[nsp-sec] Fwd: Kenyan Route Hijack
Chris Morrow
morrowc at ops-netman.net
Sun Mar 16 02:13:38 EDT 2008
is it possible abovenet is null-routing the space and forgot that /24's
leak across their boundaries?
On Sat, 15 Mar 2008, Danny McPherson wrote:
> ----------- nsp-security Confidential --------
>
>
> I'm really surprised this is still occurring. Does anyone here
> have information regarding this that may suggest it was
> intentional, or malicious, or something of the sort?
>
> Any responses received for on-list consumption only, of course.
>
> My write-up on this:
>
> <http://asert.arbornetworks.com/2008/03/africa-online-kenya-latest-internet-routing-insecurity-casuality/>
>
> -danny
>
> Begin forwarded message:
>
>> From: Danny McPherson <danny at tcb.net>
>> Date: March 15, 2008 11:57:50 AM MDT
>> To: Felix Bako <fbako at africaonline.co.ke>
>> Cc: nanog at merit.edu
>> Subject: Kenyan Route Hijack
>>
>> [more accurate subject line]
>>
>> On Mar 14, 2008, at 1:33 PM, Felix Bako wrote:
>>
>>>
>>> Hello,
>>> There is a routing loop while accessing my network 194.9.82.0/24
>>> from some networks on the Internet.
>>>
>>> This is a test done from lg.above.net looking glass.
>>>
>>> 1 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
>>> 2 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 0 msec
>>> 3 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 8 msec 8 msec 0 msec
>>> 4 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
>>> 5 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
>>> 6 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 4 msec
>>> 7 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 64 msec 0 msec 4 msec
>>> 8 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
>>> 9 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
>>> 10 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 4 msec 0 msec
>>> 11 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 4 msec 0 msec 4 msec
>>
>> According to RIPE BGP play data, it looks to me like AS 6461
>> (Abovenet) began announcing 194.9.82.0/24 about 10 hours
>> ago, pulling traffic away from AS 39615 and triggering your
>> reachability problems (Note times are UTC):
>>
>> # 1/361 2008-03-15 03:05:27 Path Change from 29636 6461 2914
>> 8513 25228 36915
>> rrc01 195.66.224.132 to 29636 2914 6461
>> # 2/361 2008-03-15 03:05:27 Route Announcement 20485 2914 6461
>> rrc01 195.66.224.212
>> ....
>>
>> About 17 minutes later AS 6461 withdrew the route announcement:
>>
>> # 41/361 2008-03-15 03:22:56 Route Withdrawal ( 4777 2497 2914
>> 6461 )
>> rrc06 202.249.2.20
>> ....
>>
>> And another 12 minutes or so later they began announcing it
>> again:
>>
>> # 42/361 2008-03-15 03:35:26 Path Change from 29636 6461 2914
>> 8513 25228 36915
>> rrc01 195.66.224.132 to 29636 2914 6461
>> ...
>>
>> Seemed to be a bunch more instability with this prefix around 5:53:
>>
>> # 66/361 2008-03-15 05:53:40 Route Announcement 25462 6461
>> rrc07 194.68.123.157
>> ...
>>
>> And then some withdraws around 7:43:
>>
>> # 183/361 2008-03-15 07:43:48 Path Change from 8468 6453 6461
>> rrc01 195.66.224.151 to 8468 3491 25228
>> 25228 25228 25228 25228 36915
>> ...
>>
>> With considerable oscillation for around 40 minutes between the legit
>> path via AS 36915 and the path via AS 6461.
>>
>> And the latest was this transition from AS 6461 back to the 36915 path
>> about 2 hours ago, but only by a few ASNs, I suspect because those ASNs
>> explicitly modified policy (either preference or filtering) to de-prefer the
>> AS 6461 path. This is illustrated pretty nicely with BGP play:
>>
>> # 335/361 2008-03-15 14:59:43 Route Withdrawal ( 1916 3549 6461 )
>> rrc15 200.219.130.4
>> # 361/361 2008-03-15 15:00:27 Path Change from 13645 3356 6461
>> rrc11 198.32.160.150 to 13645 3491 25228
>> 25228 25228 25228 25228 36915
>>
>> BGP Play applet here:
>>
>> http://www.ris.ripe.net/bgplay/applet.html?
>>
>> Although most folks are definitely still preferring the AS 6461
>> path.
>>
>> An interesting bit is that the current announcement on routeviews
>> directly from AS 6461 has Community 6461:5999 attached:
>> ...
>> 6461
>> 64.125.0.137 from 64.125.0.137 (64.125.0.137)
>> Origin IGP, metric 0, localpref 100, valid, external, best
>> Community: 6461:5999
>> ...
>>
>> According to this, that community is used for "internal prefixes":
>>
>> http://onesc.net/communities/as6461/
>>
>> "6461:5999 internal prefix"
>>
>> A "sh ip bgp community 6461:5999" currently yields 130 prefixes
>> with Origin AS of 6461 and that community. Nothing more specific
>> than a /24, although many many adjacent prefixes that would
>> presumably be aggregated normally are announced as well.
>>
>> The closest adjacent prefix to 194.9.82/24 they're announcing
>> is 194.9.40/24, which is one of their prefixes:
>>
>> *> 194.9.40.0 64.125.0.137 0 0 6461 i
>> *> 194.9.82.0 64.125.0.137 0 0 6461 i
>>
>> Unfortunately, the AS6461 forwarding loop still exists, and most
>> ASNs still appear to be preferring their path over yours per BGP
>> AS path route selection rules:
>>
>> ---
>> danny at pork% date
>> Sat Mar 15 11:55:27 MDT 2008
>> ...
>> 14 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 188.278 ms 172.714 ms 174.984 ms
>> 15 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 176.234 ms 174.013 ms 174.109 ms
>> 16 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 173.230 ms 172.892 ms 174.765 ms
>> 17 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) 174.721 ms 175.256 ms 174.738 ms
>> 18 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 174.437 ms 220.815 ms 180.961 ms
>> 19 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 177.564 ms 181.966 ms 174.771 ms
>> 20 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 176.028 ms 174.269 ms 174.365 ms
>> 21 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) 175.626 ms 175.381 ms 175.831 ms
>> 22 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 174.046 ms 174.841 ms 174.388 ms
>> 23 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 174.861 ms 174.857 ms 175.475 ms
>> ...
>>
>> My recommendation, stay on the phone with Abovenet (via your
>> upstream, and their upstream if necessary) until you see a withdraw
>> for the route on routeviews from AS 6461:
>>
>> telnet route-views.routeviews.org
>> sh ip bgp 194.9.82.0/24
>>
>> -danny
>>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
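A small defender-side monitor, added here as an example and not code from the thread: it checks collector AS paths for a monitored prefix whose origin AS is not the expected one and pulls the repeating cycle out of a looking-glass traceroute. It assumes AS 36915 is the legitimate origin of 194.9.82.0/24; the sample paths and hop addresses are constructed from those quoted above.

```python
# Added example, not code from the thread: flag announcements of a monitored
# prefix whose origin AS is not the expected one, and spot a traceroute
# forwarding loop. Sample data is constructed from the thread; AS 36915 as
# the legitimate origin is an assumption taken from the discussion above.

EXPECTED_ORIGIN = {"194.9.82.0/24": 36915}
# Constructed sample: (collector peer, AS path as shown by RIS / routeviews)
SAMPLE_PATHS = [
    ("rrc01 195.66.224.132", "29636 2914 6461"),
    ("rrc01 195.66.224.212", "20485 2914 6461"),
    ("rrc07 194.68.123.157", "25462 6461"),
    ("rrc01 195.66.224.151", "8468 3491 25228 25228 25228 25228 25228 36915"),
    ("rrc11 198.32.160.150", "13645 3491 25228 25228 25228 25228 25228 36915"),
]
# Constructed sample: hop addresses from the lg.above.net traceroute above
TRACE_HOPS = ["64.125.26.70", "64.125.26.69", "64.125.26.74", "64.125.26.73",
              "64.125.26.70", "64.125.26.69", "64.125.26.74", "64.125.26.73"]

def parse_as_path(path):
    """'a b {c,d}' -> [a, b, frozenset({c, d})], with prepends collapsed."""
    hops = []
    for tok in path.split():
        if tok.startswith("{"):  # AS_SET, comma separated, no spaces
            hops.append(frozenset(int(x) for x in tok.strip("{}").split(",")))
        elif not hops or hops[-1] != int(tok):  # drop 25228 25228 ... prepends
            hops.append(int(tok))
    return hops

def origin_as(path):
    """Origin is the last AS; an AS_SET origin is ambiguous, so report None."""
    last = parse_as_path(path)[-1]
    return None if isinstance(last, frozenset) else last

def check_prefix(prefix, observations, expected=EXPECTED_ORIGIN):
    """Return (alerts, share): alerts are (peer, origin, path) with a wrong origin."""
    want = expected[prefix]
    alerts = [(peer, origin_as(p), p) for peer, p in observations
              if origin_as(p) != want]
    share = len(alerts) / len(observations) if observations else 0.0
    return alerts, share

def forwarding_loop(hop_addrs):
    """Return the repeating cycle of hop addresses in a traceroute, or []."""
    first_seen = {}
    for i, addr in enumerate(hop_addrs):
        if addr in first_seen:
            return hop_addrs[first_seen[addr]:i]
        first_seen[addr] = i
    return []
```

On the sample data three of the five vantage points prefer the AS 6461 origin, matching the "most folks are still preferring the AS 6461 path" observation, and the traceroute resolves to the four-hop cycle seen in the looking-glass output.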