Re: prefix hijack by ASN 8997
--- tme@multicasttech.com wrote:
From: Marshall Eubanks <tme@multicasttech.com>
: You didn't specify the time zone you are in,
: so I looked at +- 1 day around it. If the
: hijack lasted 6 hours, we should have seen it.
My apologies, I just used the time zone the tool (bgplay.routeviews.org/bgplay) was using when I said:
22/9/2008 9:00:00 and 22/9/2008 15:00:00
I'm sure it was in GMT. Seeing the many responses, we now know something happened and it was only about 15 minutes in duration.
bgplay shows the problem with the above data and I was just wondering if I was understanding the impact correctly:
If the above two are correct, would it be correct to say only the downstream customers of ASN 3267 were affected?
I was not following the rules properly: never attribute to malice that which can be explained by human error. I thought there might be some testing-of-the-water in preparation for future 'events' and I guess I was starting to be trigger happy after all the talk about the new BGP attack.
scott
--- tme@multicasttech.com wrote:
From: Marshall Eubanks <tme@multicasttech.com>
To: surfer@mauigateway.com
Cc: <nanog@merit.edu>
Subject: Re: prefix hijack by ASN 8997
Date: Tue, 23 Sep 2008 07:51:36 -0400
On Sep 22, 2008, at 9:06 PM, Scott Weeks wrote:
I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia) in using ASN 3267 (Russian Federal University Network) to advertise our space to ASN 3277 (Regional University and Scientific Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).
Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put in prefix 72.234.0.0/15 and select the dates:
22/9/2008 9:00:00 and 22/9/2008 15:00:00
If so, am I understanding it correctly if I say ASN 3267 saw a shorter path from ASN 8997, so refused the proper announcement from ASN 36149 (me) it normally hears from ASN 174 (Cogent).
I cannot confirm that from the monitoring program at AS 16517 :
[tme@lennon mcast]$ grep 72.234.0.0 bgp.full.Sep_2*2008
bgp.full.Sep_21_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_21_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_21_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_21_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_23_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_23_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
You didn't specify the time zone you are in, so I looked at +- 1 day around it. If the hijack lasted 6 hours, we should have seen it.
Regards
Marshall
If the above two are correct, would it be correct to say only the downstream customers of ASN 3267 were affected?
scott
On Sep 23, 2008, at 8:15 AM, Scott Weeks wrote:
--- tme@multicasttech.com wrote:
From: Marshall Eubanks <tme@multicasttech.com>
: You didn't specify the time zone you are in,
: so I looked at +- 1 day around it. If the
: hijack lasted 6 hours, we should have seen it.
My apologies, I just used the time zone the tool (bgplay.routeviews.org/bgplay) was using when I said:
22/9/2008 9:00:00 and 22/9/2008 15:00:00
I'm sure it was in GMT. Seeing the many responses, we now know something happened and it was only about 15 minutes in duration.
These two times are separated by 6 hours exactly (0500 and 1100 EDT).
There is a positive report at 1330 Moscow time or 0930 UTC or 0530 EDT.
There is a positive report "a few minutes" before 0122 UTC - say 0115
There is a positive report at 1222091563 which I cannot interpret. (1222 UTC ?)
We have my negative reports at 0607 EDT and 1207 EDT, etc., or 1007 UTC and 1607 UTC, etc.
So (all times UTC)
0407 no
0900 yes
0930 yes
1007 no
1500 yes
1607 no
2207 no
0115 yes
0407 no
So, do you think this was lots of little tests / hijacks / mistakes ? Or did it just not propagate very far ?
Marshall
bgplay shows the problem with the above data and I was just wondering if I was understanding the impact correctly:
If the above two are correct, would it be correct to say only the downstream customers of ASN 3267 were affected?
I was not following the rules properly: never attribute to malice that which can be explained by human error. I thought there might be some testing-of-the-water in preparation for future 'events' and I guess I was starting to be trigger happy after all the talk about the new BGP attack.
scott
--- tme@multicasttech.com wrote:
From: Marshall Eubanks <tme@multicasttech.com>
To: surfer@mauigateway.com
Cc: <nanog@merit.edu>
Subject: Re: prefix hijack by ASN 8997
Date: Tue, 23 Sep 2008 07:51:36 -0400
On Sep 22, 2008, at 9:06 PM, Scott Weeks wrote:
I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia) in using ASN 3267 (Russian Federal University Network) to advertise our space to ASN 3277 (Regional University and Scientific Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).
Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put in prefix 72.234.0.0/15 and select the dates:
22/9/2008 9:00:00 and 22/9/2008 15:00:00
If so, am I understanding it correctly if I say ASN 3267 saw a shorter path from ASN 8997, so refused the proper announcement from ASN 36149 (me) it normally hears from ASN 174 (Cogent).
I cannot confirm that from the monitoring program at AS 16517 :
[tme@lennon mcast]$ grep 72.234.0.0 bgp.full.Sep_2*2008
bgp.full.Sep_21_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_21_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_21_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_21_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_23_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_23_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
You didn't specify the time zone you are in, so I looked at +- 1 day around it. If the hijack lasted 6 hours, we should have seen it.
Regards
Marshall
If the above two are correct, would it be correct to say only the downstream customers of ASN 3267 were affected?
scott
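Added example, not part of either poster's message: a Python check over RIB snapshots in the grep format shown in the thread, flagging any snapshot whose origin AS for 72.234.0.0/15 is not 36149 and testing whether the snapshot spacing can miss a short event. The 05:10 EDT sample line and its AS path are constructed, and EXPECTED_ORIGIN, parse, origin_mismatches and can_miss are names chosen here.

```python
import re
from datetime import datetime, timedelta, timezone

EXPECTED_ORIGIN = {"72.234.0.0/15": 36149}   # origin AS named in the thread
EDT = timezone(timedelta(hours=-4))          # the dump file names are in EDT

# Lines in the thread's "file:route" grep format. The 05:10 line is constructed
# for illustration; no such snapshot or AS path appears in the thread.
SAMPLE = """\
bgp.full.Sep_22_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_05:10:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 3267 8997 ?
bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
"""

LINE = re.compile(
    r"bgp\.full\.(?P<ts>[A-Za-z]{3}_\d{1,2}_\d\d:\d\d:\d\d)_EDT_(?P<year>\d{4}):"
    r"\S*\s+(?P<prefix>[\d.]+/\d+)\s+(?P<attrs>.*?)\s+[ie?]\s*$")

def parse(text):
    """Return [(utc_time, prefix, origin_as)] sorted by time."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        local = datetime.strptime(f"{m['ts']}_{m['year']}", "%b_%d_%H:%M:%S_%Y")
        utc = local.replace(tzinfo=EDT).astimezone(timezone.utc)
        # Origin AS is the last AS-path token before the origin code;
        # assumes the path is not empty (route not locally originated).
        rows.append((utc, m["prefix"], int(m["attrs"].split()[-1])))
    return sorted(rows)

def origin_mismatches(text):
    """Snapshots whose origin AS differs from the expected one."""
    return [(t, p, o) for t, p, o in parse(text)
            if p in EXPECTED_ORIGIN and o != EXPECTED_ORIGIN[p]]

def can_miss(text, duration):
    """True if some gap between consecutive snapshots exceeds `duration`,
    so an event that short could start and end unobserved."""
    times = [t for t, _, _ in parse(text)]
    return any(b - a > duration for a, b in zip(times, times[1:]))

if __name__ == "__main__":
    for t, p, o in origin_mismatches(SAMPLE):
        print(f"{t:%Y-%m-%d %H:%M} UTC  {p} originated by AS{o}")
    print("15-minute event can be missed:", can_miss(SAMPLE, timedelta(minutes=15)))
```

Converting the file-name timestamps to UTC before comparing them with reports from other vantage points avoids the time-zone mismatch discussed in the thread.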