questions regarding prefix hijacking

Hi,

as probably many of you know, it's possible to create a "route" object
to RIPE database for an address space which is allocated outside the
RIPE region using the RIPE-NCC-RPSL-MNT maintainer object. For example
an address space is from APNIC or ARIN region and AS is from RIPE
region. For example a LIR in RIPE region creates a "route" object to
RIPE database for 157.166.266.0/24(used by Turner Broadcasting System)
prefix without having written permission from Turner Broadcasting
System and as this LIR uses up-link providers who create prefix
filters automatically according to RADb database entries, this ISP is
soon able to announce this 157.166.266.0/24 prefix to Internet. This
should disturb the availability of the real 157.166.266.0/24 network
on Internet? Has there been such situations in history? Isn't there a
method against such hijacking? Or have I misunderstood something and
this isn't possible?

regards,
Martin

Unfortunately, it is way too easy for people to inject routes into the
global routing system.

I think most of the folks on the list can attest to that.

- ferg

Certainly practical scenario, but in many cases not needed at all. In most
cases upstream does not do any automatic prefix filter generation, it's
maybe somewhat popular in mid-sized european shops but generally not too
common.

There is active on-going work to secure BGP and you may want to read up on
'RPKI' which is further along that track.

I hope it has better adoption than BCP38/BCP84.

- ferg

Ok. And such attacks have happened in the past? For example one could
do a pretty widespread damage for at least short period of time if it
announces for example some of the root DNS server prefixes(as long
prefixes as possible) to it's upstream provider and as upstream
provider probably prefers client traffic over it's peerings or
upstreams, it will prefer those routes by malicious ISP for all the
traffic to root DNS servers?

regards,
Martin

Of course similar problems have occurred in the past. Just take a look
at this video: http://www.youtube.com/watch?v=IzLPKuAOe50

Some minor occurrences have happened recently as well.

Ciao!

Historically, most prefix hijacks have been accidental, generally due
to configuration error -- for instance:

http://www.renesys.com/2008/02/pakistan-hijacks-youtube-1/

Having said that, there are quite a few documented cases of it being
done intentionally, and for nefarious purposes.

- ferg

It has happened in the past and there is no silver bullet solution to
prevent this 100%.

One big happening I can recall was the AS7007 incident way back in 1997.

http://en.wikipedia.org/wiki/AS_7007_incident

Cheers.

Do I need ECC on my brain to stop the bitrot, or was there a kerfluffle a
long ways back when somebody announced 127/8, and a surprising number of
systems actually bit?

From: Paul Ferguson
Sent: Wednesday, August 7, 2013 3:07 AM
Subject: Re: questions regarding prefix hijacking

Historically, most prefix hijacks have been accidental, generally due to
configuration error -- for instance...

Having said that, there are quite a few documented cases of it being done
intentionally, and for nefarious purposes.

It would be incredibly useful for someone to start a page or a category on Wikipedia "List of Internet Routing and DNS Incidents" that would include both "accidental" and malicious events.

- Marsh

do we really need that? they seem to occur often enough that that
isn't really required

From: Christopher Morrow
Sent: Wednesday, August 7, 2013 2:06 PM

>
> It would be incredibly useful for someone to start a page or a category on
Wikipedia "List of Internet Routing and DNS Incidents" that would include
both "accidental" and malicious events.

do we really need that?

Have you ever heard of someone using IP addresses as an access control mechanism? (AKA, "IP whitelist")

When I hear about this, I would really *love* to be able to link them to a credible source.

they seem to occur often enough that that isn't really required

*I* believe you, but in practice that's not sufficient to convince many other folks.
Currently, a section of a page on Wikipedia lists 7 incidents going back to 1997.

Serious question: Do folks here feel that is an accurate representation of this phenomenon in practice?

- Marsh

Regards
Alexander

Alexander Neilson
Neilson Productions Limited

alexander@neilson.net.nz
021 329 681
022 456 2326

From: Christopher Morrow
Sent: Wednesday, August 7, 2013 2:06 PM

It would be incredibly useful for someone to start a page or a category on

Wikipedia "List of Internet Routing and DNS Incidents" that would include
both "accidental" and malicious events.

I would see there being a problem with Wikipedia trying to categorise some of them as accidental / malicious. I think if it was done it would have to be list where ones that were publicly announced as accidental would be listed as accidents and the rest left un noted to comply with neutral point of view and verification.

do we really need that?

Have you ever heard of someone using IP addresses as an access control mechanism? (AKA, "IP whitelist")

When I hear about this, I would really *love* to be able to link them to a credible source.

they seem to occur often enough that that isn't really required

*I* believe you, but in practice that's not sufficient to convince many other folks.
Currently, a section of a page on Wikipedia lists 7 incidents going back to 1997.
BGP hijacking - Wikipedia

Serious question: Do folks here feel that is an accurate representation of this phenomenon in practice?

I would tend to say as it lists BGPmon.net as an external link thats a good resource for finding out about other ones that have happened. Also maybe that section should be renamed notable incidents and just have it as a sample of some of these incidents.

It appears AS3549 is announcing 10.0.0.0/8. I noticed it from an

> From: Christopher Morrow
> Sent: Wednesday, August 7, 2013 2:06 PM
>
> >
> > It would be incredibly useful for someone to start a page or a
> > category on
> > Wikipedia "List of Internet Routing and DNS Incidents" that would
> > include
> > both "accidental" and malicious events.
>
> do we really need that?

Have you ever heard of someone using IP addresses as an access control
mechanism? (AKA, "IP whitelist")

Yes. I've even had to configure my DHCP client to auto generate requests
to get the whitelist updated when my ISP gives my cable modem a new address.

They are used all the time to allow access to DNS servers. If fact we
ship nameservers where the default setting whitelist particular sets
of clients (directly connected) by default.

>
>> on Internet? Has there been such situations in history? Isn't there a
>> method against such hijacking? Or have I misunderstood something and
>> this isn't possible?
>
> Certainly practical scenario, but in many cases not needed at all. In most
> cases upstream does not do any automatic prefix filter generation, it's
> maybe somewhat popular in mid-sized european shops but generally not too
> common.
>
> There is active on-going work to secure BGP and you may want to read up on
> 'RPKI' which is further along that track.
>

I hope it has better adoption than BCP38/BCP84.

SIDR should help with BCP38/BCP84 as it allows correct filters to
be securely built.

Mark

Seems like that might have been the first time I was annoying the Big Net Operators about why they route unroutable traffic.

And a new annoying question: does it seem odd that the Big Net Operator's Private Mailing List is answering such gut basic and old news questions about how do I best destroy the Internet, should I wan t to do that?

They do happen, but they get little publicity. People that I've talked to
about this say, for reasons mostly unspecified, they'd rather not talk
about it.

Saku,

In most cases upstream does not do any automatic prefix filter generation, it's maybe somewhat popular in mid-sized european shops but generally not too common.

What do you mean? In most cases upstreams do not filter prefixes at all?

There is active on-going work to secure BGP and you may want to read up on 'RPKI' which is further along that track.

Thanks for mentioning this! Very interesting effort. I validated some
routes in LIR portal, verified that those are validated using RIPE
rpki-validator tool and a Juniper router connected to validator:

rpki@lr1.ham1.de> show validation session detail
Session 195.13.63.18, State: up, Session index: 2
  Group: eurotransit-testbed, Preference: 100
  Local IPv4 address: 193.34.50.25, Port: 8282
  Refresh time: 120s
  Hold time: 180s
  Record Life time: 3600s
  Serial (Full Update): 559
  Serial (Incremental Update): 559
    Session flaps: 0
    Session uptime: 00:11:35
    Last PDU received: 00:00:27
    IPv4 prefix count: 4921
    IPv6 prefix count: 833

rpki@lr1.ham1.de> show route protocol bgp 5.11.81.0

inet.0: 456407 destinations, 456408 routes (456407 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.11.81.0/24 *[BGP/170] 00:11:59, localpref 110, from 79.141.168.1
                      AS path: 33926 25577 43532 I, validation-state: valid
                    > to 193.34.50.1 via em0.0

RPKI-valid.inet.0: 11440 destinations, 11440 routes (11440 active, 0
holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.11.81.0/24 *[BGP/170] 00:11:11, localpref 110, from 79.141.168.1
                      AS path: 33926 25577 43532 I, validation-state: valid
                    > to 193.34.50.1 via em0.0

rpki@lr1.ham1.de>

Massimiliano, Paul, Indra:

thanks for pointing out those interesting cases!

regards,
Martin