Regarding smaller prefix for hijack protection
Hello everyone!

I tried looking on the net but couldn't find a direct answer, so thought to ask here for some advice.

Is using /24 a must to protect (a bit) against route hijacking? We all remember the case of YouTube in 2008 and the hijacking in Pakistan. At that time YouTube was using a /22 and thus the /24 (more specific) announcement took almost all of Google's traffic even when the AS path was long. So Google's direct also likely sent packets to Pakistan. Later Google too used /24 (and I guess /25 too, to affect some region of the internet). A similar case I remember was the issue reported between Altus and a hijacking by someone connected to the Cleveland exchange, when the ISP was using a /23 and the spammer used a /24.

So can we conclude that one should always use /24 to make sure that they lose as little traffic as possible during a prefix hijacking?

Also, if one uses a /22 and a /24, will both prefixes show in the global routing table? I know the /24 will be preferred, but will ISPs see the /22 as well, or will it pop up only when the /24 is filtered?

For one of Google.com's IPs, it seems it is coming from a /16 and a /24:
http://bgp.he.net/ip/74.125.224.137

How can one print a similar result from a route server like, say, Oregon Route Views or any ISP's server? I always get the /24 when looking for that IP. (In simple words: how does bgp.he.net do this magic of popping up both prefixes? I failed to get the same result from HE's route server.)

Thanks!

--
Anurag Bhatia
anuragbhatia.com
Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter <https://twitter.com/anurag_bhatia> | Google+ <https://plus.google.com/118280168625121532854>
You might find your /24 routes filtered out at a lot of places that do have sensible route filtering.

But then yes, it'd protect you against the idiots who don't know BGP from a hole in the ground anyway and let whatever hijacking happen.

But I'd suggest making any such announcement if and only if you see a hijack, as a mitigation measure.

On Thu, Aug 30, 2012 at 5:24 PM, Anurag Bhatia <me@anuragbhatia.com> wrote:
> Hello everyone!
>
> I tried looking on the net but couldn't find a direct answer, so thought to ask here for some advice.
>
> Is using /24 a must to protect (a bit) against route hijacking? We all remember the case of YouTube in 2008 and the hijacking in Pakistan. At that time YouTube was using a /22 and thus the /24 (more specific) announcement took almost all of Google's traffic even when the AS path was long. So Google's direct also likely sent packets to Pakistan. Later Google too used /24 (and I guess /25 too, to affect some region of the internet). A similar case I remember was the issue reported between Altus and a hijacking by someone connected to the Cleveland exchange, when the ISP was using a /23 and the spammer used a /24.
>
> So can we conclude that one should always use /24 to make sure that they lose as little traffic as possible during a prefix hijacking?
>
> Also, if one uses a /22 and a /24, will both prefixes show in the global routing table? I know the /24 will be preferred, but will ISPs see the /22 as well, or will it pop up only when the /24 is filtered?
>
> For one of Google.com's IPs, it seems it is coming from a /16 and a /24:
> http://bgp.he.net/ip/74.125.224.137
>
> How can one print a similar result from a route server like, say, Oregon Route Views or any ISP's server? I always get the /24 when looking for that IP. (In simple words: how does bgp.he.net do this magic of popping up both prefixes? I failed to get the same result from HE's route server.)
>
> Thanks!
>
> --
> Anurag Bhatia
> anuragbhatia.com
> Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter <https://twitter.com/anurag_bhatia> | Google+ <https://plus.google.com/118280168625121532854>
-- Suresh Ramasubramanian (ops.lists@gmail.com)
Or better: sign your prefixes and create ROAs to monitor any suspicious activity.

There is an app for that: http://bgpmon.net

Besides the normal service you can also use RPKI data to trigger alarms of possible hijacks:
http://www.labs.lacnic.net/rpkitools/looking_glass/

You can query it periodically with a simple curl/wget to see if your prefix is valid or invalid (possibly hijacked), e.g.
http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.7.84.0/...

Polluting the routing table to protect against hijacks should be the last option, used against an attack that is happening, and not "just in case".

Regards,
/as

On 30 Aug 2012, at 08:00, Suresh Ramasubramanian wrote:
> You might find your /24 routes filtered out at a lot of places that do have sensible route filtering.
>
> But then yes, it'd protect you against the idiots who don't know BGP from a hole in the ground anyway and let whatever hijacking happen.
>
> But I'd suggest making any such announcement if and only if you see a hijack, as a mitigation measure.
On Thu, 30 Aug 2012, Anurag Bhatia wrote:
> I tried looking on the net but couldn't find a direct answer, so thought to ask here for some advice.
>
> Is using /24 a must to protect (a bit) against route hijacking? We all remember the case of YouTube in 2008 and the hijacking in Pakistan. At that time YouTube was using a /22 and thus the /24 (more specific) announcement took almost all of Google's traffic even when the AS path was long. So Google's direct also likely sent packets to Pakistan. Later Google too used /24 (and I guess /25 too, to affect some region of the internet). A similar case I remember was the issue reported between Altus and a hijacking by someone connected to the Cleveland exchange, when the ISP was using a /23 and the spammer used a /24.
>
> So can we conclude that one should always use /24 to make sure that they lose as little traffic as possible during a prefix hijacking?
As an exercise, grab a copy of the global routing table, convert all shorter-than-/24 networks into /24s and tell us: how big is your hijack-resistant global table now? How many networks will be unable to handle it because it overflows their routers' route table capacity?

In short, no...you/everyone should not announce all their space as /24s just in case someone tries to, or accidentally does, hijack some of their space. Your solution does not scale.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
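To actually run the exercise Jon describes, here is an added Python example (not code from the thread or from anyone in it). The table below is a constructed six-line sample built from documentation and shared-address ranges (RFC 5737, RFC 6598), not a real DFZ dump; feed `parse_table` a real one-prefix-per-line export to get the real number. The function collapses overlapping entries first, so a /22 that already has a /24 announced inside it is counted as four /24s rather than five, and it counts anything longer than /24 as the /24 covering it, since most DFZ filters drop longer prefixes anyway.

```python
"""Size of a fully deaggregated (/24-only) IPv4 table.

Added example for the thread above; not code from the original posts.
SAMPLE_TABLE is constructed from RFC 5737 / RFC 6598 ranges.
"""
import ipaddress

# Constructed sample: one prefix per line, as you would get from a route
# server dump with everything but the prefix column stripped off.
SAMPLE_TABLE = """\
198.51.100.0/22
198.51.100.0/24
203.0.113.0/24
192.0.2.0/25
192.0.2.128/25
100.64.0.0/10
"""


def parse_table(text):
    """Return the IPv4 networks listed in text, skipping blank lines,
    comments and anything that is not IPv4."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net = ipaddress.ip_network(line, strict=False)
        if net.version == 4:
            nets.append(net)
    return nets


def deaggregated_size(nets):
    """Number of /24 routes needed to cover the same address space.

    collapse_addresses() drops entries that are subnets of other entries
    and merges adjacent ones, so a /22 plus a /24 inside it yields 4, not 5,
    and two adjacent /25s yield 1.  Prefixes of /24 or longer count once per
    covering /24.  Shorter prefixes contribute 2**(24 - len) without
    materialising every /24, so a real table does not exhaust memory.
    """
    count = 0
    small = set()
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen < 24:
            count += 2 ** (24 - net.prefixlen)
        else:
            small.add(net.supernet(new_prefix=24))
    return count + len(small)


def growth_factor(nets):
    """How many times larger the table becomes, as Jon's exercise asks."""
    return deaggregated_size(nets) / len(nets)


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print(len(table), "routes today ->", deaggregated_size(table), "/24s")
    print("growth factor", round(growth_factor(table), 1))
```

On the six-line sample the table grows from 6 entries to 16390, almost all of it from the single /10; a real table is dominated the same way by its /8s and /9s.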
On Thu, Aug 30, 2012 at 7:54 AM, Anurag Bhatia <me@anuragbhatia.com> wrote:
> Is using /24 a must to protect (a bit) against route hijacking?
Hi Anurag,

Not only is it _not_ a must, it doesn't work and it impairs your ability to detect the fault.

In a route hijacking scenario, traffic for a particular prefix will flow to the site with the shortest AS path from the origin. Your /24 competes with their /24. Half the Internet, maybe more, maybe less depending on how well connected each of you are, will be inaccessible to you. The fault presents as a partial outage: you can get to everything nearby, but the further away the customer is, the worse chance he has of reaching you. Since there are lots of partial outages on the Internet and BGP hijacks are rare, your customer support team won't take the first couple of calls seriously. "I can reach it from our test ISP, so the problem must lie with your ISP. Sorry."

On the flip side, if you announce a covering route and someone hijacks with a /24, all traffic follows the most specific route: the hijacker. You detect this condition pretty much immediately, at which point you can collide him with a /24 announcement while contacting him and his peers to get the offending announcement killed.
> Also, if one uses a /22 and a /24, will both prefixes show in the global routing table? I know the /24 will be preferred, but will ISPs see the /22 as well, or will it pop up only when the /24 is filtered?
Unless one of the transit providers is behaving badly or you use BGP communities to explicitly limit propagation of the announcement, all routers in the default-free zone (DFZ, aka Internet core) will see both the /22 and the /24 in their routing information base (RIB). When this is processed into the forwarding information base (FIB) only one next hop will be selected: the one from the /24.

A number of very smart people have sought an algorithm to allow intermediate nodes to aggregate the /24 into the /22 without damaging the network (black holes). No such algorithm has been identified. As near as anyone can figure, only the source of the announcement can safely aggregate it.

On the other hand, if you announce, say, the /24 via multiple ISPs, most routers will only see the path to one of them (the closest one) at any given time. When a router reannounces the path to you via BGP to its peers, it only offers the path it selected as best for that particular prefix.

A fair bit of traffic engineering is based on announcing a covering route to everybody (the /22 in your example) and then announcing a more specific (the /24) to a particular ISP peer with a set of community strings attached that tells the ISP to only propagate the route to specific peers.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
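As an added illustration of Bill's two points (both routes sit in the RIB while the FIB programs one next hop, and a /24 competing with a hijacker's /24 is decided on AS-path length), here is a toy Python model. It is example code written for this page, not anything posted in the thread; the prefixes are RFC 5737 documentation ranges, the AS numbers come from the 64496-64511 documentation block, and the topology is constructed. It also answers Anurag's earlier bgp.he.net question: `covering_routes` lists every prefix in the RIB that contains an address, which is what that page shows, whereas a route server's plain `show ip bgp <address>` returns only the longest match.

```python
"""Toy BGP RIB/FIB model: covering route vs. more-specific, and /24 vs. /24.

Added example, not code from the thread.  Prefixes are RFC 5737 ranges,
AS numbers are from the 64496-64511 documentation block, topology is made up.
"""
import ipaddress
from collections import defaultdict

VICTIM_AS = 64496
HIJACKER_AS = 64511


class Router:
    """RIB keeps every path heard per prefix; FIB keeps one best path."""

    def __init__(self):
        self.rib = defaultdict(list)  # network -> [as_path tuple, ...]

    def learn(self, prefix, as_path):
        """Install a path as a neighbour announced it: the first AS is the
        neighbour we heard it from, the last AS is the origin."""
        self.rib[ipaddress.ip_network(prefix)].append(tuple(as_path))

    def best_path(self, net):
        """Cut-down BGP decision process: shortest AS path wins, lowest
        neighbour AS as a deterministic tie-break."""
        return min(self.rib[net], key=lambda p: (len(p), p[0]))

    def fib(self):
        """What gets programmed into forwarding: one path per prefix."""
        return {net: self.best_path(net) for net in self.rib}

    def covering_routes(self, ip):
        """Every RIB prefix containing ip, most specific first (the view
        bgp.he.net gives; a route server's longest-match lookup shows only
        the first element)."""
        addr = ipaddress.ip_address(ip)
        return sorted((n for n in self.rib if addr in n),
                      key=lambda n: n.prefixlen, reverse=True)

    def forward(self, ip):
        """Longest-prefix match in the FIB; returns (prefix, origin AS)."""
        net = self.covering_routes(ip)[0]
        return str(net), self.fib()[net][-1]

    def export(self, my_as):
        """What this router re-announces to its peers: only the path it
        selected as best for each prefix, with its own AS prepended."""
        return {str(n): (my_as,) + p for n, p in self.fib().items()}


def covering_route_case():
    """Victim announces only the /22; hijacker announces a /24 inside it.
    Even four hops away, the more-specific route takes the traffic."""
    r = Router()
    r.learn("198.51.100.0/22", [64500, VICTIM_AS])
    r.learn("198.51.100.0/24", [64501, 64502, 64503, HIJACKER_AS])
    return r


def counter_announce_case():
    """Same router after the victim collides the hijacker with its own /24.
    Now the two /24s compete on AS-path length alone."""
    r = covering_route_case()
    r.learn("198.51.100.0/24", [64500, VICTIM_AS])
    return r


def competing_24s(victim_path, hijacker_path):
    """Origin AS that wins at a router hearing the same /24 via both paths."""
    r = Router()
    r.learn("198.51.100.0/24", victim_path)
    r.learn("198.51.100.0/24", hijacker_path)
    return r.forward("198.51.100.77")[1]


if __name__ == "__main__":
    r = covering_route_case()
    print("RIB prefixes:", [str(n) for n in r.covering_routes("198.51.100.77")])
    print("FIB chooses :", r.forward("198.51.100.77"))
    print("after /24   :", counter_announce_case().forward("198.51.100.77"))
    print("far router  :", competing_24s([64500, 64504, 64505, VICTIM_AS],
                                         [64501, HIJACKER_AS]))
```

`competing_24s` is the "half the Internet" effect: a router two hops from the victim and three from the hijacker forwards to the victim, a router with the distances reversed forwards to the hijacker, and nothing about the announcement itself decides which half a given customer lands in.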
On Thu, Aug 30, 2012 at 8:41 AM, William Herrin <bill@herrin.us> wrote:
> On Thu, Aug 30, 2012 at 7:54 AM, Anurag Bhatia <me@anuragbhatia.com> wrote:
> > Is using /24 a must to protect (a bit) against route hijacking?
>
> Hi Anurag,
>
> Not only is it _not_ a must, it doesn't work and it impairs your ability to detect the fault.
>
> In a route hijacking scenario, traffic for a particular prefix will flow to the site with the shortest AS path from the origin. Your /24 competes with their /24. Half the Internet, maybe more, maybe less depending on how well connected each of you are, will be inaccessible to you.
Preventively there seems to be no utility to this.

Reactively, after a hijacking starts, has anyone tried announcing both (say) /24s for the block and (say) 2x /25s for it as well, to get more specific under the hijacker? Yes, a lot of places will filter and ignore, but those that don't ...

(Yes, sign your prefixes now, on general principles)

--
-george william herbert
george.herbert@gmail.com
I didn't realize the routing table size problem with /24s. Stupid me.

Thanks everyone for the updates. Appreciate the good answers.

On Fri, Aug 31, 2012 at 4:18 AM, George Herbert <george.herbert@gmail.com> wrote:
> On Thu, Aug 30, 2012 at 8:41 AM, William Herrin <bill@herrin.us> wrote:
> > On Thu, Aug 30, 2012 at 7:54 AM, Anurag Bhatia <me@anuragbhatia.com> wrote:
> > > Is using /24 a must to protect (a bit) against route hijacking?
> >
> > Hi Anurag,
> >
> > Not only is it _not_ a must, it doesn't work and it impairs your ability to detect the fault.
> >
> > In a route hijacking scenario, traffic for a particular prefix will flow to the site with the shortest AS path from the origin. Your /24 competes with their /24. Half the Internet, maybe more, maybe less depending on how well connected each of you are, will be inaccessible to you.
>
> Preventively there seems to be no utility to this.
>
> Reactively, after a hijacking starts, has anyone tried announcing both (say) /24s for the block and (say) 2x /25s for it as well, to get more specific under the hijacker? Yes, a lot of places will filter and ignore, but those that don't ...
>
> (Yes, sign your prefixes now, on general principles)
>
> --
> -george william herbert
> george.herbert@gmail.com
--
Anurag Bhatia
anuragbhatia.com
Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter <https://twitter.com/anurag_bhatia> | Google+ <https://plus.google.com/118280168625121532854>
The thing to acknowledge is that you've realized it; otherwise, if you follow the CIDR report, you will find a bunch of arrogant folks/SPs not willing to understand the dilemma they are causing through de-aggregation.

Regards,
Aftab A. Siddiqui

On Tue, Sep 4, 2012 at 10:19 AM, Anurag Bhatia <me@anuragbhatia.com> wrote:
> I didn't realize the routing table size problem with /24s. Stupid me.
>
> Thanks everyone for the updates. Appreciate the good answers.
This seems like an opportune time to remind people about RPKI-based origin validation as a hijack mitigation:
<http://tools.ietf.org/html/draft-ietf-sidr-pfx-validate-08>
<http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/15-2s/irg-origin-as.pdf>

I haven't run the numbers, but it seems like doing RPKI-based origin validation is probably a lot cheaper than upgrading routers to store a fully deaggregated route table :)

On Tue, Sep 4, 2012 at 12:29 PM, Aftab Siddiqui <aftab.siddiqui@gmail.com> wrote:
> The thing to acknowledge is that you've realized it; otherwise, if you follow the CIDR report, you will find a bunch of arrogant folks/SPs not willing to understand the dilemma they are causing through de-aggregation.
>
> Regards,
> Aftab A. Siddiqui
>
> On Tue, Sep 4, 2012 at 10:19 AM, Anurag Bhatia <me@anuragbhatia.com> wrote:
> > I didn't realize the routing table size problem with /24s. Stupid me.
> >
> > Thanks everyone for the updates. Appreciate the good answers.
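Arturo's suggestion earlier in the thread (create ROAs and alarm when your prefix shows up Invalid) and Richard's pointer to the pfx-validate draft describe the same check. As an added example (not code from either post, nor from the LACNIC looking glass or BGPmon), here it is in Python: the route origin validation algorithm from that draft (since published as RFC 6811), run offline against a constructed ROA set. Prefixes are RFC 5737 documentation ranges, the AS numbers are from the 64496-64511 documentation block, and `ROAS` and `OBSERVED` are made up for the example. One result is worth noticing given the rest of the thread: if you sign only your aggregate with maxLength equal to its own length, the emergency /24 you announce during a hijack comes out Invalid too, so set maxLength to allow exactly the more-specifics you plan to use, and no longer.

```python
"""Route origin validation (draft-ietf-sidr-pfx-validate, now RFC 6811).

Added example, not code from the thread.  ROAS and OBSERVED are constructed
from RFC 5737 prefixes and documentation ASNs.
"""
import ipaddress
from collections import namedtuple

ROA = namedtuple("ROA", "prefix max_length origin_as")


def roa(prefix, max_length, origin_as):
    return ROA(ipaddress.ip_network(prefix), max_length, origin_as)


# Constructed ROA set for the example.
ROAS = [
    # Holder signed only the /22 itself: no more-specifics allowed, not
    # even the holder's own.
    roa("198.51.100.0/22", 22, 64496),
    # Holder allows the /24 and its two /25s for traffic engineering.
    roa("203.0.113.0/24", 25, 64497),
]


def validate(prefix, origin_as, roas=ROAS):
    """Return "valid", "invalid" or "notfound".

    Covered: the route prefix lies inside the ROA prefix (maxLength ignored).
    Matched: covered, route length <= maxLength, and origin AS identical.
    valid if any ROA matches; invalid if covered but none match; notfound
    if no ROA covers it at all.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for r in roas:
        if r.prefix.version != route.version or not route.subnet_of(r.prefix):
            continue
        covered = True
        if route.prefixlen <= r.max_length and r.origin_as == origin_as:
            return "valid"
    return "invalid" if covered else "notfound"


def suspicious(observed, roas=ROAS):
    """The alarm Arturo describes: given (prefix, origin) pairs seen in the
    table, return the ones that come back invalid.  notfound is not an alarm;
    it only means nobody has signed that space yet."""
    return [(p, a) for p, a in observed if validate(p, a, roas) == "invalid"]


# Constructed observations: the legitimate routes plus a YouTube-2008-style
# more-specific from a stranger and a same-prefix announcement from a stranger.
OBSERVED = [
    ("198.51.100.0/22", 64496),
    ("198.51.100.0/24", 64511),   # more-specific hijack
    ("198.51.100.0/22", 64511),   # same prefix, wrong origin
    ("203.0.113.0/25", 64497),    # allowed more-specific
    ("203.0.113.128/26", 64497),  # holder's own route, but beyond maxLength
    ("192.0.2.0/24", 64500),      # nobody signed this
]

if __name__ == "__main__":
    for p, a in OBSERVED:
        print(f"{p:20} AS{a}  {validate(p, a)}")
    print("alarms:", suspicious(OBSERVED))
```

Note that `validate("198.51.100.0/24", 64496)` is Invalid under this ROA set even though 64496 is the legitimate holder: a ROA with maxLength 22 says nothing longer than the /22 is authorised, from anyone.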
On 30/08/12 12:54, Anurag Bhatia wrote:
> Is using /24 a must to protect (a bit) against route hijacking?
Announcing your, say, /19 as 32 /24s does not prevent someone from trying to hijack you; you will still get some disruption if someone tries, but you might limit the scope of their success or the scope of your perceived outage (which is why temporary shorter prefixes are announced in order to limit the effects of hijacks, including in the example you cited).

Far more useful to monitor and take evasive action in the event of a hijack.
> So can we conclude that one should always use /24 to make sure that they lose as little traffic as possible during a prefix hijacking?
There is not room for 4bn entries in the routing table. You deserve to be filtered off the net if you try this stunt!

Andy
participants (9)
- Aftab Siddiqui
- Andy Davidson
- Anurag Bhatia
- Arturo Servin
- George Herbert
- Jon Lewis
- Richard Barnes
- Suresh Ramasubramanian
- William Herrin