[nsp-sec] Fwd: Kenyan Route Hijack
Hank Nussbacher
hank at efes.iucc.ac.il
Sun Mar 16 02:48:19 EDT 2008
At 06:13 AM 16-03-08 +0000, Chris Morrow wrote:
>----------- nsp-security Confidential --------
>
>is it possible abovenet is null-routing the space and forgot that /24's
>leak across their boundaries?
Better question - why isn't Abovenet on nsp-sec?
-Hank
>On Sat, 15 Mar 2008, Danny McPherson wrote:
>
> > ----------- nsp-security Confidential --------
> >
> >
> > I'm really surprised this is still occurring. Does anyone here
> > have information regarding this that may suggest it was
> > intentional, or malicious, or something of the sort?
> >
> > Any responses received for on-list consumption only, of course.
> >
> > My write-up on this:
> >
> >
> > <http://asert.arbornetworks.com/2008/03/africa-online-kenya-latest-internet-routing-insecurity-casuality/>
> >
> >
> > -danny
> >
> > Begin forwarded message:
> >
> >> From: Danny McPherson <danny at tcb.net>
> >> Date: March 15, 2008 11:57:50 AM MDT
> >> To: Felix Bako <fbako at africaonline.co.ke>
> >> Cc: nanog at merit.edu
> >> Subject: Kenyan Route Hijack
> >>
> >> [more accurate subject line]
> >>
> >> On Mar 14, 2008, at 1:33 PM, Felix Bako wrote:
> >>
> >>>
> >>> Hello,
> >>> There is a routing loop while accessing my network 194.9.82.0/24
> >>> from some networks on the Internet.
> >>>
> >>> This is a test done from lg.above.net looking glass.
> >>>
> >>> 1 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec
> >>> 0 msec
> >>> 2 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label
> >>> 78 Exp 0] 0 msec 0 msec 0 msec
> >>> 3 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 8 msec 8 msec 0 msec
> >>> 4 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label
> >>> 80 Exp 0] 0 msec 4 msec 0 msec
> >>> 5 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec
> >>> 0 msec
> >>> 6 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label
> >>> 78 Exp 0] 0 msec 0 msec 4 msec
> >>> 7 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 64 msec 0 msec 4
> >>> msec
> >>> 8 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label
> >>> 80 Exp 0] 0 msec 4 msec 0 msec
> >>> 9 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec
> >>> 0 msec
> >>> 10 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label
> >>> 78 Exp 0] 0 msec 4 msec 0 msec
> >>> 11 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 4 msec 0 msec 4
> >>> msec
> >>
> >> According to RIPE BGP play data looks to me like AS 6461
> >> (Abovenet) began announcing 194.9.82.0/24 about 10 hours
> >> ago, pulling traffic away from AS 39615 and triggering your
> >> reachability problems (Note times are UTC):
> >>
> >> # 1/361 2008-03-15 03:05:27 Path Change from 29636 6461 2914
> >> 8513 25228 36915
> >> rrc01 195.66.224.132 to 29636 2914 6461
> >> # 2/361 2008-03-15 03:05:27 Route Announcement 20485 2914 6461
> >> rrc01 195.66.224.212
> >> ....
> >>
> >> About 17 minutes later AS 6461 withdrew the route announcement:
> >>
> >> # 41/361 2008-03-15 03:22:56 Route Withdrawal ( 4777 2497 2914
> >> 6461 )
> >> rrc06 202.249.2.20
> >> ....
> >>
> >> And another 12 minutes or so later they began announcing it
> >> again:
> >>
> >> # 42/361 2008-03-15 03:35:26 Path Change from 29636 6461 2914
> >> 8513 25228 36915
> >> rrc01 195.66.224.132 to 29636 2914 6461
> >> ...
> >>
> >> Seemed to be a bunch more instability with this prefix around 5:53:
> >>
> >> # 66/361 2008-03-15 05:53:40 Route Announcement 25462 6461
> >> rrc07 194.68.123.157
> >> ...
> >>
> >> And then some withdraws around 7:43:
> >>
> >> # 183/361 2008-03-15 07:43:48 Path Change from 8468 6453 6461
> >> rrc01 195.66.224.151 to 8468 3491 25228
> >> 25228 25228 25228 25228 36915
> >> ...
> >>
> >> With considerable oscillation for around 40 minutes between the legit
> >> path via AS 36915 and the path via AS 6461.
> >>
> >> And the latest was this transition from AS 6461 back to the 36915 path
> >> about 2 hours ago, but only by a few ASNs, I suspect because those
> >> ASNs explicitly modified policy (either preference or filtering) to
> >> de-prefer the AS 6461 path. This is illustrated pretty nicely with BGP play:
> >>
> >> # 335/361 2008-03-15 14:59:43 Route Withdrawal ( 1916 3549 6461 )
> >> rrc15 200.219.130.4
> >> # 361/361 2008-03-15 15:00:27 Path Change from 13645 3356 6461
> >> rrc11 198.32.160.150 to 13645 3491 25228
> >> 25228 25228 25228 25228 36915
> >>
> >> BGP Play applet here:
> >>
> >> http://www.ris.ripe.net/bgplay/applet.html?
> >>
> >> Although most folks are definitely still preferring the AS 6461
> >> path.
> >>
> >> An interesting bit is that the current announcement on routeviews
> >> directly from AS 6461 has Community 6461:5999 attached:
> >> ...
> >> 6461
> >> 64.125.0.137 from 64.125.0.137 (64.125.0.137)
> >> Origin IGP, metric 0, localpref 100, valid, external, best
> >> Community: 6461:5999
> >> ...
> >>
> >> According to this, that community is used for "internal prefixes":
> >>
> >> http://onesc.net/communities/as6461/
> >>
> >> "6461:5999 internal prefix"
> >>
> >> A "sh ip bgp community 6461:5999" currently yields 130 prefixes
> >> with Origin AS of 6461 and that community. Nothing more specific
> >> than a /24, although many many adjacent prefixes that would
> >> presumably be aggregated normally are announced as well.
> >>
> >> The closest adjacent prefix to 194.9.82/24 they're announcing
> >> is 194.9.40/24, which is one of their prefixes:
> >>
> >> *> 194.9.40.0 64.125.0.137 0 0 6461 i
> >> *> 194.9.82.0 64.125.0.137 0 0 6461 i
> >>
> >> Unfortunately, the AS6461 forwarding loop still exists, and most
> >> ASNs still appear to be preferring their path over yours per BGP
> >> AS path route selection rules:
> >>
> >> ---
> >> danny at pork% date
> >> Sat Mar 15 11:55:27 MDT 2008
> >> ...
> >> 14 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 188.278 ms
> >> 172.714 ms 174.984 ms
> >> 15 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 176.234 ms
> >> 174.013 ms 174.109 ms
> >> 16 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 173.230 ms
> >> 172.892 ms 174.765 ms
> >> 17 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) 174.721 ms
> >> 175.256 ms 174.738 ms
> >> 18 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 174.437 ms
> >> 220.815 ms 180.961 ms
> >> 19 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 177.564 ms
> >> 181.966 ms 174.771 ms
> >> 20 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 176.028 ms
> >> 174.269 ms 174.365 ms
> >> 21 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) 175.626 ms
> >> 175.381 ms 175.831 ms
> >> 22 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 174.046 ms
> >> 174.841 ms 174.388 ms
> >> 23 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 174.861 ms
> >> 174.857 ms 175.475 ms
> >> ...
> >>
> >> My recommendation, stay on the phone with Abovenet (via your
> >> upstream, and their upstream if necessary) until you see a withdraw
> >> for the route on routeviews from AS 6461:
> >>
> >> telnet route-views.routeviews.org
> >> sh ip bgp 194.9.82.0/24
> >>
> >> -danny
> >>
> >
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security
> > counter-measures.
> > _______________________________________________
> >
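The thread's diagnosis rests on one observation: the RIS collector data showed 194.9.82.0/24 with AS 6461 as the rightmost (origin) ASN, whereas the legitimate origin is AS 36915. The following script is an added example (not part of this thread, and not Arbor's or RIPE's code) that automates that check over BGPlay-style event lines. It assumes each event has been joined onto a single line of the form `# n/total <timestamp> <event> ...` shown above; the sample lines are constructed here from the paths quoted in the thread, and the expected origin set (`{36915}`) is taken from the legitimate path Danny describes. For each event it classifies the visible origin at that vantage point as a hijack or a recovery, and at the end lists which collector peers still prefer the unexpected origin, which is the condition Danny suggests watching before declaring the incident over.

```python
"""Origin-AS mismatch detector over BGPlay-style route event lines.

Added example, not code from the thread. Input lines are constructed,
modelled on the "# n/361 <timestamp> <event> ..." format quoted above,
with each event joined onto one line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Expected origin for the prefix under discussion (legitimate path ends in AS 36915).
EXPECTED_ORIGINS: Dict[str, Set[int]] = {"194.9.82.0/24": {36915}}

# Constructed sample events, modelled on the RIS/BGPlay lines in the thread.
SAMPLE_EVENTS = """
# 1/6 2008-03-15 03:05:27 Path Change from 29636 6461 2914 8513 25228 36915 rrc01 195.66.224.132 to 29636 2914 6461
# 2/6 2008-03-15 03:05:27 Route Announcement 20485 2914 6461 rrc01 195.66.224.212
# 3/6 2008-03-15 03:22:56 Route Withdrawal ( 4777 2497 2914 6461 ) rrc06 202.249.2.20
# 4/6 2008-03-15 05:53:40 Route Announcement 25462 6461 rrc07 194.68.123.157
# 5/6 2008-03-15 07:43:48 Path Change from 8468 6453 6461 rrc01 195.66.224.151 to 8468 3491 25228 25228 25228 25228 25228 36915
# 6/6 2008-03-15 15:00:27 Path Change from 13645 3356 6461 rrc11 198.32.160.150 to 13645 3491 25228 25228 25228 25228 25228 36915
"""

_HEAD = re.compile(
    r"^#\s*\d+/\d+\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<kind>Route Announcement|Route Withdrawal|Path Change)\s+(?P<rest>.+)$"
)
_PATH = r"\d+(?:\s+\d+)*"
_VANTAGE = r"(?P<rrc>rrc\d+)\s+(?P<peer>\d+(?:\.\d+){3})"  # collector + peer router
_ANNOUNCE = re.compile(rf"^(?P<path>{_PATH})\s+{_VANTAGE}$")
_WITHDRAW = re.compile(rf"^\(\s*(?P<path>{_PATH})\s*\)\s+{_VANTAGE}$")
_CHANGE = re.compile(rf"^from\s+(?P<path>{_PATH})\s+{_VANTAGE}\s+to\s+(?P<new>{_PATH})$")


@dataclass
class Event:
    ts: str
    kind: str
    collector: str                       # RIS collector, e.g. rrc01
    peer: str                            # peer router that reported the event
    path: List[int]                      # announced path, or the path before the change/withdrawal
    new_path: Optional[List[int]] = None  # only for Path Change


def _asns(text: str) -> List[int]:
    return [int(a) for a in text.split()]


def parse_event(line: str) -> Optional[Event]:
    """Parse one joined BGPlay event line; return None for anything else."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    kind, rest = m["kind"], m["rest"]
    if kind == "Route Announcement":
        r = _ANNOUNCE.match(rest)
        return Event(m["ts"], kind, r["rrc"], r["peer"], _asns(r["path"])) if r else None
    if kind == "Route Withdrawal":
        r = _WITHDRAW.match(rest)
        return Event(m["ts"], kind, r["rrc"], r["peer"], _asns(r["path"])) if r else None
    r = _CHANGE.match(rest)
    return Event(m["ts"], kind, r["rrc"], r["peer"], _asns(r["path"]), _asns(r["new"])) if r else None


def origin_as(path: List[int]) -> int:
    # The rightmost ASN is the origin; prepending (25228 25228 ...) repeats it but does not change it.
    return path[-1]


def classify(ev: Event, expected: Set[int]) -> Tuple[str, Optional[int]]:
    """Return (verdict, origin now visible at this vantage point)."""
    if ev.kind == "Route Withdrawal":
        return ("recovery" if origin_as(ev.path) not in expected else "ok", None)
    now = origin_as(ev.new_path if ev.kind == "Path Change" else ev.path)
    if now not in expected:
        return ("hijack", now)
    if ev.kind == "Path Change" and origin_as(ev.path) not in expected:
        return ("recovery", now)
    return ("ok", now)


def analyse(text: str, prefix: str) -> dict:
    """Walk the events in order and track the origin each collector peer currently sees."""
    expected = EXPECTED_ORIGINS[prefix]
    findings, state = [], {}  # state: (collector, peer) -> visible origin ASN
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        verdict, now = classify(ev, expected)
        key = (ev.collector, ev.peer)
        if now is None:
            state.pop(key, None)       # route withdrawn at this vantage point
        else:
            state[key] = now
        findings.append((ev.ts, ev.collector, ev.peer, ev.kind, verdict, now))
    still_bad = sorted(k for k, o in state.items() if o not in expected)
    return {"findings": findings, "still_hijacked": still_bad}


if __name__ == "__main__":
    report = analyse(SAMPLE_EVENTS, "194.9.82.0/24")
    for ts, rrc, peer, kind, verdict, now in report["findings"]:
        print(f"{ts} {rrc} {peer:16} {kind:18} {verdict:9} origin={now}")
    print("vantage points still preferring an unexpected origin:", report["still_hijacked"])
```

The same walk can be fed a live stream of collector updates; the `still_hijacked` list is empty exactly when every reporting peer has either withdrawn the unexpected path or returned to a path ending in the expected origin, which is the signal to look for after asking the announcing network to withdraw.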