Indonesian ISP Moratel announces Google's prefixes

Another case of route hijack -
http://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about

I am curious if big networks have any pre-defined filters for big content
providers like Google to avoid these? I am sure the internet community would be
working in a direction to somehow prevent these issues. Curious to know
developments so far.

Thanks.

What do you mean hijack? Google is peering with Moratel, if Google does not
want Moratel to advertise its routes to Moratel's peers/upstreams, then
Google should've set the correct BGP attributes in the first place.

Curious to know which those are?

It's widely accepted that you only advertise your peers' routes to customers, and you only advertise your own, and your customers' routes to your upstreams.

By reading the Cloudflare blog, a Cloudflare network engineer discovered that
Google's authoritative DNS server networks (including Google's public DNS
8.8.8.0/24) were being routed to Indonesia according to Cloudflare's SF
office edge router. This is weird unless Cloudflare is doing something
crazy on their edge router, given that those networks are heavily anycasted
across the Internet. If Cloudflare sees those networks being routed to
Indonesia from San Francisco, then a lot more people should've been
affected.

That doesn't make the slightest bit of sense.

If a Moratel customer announced a Google-owned prefix to Moratel, and Moratel did not have the proper filters in place, there is nothing Google could do to stop the hijack from happening.

Exactly what attribute do you think would stop this?

Where did you get the idea that a Moratel customer announced a Google-owned
prefix to Moratel and Moratel did not have the proper filters in place?
According to the blog, all of Google's 4 authoritative DNS server networks and
8.8.8.0/24 were wrongly routed to Moratel. What's the possibility of a
Moratel customer announcing all those prefixes?

Nobody said a Moratel customer announced a Google prefix, they said the
issue was within Moratel.

This is a really good article that explains the issue in detail, maybe read
it again?

http://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about

Steve

Ah, right, they just leaked Google's prefix. I thought a customer originated the prefix.

Original question still stands. Which attribute do you expect Google to set to stop this?

Hint: Don't say No-Advertise, unless you want peers to only talk to the adjacent AS, not their customers or their customers' customers, etc.

Looking forward to your answer.

I don't know what Google and Moratel's peering agreement is, but "leak"?
Educate me: Google is announcing a /24 for all of their 4 NS prefixes and
8.8.8.0/24 for their public DNS server, so how did Moratel leak those routes
to the Internet?

Downthread, someone said what is typical with peering prefixes, i.e. announce to customers, not to peers or upstreams. How do you think peering works?

However, I place most of the blame on PCCW for crappy filtering of their customers. And I'm a little surprised to see nLayer in the path. Shame on them! (Does that have any effect any more? :)

Oh, and we are still waiting for an answer: Which attribute do you think Google could have used to stop this?

Ahhh...blame the victim. Google - shame on you.

-Hank

If Google announces 8.8.8.0/24 to you and you in turn start announcing to the Internet 8.8.8.0/24 as originating from you, then a certain section of the Internet will believe your announcement over Google's. This has happened many times before due to improper filters, but this is the first time I have seen the victim being blamed. Interesting concept.

-Hank

Hmm, look at this screen shot from the blog, 8.8.8.0/24 was originated from
Google.

tom@edge01.sfo01> show route 8.8.8.8

inet.0: 422196 destinations, 422196 routes (422182 active, 0 holddown,
14 hidden)
+ = Active Route, - = Last Active, * = Both
8.8.8.0/24 *[BGP/170] 00:27:02, MED 18, localpref 100
                      AS path: 4436 3491 23947 15169 I

Everyone who posted in this thread was well aware of that. (Well, except me in my first post. :) Google was still the victim, and it was still not their fault.

You are showing wide and clear ignorance on the basics of peering. Which is fine, the vast majority of the planet hasn't a clue what peering is. However, the rest of the people who do not know what they are talking about have managed to avoid commenting on the subject to 10K+ of their not-so-closest friends.

To be clear, if you had started with something like: "Why is Google originating the route? Doesn't that make it valid?", you would have gotten a lot of help & support. But instead you started by claiming it was Google's fault and they could stop this by setting "the correct BGP attributes". I note you still haven't told us what those attributes would be despite repeated questions.

Perhaps it's time to admit you don't know what attributes, and you need a little more education on peering in general?

When you find yourself in a hole, stop digging.

I would expect that Moratel should have a route object which their transit providers can construct a prefix filter for. If Moratel advertised an AS path including themselves and a Google origin, PCCW should not have accepted it. If they originated the prefix, PCCW should not have accepted it.

It looks like nLayer have routes learned through Moratel which have local-pref set to anywhere up to 250 (learned from private peers), while the routes learned from direct peering relationships to Google on public peering have a local-pref of 200. This explains why the routes from Moratel would have been preferred during the period when they were being leaked, despite the shorter as-path (but doesn't explain why they weren't being filtered).
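The two mechanisms discussed in this thread, as an added example that is not part of any poster's message: the export rule (peer routes go to customers only) applied to the AS path from the screenshot to locate the leaking AS, and best-path selection showing why local-pref 250 beats a shorter path at local-pref 200. The AS relationships in `REL`, the function names and the two sample routes are assumptions constructed from values quoted in the thread.

```python
# Added illustration. AS relationships below are assumptions taken from the thread,
# and the sample routes are constructed from the values quoted in it.
from dataclasses import dataclass

GOOGLE, MORATEL, PCCW, NLAYER = 15169, 23947, 3491, 4436

# REL[(a, b)] = what b is to a. Assumed for illustration.
REL = {
    (MORATEL, GOOGLE): "peer",
    (MORATEL, PCCW): "provider",
    (PCCW, MORATEL): "customer",
    (PCCW, NLAYER): "peer",
}

def export_allowed(learned_from: str, export_to: str) -> bool:
    """Own and customer routes go to anyone; peer/provider routes go to customers only."""
    if learned_from in ("self", "customer"):
        return True
    return export_to == "customer"

def find_leaker(as_path, rel=REL):
    """Walk the path from the origin outward and return the first AS that
    re-exported a route in violation of export_allowed(), or None."""
    hops = list(reversed(as_path))  # origin AS first
    for src, exporter, dst in zip(hops, hops[1:], hops[2:]):
        if not export_allowed(rel[(exporter, src)], rel[(exporter, dst)]):
            return exporter
    return None

@dataclass(frozen=True)
class Route:
    as_path: tuple
    local_pref: int

def best_path(routes):
    """First two BGP tie-breakers: highest local-pref, then shortest AS path."""
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path)))

# Path as seen from the San Francisco router in the thread.
OBSERVED = (NLAYER, PCCW, MORATEL, GOOGLE)
# Constructed view from inside nLayer: leaked route vs. direct public peering.
LEAKED = Route((PCCW, MORATEL, GOOGLE), local_pref=250)
DIRECT = Route((GOOGLE,), local_pref=200)

if __name__ == "__main__":
    print("leaking AS:", find_leaker(OBSERVED))
    print("nLayer selects:", best_path([LEAKED, DIRECT]).as_path)
```

With equal local-pref on both routes, `best_path` falls through to AS-path length and the direct Google route wins, which is why the local-pref policy mattered here.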

Apologies for calling it a prefix hijack. I misunderstood at the start.
Clearly it was a case of prefix leaking.

Thanks

Anurag Bhatia
http://anuragbhatia.com

Dear Mr. Know-Peering,

I came here to learn and I believe I have the right to say what I was
thinking, no matter how ignorant my comment was. I don't have the right to
blame anybody, in fact I don't give a damn whose fault it is, it is not my
business.

I apologize if I offended you when you claimed that it was a hijacking.

OK, one quick question here - Moratel leaked the route and thus for a portion of
the internet the route to Google was via Moratel but was a path. What caused the 100%
outage, i.e. all four authoritative DNS servers and the open resolver service
too? Can we just guess that due to ultra high traffic the path between Moratel
and Google was checked?

Or there's a chance that some customer of Moratel announced the prefix using
Google's ASN in the first place. Hard to believe why they would have set up a BGP
session in the first place with the wrong ASN, but I was curious to know if that is
also a possibility?

Thanks

Anurag Bhatia
http://anuragbhatia.com