.10 400 0 BMI
          AS_PATH: 11164 10490 3450 14209
2 150.182.192.0/18 80.94.64.10 400 0 MI
          AS_PATH: 11164 10490 3450 14209
3 150.182.192.0/18 80.94.64.10 400 0 MI
          AS_PATH: 11164 10490 3450 14209
4 150.182.192.0/18 80.94.64.10 400 0 MI
          AS_PATH: 11164 10490 3450 14209

Hi,
Here's a quick summary of what we saw at BGPMon.net.

At 2013-01-11 14:14:13 we saw announcements (seemingly) originated by
26347, for prefixes normally announced by other ASn's (origin change /
hijack).

This seems to have affected 112 prefixes for 110 ASn's [1], including
Rogers, Tata, Sprint, Ziggo, Verizon, KPN, Vodafone, CloudFlare, XS4ALL,
AT&T, Bell Canada and many more.
Most of these were new more specific(!) announcements.

With regard to next-hop ASNs (peers), it seems this hijack was
propagated via 12 unique (AS26347) peers [1].

A quick look at the prefix that was mentioned by Jeff, 150.182.208.0/20
(more specific of 50.182.192.0/18)
The first announcement for this prefix was seen at 2013-01-11 14:14:28
and withdrawn at 2013-01-11 15:20:57. It was detected by 42 unique peers.

some example paths:
271 6939 26347
5580 26347
37312 5713 6939 26347
1126 24785 12989 26347

[1] I've posted some details (Unique next-hop ASN's and affected origin
ASN's), check if your AS was affected here:
http://portal.bgpmon.net/data/hijack20130111.txt

Cheers,
Andree
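
The origin-change / more-specific check described in the alert and in the BGPMon summary above, as an added example that is not part of the original thread or BGPMon's own code. The prefixes and AS paths are copied from the thread; pairing the example paths with the /20 and the names `classify`, `collapse` and `summarize` are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Prefix and legitimate origin from the thread (AS14209 is the rightmost
# ASN on the /18 paths reported by AS5580 and AS702).
MONITORED = {ipaddress.ip_network("150.182.192.0/18"): {14209}}

# Constructed sample feed of (prefix, AS path); paths are from the thread,
# attaching the BGPMon example paths to the /20 is an assumption.
SAMPLE_UPDATES = [
    ("150.182.192.0/18", "11164 10490 3450 14209"),
    ("150.182.192.0/18", "702 701 209 26827 14209"),
    ("150.182.208.0/20", "8331 42861 42861 42861 26347"),
    ("150.182.208.0/20", "271 6939 26347"),
    ("150.182.208.0/20", "5580 26347"),
    ("150.182.208.0/20", "37312 5713 6939 26347"),
    ("150.182.208.0/20", "1126 24785 12989 26347"),
]

def collapse(as_path):
    """Return the path as ints with prepending (repeated ASNs) collapsed."""
    hops = []
    for asn in map(int, as_path.split()):
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops

def classify(prefix, as_path, monitored=MONITORED):
    """Compare one announcement against the monitored prefixes."""
    net, origin = ipaddress.ip_network(prefix), collapse(as_path)[-1]
    for mine, origins in monitored.items():
        if net.version != mine.version or not net.subnet_of(mine):
            continue
        kind = "exact" if net == mine else "more-specific"
        return f"{kind}-ok" if origin in origins else f"{kind}-hijack"
    return "unrelated"

def summarize(updates, monitored=MONITORED):
    """Group suspicious announcements by (prefix, origin AS)."""
    alerts = defaultdict(lambda: {"peers": set(), "upstreams": set()})
    for prefix, as_path in updates:
        if not classify(prefix, as_path, monitored).endswith("hijack"):
            continue
        hops = collapse(as_path)
        alert = alerts[(prefix, hops[-1])]
        alert["peers"].add(hops[0])           # collector peer that saw it
        if len(hops) > 1:
            alert["upstreams"].add(hops[-2])  # AS adjacent to the origin
    return dict(alerts)
```

The upstream set is what separates a direct session from a route-server or forged-path explanation: each AS adjacent to the claimed origin can be checked against the origin's real peering.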

.-- My secret spy satellite informs me that at 2013-01-11 7:23 AM Jeff
Kell wrote:

Jeff:

150.182.208.0/20 is not visible from AS702 in Germany.
150.182.192.0/18 path is 702 701 209 26827 14209

Tony

Thanks for that info Andree. The only valid peer I see on the list would
be HE. We do not peer with any of the others listed.

Kenneth

Hi Kenneth,

.-- My secret spy satellite informs me that at 2013-01-11 8:54 AM
Kenneth McRae wrote:

Thanks for that info Andree. The only valid peer I see on the list
would be HE. We do not peer with any of the others listed.

Could it be these ASns receive your routes via an IX route-server?

Below some examples that show a peering between 26347 and
5580 as well as 12989

5580 26347
http://www.ris.ripe.net/cgi-bin/lg/index.cgi?rrc=RRC031&query=12&arg=5580+26347

12989 26347:
http://www.ris.ripe.net/cgi-bin/lg/index.cgi?rrc=RRC031&query=12&arg=12989+26347

And route views:

route-views>sh ip bgp regex 12989_26347
BGP table version is 427410275, local router ID is 128.223.51.103
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network Next Hop Metric LocPrf Weight Path
* 64.111.96.0/19 208.74.64.40 0 19214 12989 26347 i
* 66.33.192.0/19 208.74.64.40 0 19214 12989 26347 i
* 67.205.0.0/18 208.74.64.40 0 19214 12989 26347 i
* 69.163.128.0/17 208.74.64.40 0 19214 12989 26347 i
* 75.119.192.0/19 208.74.64.40 0 19214 12989 26347 i
* 173.236.128.0/17 208.74.64.40 0 19214 12989 26347 i
* 205.196.208.0/20 208.74.64.40 0 19214 12989 26347 i
* 208.97.128.0/18 208.74.64.40 0 19214 12989 26347 i
* 208.113.128.0/17 208.74.64.40 0 19214 12989 26347 i
* 208.113.200.0 208.74.64.40 0 19214 12989 26347 i

Cheers,
Andree

Hi all,

Atrato / 5580 here.

We don't have direct peering with AS26347, although we learn the AS26347 prefixes through the 206.223.143.253 (AS 19996) routeserver in LAX.

So in a sense we are peering :)

Kind regards,

Job

Yes, now that is possible (just no direct peering). So that takes me back
to my original statement about not announcing the 150.182.208.0/20 prefix
to begin with.

Kenneth

.-- My secret spy satellite informs me that at 2013-01-11 10:44 AM
Kenneth McRae wrote:

Yes, now that is possible (just no direct peering). So that takes me
back to my original statement about not announcing the 150.182.208.0/20
prefix to begin with.

Here's some more data showing an announcement for
150.182.208.0/20 originated by 26347

http://www.ris.ripe.net/mt/rissearch-result.html?aspref=150.182.208.0%2F20&preftype=EMATCH&rrc_id=1000&peer=ALL&startday=20130111&starthour=00&startmin=00&startsec=00&endday=20130111&endhour=19&endmin=16&endsec=26&outype=html&submit=Search&.submit=type

I can send you more data if you need it.
Just contact me off-list.

Cheers,
Andree