On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
Is your AS in the path below? (What is your AS, so folks can check for
your prefixes/customer prefixes and attempt to help?)
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
Info gathered off-list indicates this may be a couple of issues in our case - a possible routing leak by 18978 (check your tables!) and more specifics on our prefixes from 4795 that we couldn't see before the leak, hence the apparent hijack.
Assuming that your prefix is 198.98.180.0/22 (AS29889 - FSNET-1 - Fast
Serv Networks, LLC) none of the mentioned more specifics are currently
seen from the RIPE NCC's RIS network, see the Looking Glass widget:
though there has been some BGP activity going on since 11:49:42, see the
BGPlay and BGP Update Activity widget. In both cases the originating ASN
was AS29889.
This morning our BGPmon system picked up many new more-specific
announcements by a variety of origin ASNs; the interesting part is that
the majority of them were classified as BGP man-in-the-middle (MITM)
attacks.
Several people asked me off list for more details, here is what I have regarding it.
This morning a tier-2 ISP that connects to our network made an error in their router configuration, causing the route leakage. The issue has been addressed and we will be performing a full post mortem to ensure this does not happen again.
While investigating the issue we did find that the Noction appliance stopped advertising the no-export community string with its advertisements, which is why certain prefixes were also seen.
Sure, but even that might not always prevent the fake paths from leaking
to your eBGP neighbors. For instance, not too long ago there was this
bug:
"Routes learned with the no-export community from an iBGP neighbor
are being advertised to eBGP neighbors. This may occur on Cisco ASR
9000 Series Aggregation Services Routers." (don't remember BugID)
In other words: it can happen to the best of us.
You should not lie to yourself by inserting fake more-specific paths
into routing tables. The moment your lies somehow manage to escape into
the default-free-zone you are taking other businesses down. Whether the
leak is caused by a bug in the router's software or human error,
destroying other people's online presence is far beyond acceptable.
If the same leak had happened /without/ the fake more-specifics,
it would still have been an issue, but the collateral damage would have been
dampened. The leaked paths would have to compete with the normal paths
and best-path selectors like as-path length would apply.
Using software to insert fake more-specific paths into your routing
domain should be discouraged and frowned upon.
Your upstream could also re-write any BGP communities you attach to your BGP updates; so unless co-ordinated, there is no real guarantee a NO_EXPORT community will be maintained/honoured within your upstream's network.
I guess AS18978 didn't learn from their mistake. Got a slew of identical bgpmon alerts for withdrawals and more specifics within the last 30 minutes. Worse than last time. Some still active, like:
update time (UTC)    Update Type  Probe ASn  Probe Location  Prefix           AS path                                     Cleared  Duration
2015-03-26 12:18:41  Update       AS4795     ID              198.98.180.0/23  4795 4795 4761 9304 40633 18978 4436 29889  Active
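Rows like the bgpmon alert above can be triaged automatically against what you actually originate. The Python below is an added example, not code from the thread, from BGPmon or from the RIPE NCC tools; the monitored prefixes and origin ASNs are the ones quoted in the thread, while the watch list and the second and third sample rows are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
# Prefixes we originate and the origin ASN expected for each (quoted in the thread).
MONITORED = {
    ipaddress.ip_network("198.98.180.0/22"): 29889,  # FSNET-1
    ipaddress.ip_network("108.168.0.0/17"): 40788,
}
# Hypothetical watch list: ASNs that should never transit our routes;
# 18978 is the AS the thread suspects of leaking.
WATCH_ASNS = {18978}
# Constructed sample: row 1 is the bgpmon alert quoted in the thread,
# rows 2 and 3 are made up (64496 is a documentation ASN).
SAMPLE_ALERTS = [
    "2015-03-26 12:18:41 Update AS4795 ID 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889 Active",
    "2015-03-26 12:30:00 Update AS4795 ID 198.98.180.0/22 4795 4761 4436 29889 Active",
    "2015-03-26 12:31:00 Update AS4795 ID 198.98.181.0/24 4795 4761 64496 Active",
]

@dataclass
class Finding:
    prefix: str
    origin: int
    issues: list = field(default_factory=list)

def parse_alert(line):
    """Split a bgpmon-style row ('time Update AS<probe> <loc> <prefix> <path> <state>')."""
    f = line.split()  # column order assumed from the row quoted in the thread
    return ipaddress.ip_network(f[5]), [int(a) for a in f[6:] if a.isdigit()]

def classify(line):
    """Flag more-specifics of our prefixes, unexpected origins and watched ASNs."""
    prefix, path = parse_alert(line)
    hops = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]  # drop prepends
    finding = Finding(str(prefix), path[-1])
    for covering, expected_origin in MONITORED.items():
        if prefix.version != covering.version or not prefix.subnet_of(covering):
            continue
        if prefix.prefixlen > covering.prefixlen:
            finding.issues.append(f"more-specific of {covering}")
        if finding.origin != expected_origin:
            finding.issues.append(f"origin {finding.origin} != expected {expected_origin}")
        leaked_via = WATCH_ASNS.intersection(hops)
        if leaked_via:
            finding.issues.append(f"path transits watched AS {sorted(leaked_via)}")
    return finding

def triage(lines):
    """Return only the alerts that need a human to look at them."""
    return [f for f in (classify(l) for l in lines) if f.issues]
```

Feeding the quoted row through `triage` reports it as a more-specific of 198.98.180.0/22 carried via the watched AS18978, while the constructed covering-prefix row with the expected origin is dropped as benign.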