Kenyan Route Hijack

Fergie · March 16, 2008, 5:30am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glen_Kent · March 16, 2008, 6:07am

Paul,

Also: I have seen instances where a static route points to a next
hop that (inadvertently) may be "redistribute-static" injected into
BGP. This happens occasionally due to ad hoc configurations, back-
hole null routing, etc.

And why would an ISP locally try to blackhole traffic bound to some
other legitimate address space? Wouldnt this result in this service
provider's customers to lose connectivity to whatever websites fall
behind the IP address block in question? Or is that the intention?

If its done intentionally then it would only make sense if theres a
DOS attack coming from that address block, or if theres something
"blasphemous" put up there. If none of these, then why locally
blackhole traffic?

Thanks,
Glen

Christopher_Morrow · March 16, 2008, 6:36am

Paul,

> Also: I have seen instances where a static route points to a next
> hop that (inadvertently) may be "redistribute-static" injected into
> BGP. This happens occasionally due to ad hoc configurations, back-
> hole null routing, etc.

And why would an ISP locally try to blackhole traffic bound to some
other legitimate address space? Wouldnt this result in this service

I think it was Abovenet that blackholed a /24 of (I want to say MAPS,
but that's not right) an anti-spam-RBL sometime pre-1999?

provider's customers to lose connectivity to whatever websites fall
behind the IP address block in question? Or is that the intention?

perhaps they had a significant number of complaints about the address
block and no reaction from the owner(s)? or the address block (or
hosts in it) were scanning their infrastucture, or dos'ing it or???
There are a whole host of reasons one might conjecture. In ALL cases
you'd never put in a /24 but a pair of /25 so that you didn't become
the best path for the rest of the internets...

If its done intentionally then it would only make sense if theres a
DOS attack coming from that address block, or if theres something

dos attack mitigation works best on destinations, not sources...
urpf-loose aside a filter would have solved that form of problem
quicker.

"blasphemous" put up there. If none of these, then why locally
blackhole traffic?

once upon a time we had a noc person null route a 210.x.x.0/24 block
because someone used their email address in the 'from' for a spam
run... a swift 'discussion' ensued and they learned there was a better
solution to their problem. (swift after the owners of the ip space got
a little irrate )

-Chris

Kameron_Gasso1 · March 16, 2008, 10:42am

Christopher Morrow wrote:

I think it was Abovenet that blackholed a /24 of (I want to say MAPS,
but that's not right) an anti-spam-RBL sometime pre-1999?

If I'm not mistaken, that was ORBS.

perhaps they had a significant number of complaints about the address
block and no reaction from the owner(s)? or the address block (or
hosts in it) were scanning their infrastucture, or dos'ing it or???

Such action has always been a last-ditch when I've had to deal with
severe network abuse/denial of service. Doing it on routers at the
network core and not just at the edge where the affected systems or
customers interconnect seems pretty severe, though.

There are a whole host of reasons one might conjecture. In ALL cases
you'd never put in a /24 but a pair of /25 so that you didn't become
the best path for the rest of the internets...

Even then, one would hope filters would be in place to keep it from
traversing outside of their local AS, at least in a more perfect world.
Of course, another recent incident disproving that theory comes to mind...

-Kam

Alastair_Johnson · March 16, 2008, 11:49am

Kameron Gasso wrote:

Christopher Morrow wrote:

I think it was Abovenet that blackholed a /24 of (I want to say MAPS,
but that's not right) an anti-spam-RBL sometime pre-1999?

If I'm not mistaken, that was ORBS.

Correct. A particularly interesting case, since ORBS' transit provider was also a transit customer of Above.net. Said transit provider would announce their /16s, of which ORBS sat in a /24 or two of, and have their traffic blackholed.

IIRC they punched /24s via their other transit providers to partly resolve the issue.

But the rest of the story - let's not go there.

Jon_Lewis1 · March 16, 2008, 2:50pm

Why not? We _used_ to be an Above.net OC3 customer. Back around 2003, we ran into issues with Above.net deciding for us which parts of the internet should be accessible. We got customer complaints that certain web sites were unreachable through us, but worked fine on other internet services. I eventually got Above.net to give me a list of the several dozen /24's they were null routing.

This was particularly annoying because they had nothing setup to notify customers of these null routes or allow us to choose not to send them traffic they'd null route. To me, this seemed rather inappropriate behavior for a transit provider.

jpayne · March 16, 2008, 11:32pm

ORBS, and the only reason it became such a big deal was that Abovenet was the upstream of ORBS’ upstream. And that’s something people still haven’t gotten over.

Paul_Vixie1 · March 17, 2008, 4:12am

john@sackheads.org (John Payne) writes:

> I think it was Abovenet that blackholed a /24 of (I want to say MAPS,
> but that's not right) an anti-spam-RBL sometime pre-1999?

ORBS, and the only reason it became such a big deal was that Abovenet was
the upstream of ORBS' upstream. And that's something people still
haven't gotten over.

this was a simple AUP violation, blown way out of proportion because two of
abovenet's executives were also owners of MAPS. without that element, this
would just have been a matter of ORBS doing forced open relay scans of the
internet and especially of abovenet's other customers, and noone would have
been shocked or surprised to see abovenet blackhole them, citing chapter
and verse of the abovenet AUP, as well as many equivilent examples.

i think, at this stage and at this date, that bringing up the ORBS/abovenet
debacle constitutes a "canard", and should be avoided, for the good of all.

Suresh_Ramasubramani · March 17, 2008, 7:43am

Completely unrelated to l'affaire ORBS of course, but in this more
recent example, was uunet kenya a transit customer (or customer of a
customer) of abovenet? And quoting from a previous email -

Ross_Vandegrift · March 17, 2008, 12:25pm

No, 6461:5999 is definitely not a blackhole community. I'm seeing
prefixes tagged 5999 that are reachable. See for example 62.80.96.0/19.

The only common factors I can see with these prefixes:

1) They are all announced with an AS path of 6461.
2) A large number seem to be related to dyanmic IP internet service.
Some are registered to wireless providers, some have reverse DNS that
indicates there's DSL behind them.

But then there's some stuff that looks to be non-ISP:
204.227.66.0/24 is registered to "Ann Taylor Stores Corp", is part of
ARIN assigned 204.227.64/19. However, none of the rest of that /19 is there.

Puzzling...