[nsp-sec] Fwd: Kenyan Route Hijack
Danny McPherson
danny at tcb.net
Sun Mar 16 01:10:03 EDT 2008
I'm really surprised this is still occurring. Does anyone here
have information regarding this that may suggest it was
intentional, or malicious, or something of the sort?
Any responses received for on-list consumption only, of course.
My write-up on this:
<http://asert.arbornetworks.com/2008/03/africa-online-kenya-latest-internet-routing-insecurity-casuality/>
-danny
Begin forwarded message:
> From: Danny McPherson <danny at tcb.net>
> Date: March 15, 2008 11:57:50 AM MDT
> To: Felix Bako <fbako at africaonline.co.ke>
> Cc: nanog at merit.edu
> Subject: Kenyan Route Hijack
>
> [more accurate subject line]
>
> On Mar 14, 2008, at 1:33 PM, Felix Bako wrote:
>
>>
>> Hello,
>> There is a routing loop while accessing my network 194.9.82.0/24
>> from some networks on the Internet.
>>
>> This is a test done from lg.above.net looking glass.
>>
>> 1 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
>> 2 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 0 msec
>> 3 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 8 msec 8 msec 0 msec
>> 4 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
>> 5 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
>> 6 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 4 msec
>> 7 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 64 msec 0 msec 4 msec
>> 8 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
>> 9 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
>> 10 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 4 msec 0 msec
>> 11 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 4 msec 0 msec 4 msec
>
> According to RIPE BGP play data, it looks to me like AS 6461
> (Abovenet) began announcing 194.9.82.0/24 about 10 hours
> ago, pulling traffic away from AS 39615 and triggering your
> reachability problems (note times are UTC):
>
> # 1/361 2008-03-15 03:05:27 Path Change from 29636 6461 2914 8513 25228 36915
> rrc01 195.66.224.132 to 29636 2914 6461
> # 2/361 2008-03-15 03:05:27 Route Announcement 20485 2914 6461
> rrc01 195.66.224.212
> ....
>
> About 17 minutes later AS 6461 withdrew the route announcement:
>
> # 41/361 2008-03-15 03:22:56 Route Withdrawal ( 4777 2497 2914 6461 )
> rrc06 202.249.2.20
> ....
>
> And another 12 minutes or so later they began announcing it
> again:
>
> # 42/361 2008-03-15 03:35:26 Path Change from 29636 6461 2914 8513 25228 36915
> rrc01 195.66.224.132 to 29636 2914 6461
> ...
>
> Seemed to be a bunch more instability with this prefix around 5:53:
>
> # 66/361 2008-03-15 05:53:40 Route Announcement 25462 6461
> rrc07 194.68.123.157
> ...
>
> And then some withdraws around 7:43:
>
> # 183/361 2008-03-15 07:43:48 Path Change from 8468 6453 6461
> rrc01 195.66.224.151 to 8468 3491 25228 25228 25228 25228 25228 36915
> ...
>
> With considerable oscillation for around 40 minutes between the legit
> path via AS 36915 and the path via AS 6461.
>
> And the latest was this transition from AS 6461 back to the 36915 path
> about 2 hours ago, but only by a few ASNs, I suspect because those ASNs
> explicitly modified policy (either preference or filtering) to de-prefer the
> AS 6461 path. This is illustrated pretty nicely with BGP play:
>
> # 335/361 2008-03-15 14:59:43 Route Withdrawal ( 1916 3549 6461 )
> rrc15 200.219.130.4
> # 361/361 2008-03-15 15:00:27 Path Change from 13645 3356 6461
> rrc11 198.32.160.150 to 13645 3491 25228 25228 25228 25228 25228 36915
>
> BGP Play applet here:
>
> http://www.ris.ripe.net/bgplay/applet.html?
>
> Although most folks are definitely still preferring the AS 6461
> path.
>
> An interesting bit is that the current announcement on routeviews
> directly from AS 6461 has Community 6461:5999 attached:
> ...
> 6461
> 64.125.0.137 from 64.125.0.137 (64.125.0.137)
> Origin IGP, metric 0, localpref 100, valid, external, best
> Community: 6461:5999
> ...
>
> According to this, that community is used for "internal prefixes":
>
> http://onesc.net/communities/as6461/
>
> "6461:5999 internal prefix"
>
> A "sh ip bgp community 6461:5999" currently yields 130 prefixes
> with Origin AS of 6461 and that community. Nothing more specific
> than a /24, although many many adjacent prefixes that would
> presumably be aggregated normally are announced as well.
>
> The closest adjacent prefix to 194.9.82/24 they're announcing
> is 194.9.40/24, which is one of their prefixes:
>
> *> 194.9.40.0 64.125.0.137 0 0 6461 i
> *> 194.9.82.0 64.125.0.137 0 0 6461 i
>
> Unfortunately, the AS6461 forwarding loop still exists, and most
> ASNs still appear to be preferring their path over yours per BGP
> AS path route selection rules:
>
> ---
> danny at pork% date
> Sat Mar 15 11:55:27 MDT 2008
> ...
> 14 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 188.278 ms 172.714 ms 174.984 ms
> 15 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 176.234 ms 174.013 ms 174.109 ms
> 16 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 173.230 ms 172.892 ms 174.765 ms
> 17 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) 174.721 ms 175.256 ms 174.738 ms
> 18 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 174.437 ms 220.815 ms 180.961 ms
> 19 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 177.564 ms 181.966 ms 174.771 ms
> 20 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 176.028 ms 174.269 ms 174.365 ms
> 21 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) 175.626 ms 175.381 ms 175.831 ms
> 22 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 174.046 ms 174.841 ms 174.388 ms
> 23 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 174.861 ms 174.857 ms 175.475 ms
> ...
>
> My recommendation: stay on the phone with Abovenet (via your
> upstream, and their upstream if necessary) until you see a withdraw
> for the route on routeviews from AS 6461:
>
> telnet route-views.routeviews.org
> sh ip bgp 194.9.82.0/24
>
> -danny
>
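The origin change that the forwarded analysis walks through by hand (the prefix showing up with origin AS 6461 instead of the legitimate AS 36915, then flipping back) is the kind of thing a defender would want flagged automatically. The following is an added example, not code from the thread or from RIPE: it parses constructed sample records modelled on the BGP play lines quoted above (the exact record layout is an assumption) and reports every announced or changed path whose origin is not the expected AS, treating prepended paths correctly.

```python
import re

PREFIX = "194.9.82.0/24"
EXPECTED_ORIGIN = 36915  # legitimate origin AS for the prefix, per the thread

# Constructed sample records, modelled on the RIPE BGP play lines quoted in the mail.
SAMPLE_EVENTS = [
    "# 1/361 2008-03-15 03:05:27 Path Change from 29636 6461 2914 8513 25228 36915 "
    "rrc01 195.66.224.132 to 29636 2914 6461",
    "# 2/361 2008-03-15 03:05:27 Route Announcement 20485 2914 6461 rrc01 195.66.224.212",
    "# 41/361 2008-03-15 03:22:56 Route Withdrawal ( 4777 2497 2914 6461 ) rrc06 202.249.2.20",
    "# 183/361 2008-03-15 07:43:48 Path Change from 8468 6453 6461 rrc01 195.66.224.151 "
    "to 8468 3491 25228 25228 25228 25228 25228 36915",
]

HEAD = re.compile(r"^#\s*\d+/\d+\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
                  r"(?P<kind>Path Change|Route Announcement|Route Withdrawal)\s+(?P<rest>.*)$")
BODY = {  # per kind (assumed layout): AS path(s), collector name (rrcNN), collector peer address
    "Path Change": re.compile(r"^from\s+(?P<old>[\d ]+?)\s+(?P<rrc>rrc\d+)\s+\S+\s+to\s+(?P<new>[\d ]+)$"),
    "Route Announcement": re.compile(r"^(?P<new>[\d ]+?)\s+(?P<rrc>rrc\d+)\s+\S+$"),
    "Route Withdrawal": re.compile(r"^\(\s*(?P<old>[\d ]+?)\s*\)\s+(?P<rrc>rrc\d+)\s+\S+$"),
}

def _aspath(text):
    return [int(asn) for asn in text.split()] if text else []

def parse_event(line):
    """Parse one BGP play record into a dict; None for anything else (e.g. '...' filler)."""
    head = HEAD.match(line.strip())
    body = head and BODY[head["kind"]].match(head["rest"].strip())
    if not body:
        return None
    g = body.groupdict()
    return {"ts": head["ts"], "kind": head["kind"], "rrc": g["rrc"],
            "old": _aspath(g.get("old")), "new": _aspath(g.get("new"))}

def origin(path):
    """Origin AS is the right-most AS; prepending (repeated ASNs) does not change it."""
    return path[-1] if path else None

def find_origin_changes(lines, expected=EXPECTED_ORIGIN):
    """Split events into paths announced with a foreign origin (hijack candidates) and
    paths whose origin is the expected AS (recoveries). Withdrawals carry no new path."""
    hijacks, recoveries = [], []
    for ev in filter(None, map(parse_event, lines)):
        o = origin(ev["new"])
        if o is not None:
            (recoveries if o == expected else hijacks).append((ev["ts"], ev["rrc"], o))
    return hijacks, recoveries
```

On the sample records this flags the two 03:05:27 events at rrc01 (origin AS 6461) and records the 07:43:48 path change as a recovery to AS 36915; the withdrawal is not scored because it carries no new path.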