[nsp-sec] Cogent hijacking many Israeli IPs

Aaron Weintraub aweintraub at cogentco.com
Wed Apr 1 12:02:13 EDT 2009


On Wed, Apr 01, 2009 at 01:25:01PM +0000, John Fraizer wrote:
> 
> It's definitely Cogent leaking DDoS-RS data.  I just spot-checked a
> couple from our feed and sure enough, there is 174 leaking them:
> 
> 2009-04-01 10:34:51	65334	12.176.2.53/32	12.128.0.0/9	7018	10565 174 65334
> 
> 2009-04-01 10:34:51	65334	64.34.183.88/32	64.34.176.0/21	30099	13768
> 12050	10565 174 65334

So I've looked at the only location on our network where we peer with 10565. 
That peer has been up for 4 weeks, and tacacs accounting log shows no
changes today at all.  I've also verified that our standard route-map for
sending routes to customers is and was in place.

A spot check of the routes shows that we do have the route with the 65534
origin and are not sending it to anybody externally.

mpd01.sjc01#sh ip bg 12.176.2.53/32
Load for five secs: 5%/1%; one minute: 7%; five minutes: 8%
Time source is NTP, 15:27:59.587 UTC Wed Apr 1 2009
BGP routing table entry for 12.176.2.53/32, version 117129500
Paths: (1 available, best #1, table default)
Multipath: eBGP iBGP
  Advertised to update-groups:
     3
  65334
    10.255.255.255 (metric 100) from 154.54.4.59 (154.54.4.59)
      Origin IGP, localpref 150, valid, internal, best
      Community: 174:12321
      Originator: 66.28.1.253, Cluster list: 154.54.4.59

mpd01.sjc01#sh ip bg 64.34.183.88/32
Load for five secs: 10%/1%; one minute: 6%; five minutes: 8%
Time source is NTP, 15:28:19.427 UTC Wed Apr 1 2009
BGP routing table entry for 64.34.183.88/32, version 115507113
Paths: (1 available, best #1, table default)
Multipath: eBGP iBGP
  Advertised to update-groups:
     3
  65334
    10.255.255.255 (metric 100) from 154.54.4.59 (154.54.4.59)
      Origin IGP, localpref 150, valid, internal, best
      Community: 174:12321
      Originator: 66.28.1.253, Cluster list: 154.54.4.59

Update-group 3 on this router is our internal distribution to other routers
in the site:
mpd01.sjc01#sh ip bg update-group 3
Load for five secs: 10%/0%; one minute: 11%; five minutes: 8%
Time source is NTP, 15:54:43.197 UTC Wed Apr 1 2009

BGP version 4 update-group 3, internal, Address Family: IPv4 Unicast
  BGP Update version : 123246693/0, messages 0
  Route-Reflector Client
  Community attribute sent to this neighbor
  Route map for outgoing advertisements is internal-out
  Update messages formatted 40413734, replicated 80498615
  Number of NLRIs in the update sent: max 520, min 0
  Minimum time between advertisement runs is 0 seconds
  Has 3 members (* indicates the members currently being sent updates):
   66.28.1.160      66.28.1.81       66.28.1.84

(all of our backbone devices are 66.28.1.*)

Our outbound policy to customers would have denied this in 3 ways - by
prefix length, by not having the right community set for export to
customers, and by a default policy to not announce anything else.

I've hard cleared the peer with this neighbor and re-verified that we are
not sending the route.

At this point, my only two ideas are 1) This is some new elaborate April
Fool's joke on us (ha-ha) or 2) we have found some really interesting new
bug.  Either explanation would suffice.

If anyone has an accurate announce/withdrawal time of this route, that would
greatly assist us in tracking this down so we can find the root cause.

-aw
Aaron Weintraub
Cogent Communications
202-295-4259
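Added example, not part of the archived thread: a small Python checker that parses lines in the feed layout quoted above (tab-separated timestamp, origin AS, prefix, covering prefix, covering-prefix origin AS, AS path; the column meaning is an assumption) and flags more-specific routes originated by a private ASN, naming the AS adjacent to the origin in the path as the one propagating them. The sample lines are constructed from the two quoted entries plus a benign one.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the tab-separated layout of the quoted feed lines:
# timestamp, origin AS, prefix, covering prefix, covering-prefix origin, AS path.
SAMPLE_FEED = (
    "2009-04-01 10:34:51\t65334\t12.176.2.53/32\t12.128.0.0/9\t7018\t10565 174 65334\n"
    "2009-04-01 10:34:51\t65334\t64.34.183.88/32\t64.34.176.0/21\t30099\t"
    "13768 12050 10565 174 65334\n"
    # Constructed benign entry: a public origin announcing the covering prefix itself.
    "2009-04-01 10:35:02\t7018\t12.128.0.0/9\t12.128.0.0/9\t7018\t10565 174 7018\n"
)

@dataclass
class FeedEntry:
    timestamp: str
    origin: int
    prefix: ipaddress.IPv4Network
    covering: ipaddress.IPv4Network
    covering_origin: int
    path: list  # AS path as seen by the collector, origin AS last

def is_private_asn(asn: int) -> bool:
    """16-bit private ASN range (RFC 6996); 65334 falls inside it."""
    return 64512 <= asn <= 65534

def parse_feed(text: str) -> list:
    """Parse feed lines into FeedEntry objects, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, origin, prefix, covering, cov_origin, path = line.split("\t")
        entries.append(FeedEntry(ts, int(origin),
                                 ipaddress.ip_network(prefix, strict=False),
                                 ipaddress.ip_network(covering, strict=False),
                                 int(cov_origin), [int(a) for a in path.split()]))
    return entries

def find_leaks(entries: list) -> list:
    """Return (prefix, origin, neighbor) for each more-specific route whose origin
    is a private ASN; neighbor is the AS adjacent to the origin in the path."""
    leaks = []
    for e in entries:
        more_specific = e.prefix.subnet_of(e.covering) and e.prefix.prefixlen > e.covering.prefixlen
        if is_private_asn(e.origin) and more_specific:
            neighbor = e.path[-2] if len(e.path) >= 2 else None
            leaks.append((str(e.prefix), e.origin, neighbor))
    return leaks

if __name__ == "__main__":
    for prefix, origin, neighbor in find_leaks(parse_feed(SAMPLE_FEED)):
        print(f"{prefix} originated by private AS{origin}, propagated via AS{neighbor}")
```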
