It looks like nLayer have routes learned through Moratel which have local-pref set to anywhere up to 250 (learned from private peers), while the routes learned from direct peering relationships to Google on public peering have a local-pref of 200. This explains why the routes from Moratel would have been preferred during the period when they were being leaked, despite the shorter as-path (but doesn't explain why they weren't being filtered). On 07.11.2012 16:33, Hank Nussbacher wrote:
At 21:21 06/11/2012 -0800, Jian Gu wrote:
If Google announces 8.8.8.0/24 to you and you in turn start announcing to the Internet 8.8.8.0/24 as originating from you, then a certain section of the Internet will believe your announcement over Google's. This has happened many times before due to improper filters, but this is the first time I have seen the victim being blamed. Interesting concept.
-Hank
I don't know what Google and Moratel's peering agreement, but "leak"? educate me, Google is announcing /24 for all of their 4 NS prefix and 8.8.8.0/24 for their public DNS server, how did Moratel leak those routes to Internet?
On Tue, Nov 6, 2012 at 9:13 PM, Patrick W. Gilmore <patrick@ianai.net>wrote:
On Nov 07, 2012, at 00:07 , Jian Gu <guxiaojian@gmail.com> wrote:
Where did you get the idea that a Moratel customer announced a google-owned prefix to Moratel and Moratel did not have the proper filters in place? according to the blog, all google's 4 authoritative DNS server networks and 8.8.8.0/24 were wrongly routed to Moratel, what's the possiblity for a Moratel customers announce all those prefixes?
Ah, right, they just leaked Google's prefix. I thought a customer originated the prefix.
Original question still stands. Which attribute do you expect Google to set to stop this?
Hint: Don't say No-Advertise, unless you want peers to only talk to the adjacent AS, not their customers or their customers' customers, etc.
Looking forward to your answer.
-- TTFN, patrick
On Tue, Nov 6, 2012 at 9:02 PM, Patrick W. Gilmore <patrick@ianai.net wrote:
On Nov 06, 2012, at 23:48 , Jian Gu <guxiaojian@gmail.com> wrote:
What do you mean hijack? Google is peering with Moratel, if Google does not want Moratel to advertise its routes to Moratel's peers/upstreams, then Google should've set the correct BGP attributes in the first place.
That doesn't make the slightest bit of sense.
If a Moratel customer announced a Google-owned prefix to Moratel, and Moratel did not have the proper filters in place, there is nothing Google could do to stop the hijack from happening.
Exactly what attribute do you think would stop this?
-- TTFN, patrick
On Tue, Nov 6, 2012 at 3:35 AM, Anurag Bhatia <me@anuragbhatia.com> wrote:
> Another case of route hijack - >
http://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about
> > > > I am curious if big networks have any pre-defined filters for big content > providers like Google to avoid these? I am sure internet community would be > working in direction to somehow prevent these issues. Curious to know > developments so far. > > > > > Thanks. > > > -- > > Anurag Bhatia > anuragbhatia.com > > Linkedin <http://in.linkedin.com/in/anuragbhatia21> | > Twitter<https://twitter.com/anurag_bhatia>| > Google+ <https://plus.google.com/118280168625121532854> >