--On Tuesday, August 26, 2003 9:35 AM -0400 Leo Bicknell <bicknell@ufp.org> wrote:
> Almost everyone filters customers. The large ISPs all have the same
> opinion, if small to medium sized players abuse the system

I wish this was true but it is not!!!

In particular I call your attention to Qwest. Their customer in LA with AS29809 was announcing IP block 138.252.0.0/16, which is a hijacked IP block, see details at http://www.completewhois.com/hijacked/files/138.252.0.0.txt

It took us a little time to find out who to report it to because the amount of abuse was small and all traceroutes were faked, here is part of it as it was several days ago:

 8 204.255.169.138 (204.255.169.138) 33.299 ms 28.885 ms 30.188 ms
 9 bur-core-01.inet.qwest.net (205.171.13.9) 35.992 ms 28.280 ms
10 bux-edge-01.inet.qwest.net (205.171.13.174) 32.468 ms 30.766 ms
11 tbr1-p012201.la2ca.ip.att.net (12.123.28.130) 40.104 ms <-- Faked here
12 gbr4-p20.sffca.ip.att.net (12.122.2.69) 51.680 ms 52.195 ms 50.259
13 gbr6-p70.sffca.ip.att.net (12.122.5.153) 62.751 ms 61.256 ms
14 ar2-p3110.sfcca.ip.att.net (12.123.195.81) 71.827 ms 71.376 ms
15 12.119.200.38 (12.119.200.38) 83.024 ms 82.612 ms 82.004 ms
16 203.148.164.170 (203.148.164.170) 89.747 ms 92.942 ms 87.614 ms
17 203.148.164.228 (203.148.164.228) 103.087 ms 99.536 ms 99.910 ms
18 svoa-bkk.a-net.net.th (203.148.200.145) 1104.594 ms 1098.491 ms
19 138.252.0.1 (138.252.0.1) 33.634 ms 33.220 ms 32.514 ms

And that is when "sh ip bgp" was showing:

8001 7911 209 29809
6395 1239 209 29809
5650 1239 209 29809

From above everything starting with 11 was faked and once this was realized Qwest security was notified and they even said the IP block will be filtered and indeed it was for 1 day!!! But apparently they just started advertising smaller 138.252.0.0/21 IP block from exactly same Qwest POP in Burbank, CA but with new faked traceroute:

traceroute to 138.252.0.10 (138.252.0.10), 30 hops max, 38 byte packets
...
 5 qwest.sjc03.atlas.psi.net (154.54.10.154) 1.988 ms 1.264 ms 1.243 ms
 6 svl-core-01.inet.qwest.net (20r.171.214.41) 2.526 ms 2.229 ms 2.383 ms
 7 sbur-core-02.inet.qwest.net (205.171.5.217) 9.491 ms 9.519 ms 9.494 ms
 8 bux-edge-01.inet.qwest.net (205.171.13.178) 9.514 ms 9.860 ms 9.467 ms
 9 * * *
10 obl-rou-1003.NL.eurorings.net (134.222.229.238) 22.436 ms 18.489 ms
11 ffm-s1-rou-1002.DE.eurorings.net (134.222.230.30) 40.087 ms 47.130
12 ksrh-s1-rou-1071.DE.eurorings.net (134.222.227.86) 39.634 ms 38.361
13 ksrh-s1-rou-1072.DE.eurorings.net (134.222.227.74) 40.083 ms 42.067
14 r1-ka.strato.cust.eurorings.net (134.222.102.18) 39.853 ms 39.022 ms
15 81.169.144.22 (81.169.144.22) 39.770 ms 43.874 ms 39.956 ms
16 81.169.144.38 (81.169.144.38) 60.088 ms 59.179 ms 60.091 ms
17 lb1.webmailer.de (192.67.198.246) 70.123 ms 76.9934ms 69.991 ms

router#sh ip bgp 138.252.0.1
BGP routing table entry for 138.252.0.0/21, version 10503636
Paths: (2 available, best #1, not advertised outside local AS)
  16631 174 209 29809
    216.151.223.17 (metric 65) from 216.151.223.17
      Origin IGP, metric 1000000, localpref 100, weight 500, valid, internal, best
      Community: 16631:1000 local-AS
  6347 701 209 29809
    209.144.160.89 from 209.144.160.89 (209.83.159.23)
      Origin IGP, localpref 100, weight 10, valid, external
      Community: 6347:1023 6347:5000 6347:5001 local-AS

I'm pretty sure Qwest is doing something wrong by allowing such open BGP announcements from their customers without checking what they would be announcing. Instead of putting filters as "allow all" and then adding filtering only for 138.252.0.0/16 when they were contacted, they instead should have filtered all announcements except for the specific ones the customer asked for and was authorized. And I do hope there is somebody from Qwest here who can deal with this issue and educate on proper filtering whoever is responsible for their BGP router in Burbank.

Also as for this particular case, I'll strongly advise to just filter AS29809 entirely. I have serious doubts about whoever controls this ASN and have done the research on it (see above referenced file) and it appears the addresses at ARIN are all wrong (I have some doubts about Trimeda being located on the grounds of Mormon Temple for example...) and have been recently changed from a completely different set of addresses, and besides it would have been enough that AS29809 only advertises this particular hijacked IP block (and nothing else!) and they on purpose fake traceroute to their AS to move blame away from themselves.
> Just a shame that not everyone filters their customers. And although it
> has been a while, I know I've seen a route-leak from 6461 at AMS-IX.
> (Probably last year sometime)
Indeed it really is a shame, especially when it's large players like Qwest who do not filter their customers; how can you expect it from smaller European networks where peering seems to be a lot easier to set up...

--
William Leibzon
Elan Networks
william@elan.net
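The two customer-filtering policies contrasted in the message above ("allow all, then deny the one prefix somebody complained about" versus "allow only the specific prefixes the customer asked for and was authorized"), as an added Python example that is not from the post or from any Qwest configuration. The announcements and AS paths are taken from the post; the authorized prefix 198.51.100.0/24 and the per-customer authorization table are constructed assumptions, since the post does not say what AS29809 was actually authorized to announce.

```python
import ipaddress

# Constructed sample announcements seen from the customer (prefixes and AS
# paths as quoted in the post, plus one assumed legitimate prefix).
ANNOUNCEMENTS = [
    ("138.252.0.0/16", "8001 7911 209 29809"),
    ("138.252.0.0/21", "16631 174 209 29809"),
    ("198.51.100.0/24", "209 29809"),   # assumed: the customer's own block
]

def origin_as(as_path):
    """The origin AS is the last ASN in the AS_PATH string."""
    return int(as_path.split()[-1])

def deny_list_filter(prefix, denied):
    """'Allow all' with exact-match deny entries added after complaints.
    A more specific of a denied prefix is not matched and slips through."""
    return prefix not in denied

def allow_list_filter(prefix, as_path, customer_asn, authorized):
    """Per-customer allow-list: accept only when the announced prefix lies
    inside an authorized prefix, is not longer than that entry's maximum
    length, and is originated by the customer's own ASN. Else reject."""
    net = ipaddress.ip_network(prefix)
    if origin_as(as_path) != customer_asn:
        return False
    for auth_prefix, max_len in authorized.items():
        if net.subnet_of(ipaddress.ip_network(auth_prefix)) and net.prefixlen <= max_len:
            return True
    return False

def evaluate(policy):
    """Return {prefix: accepted} for every constructed announcement."""
    denied = ["138.252.0.0/16"]            # what got added after the report
    authorized = {"198.51.100.0/24": 24}   # assumed customer authorization
    result = {}
    for prefix, path in ANNOUNCEMENTS:
        if policy == "deny-list":
            result[prefix] = deny_list_filter(prefix, denied)
        else:
            result[prefix] = allow_list_filter(prefix, path, 29809, authorized)
    return result

if __name__ == "__main__":
    for policy in ("deny-list", "allow-list"):
        print(policy, evaluate(policy))
```

Under the deny-list policy the more specific 138.252.0.0/21 is still accepted, which is exactly what the post reports happening after the /16 was filtered.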