Dreamhost/AS26347 unauthorized bgp announcement
According to RIPE RIS, AS26347 announced a bunch of prefixes again.
- http://www.ris.ripe.net/dashboard/26347

First suspicious announcement was started 2013-03-06 07:52:40 UTC, and last seen 2013-03-06 08:33:56 UTC. 195 prefixes total.

It seems these unauthorized announcements have the same profile as before - AS26347 shrinks the prefix length of their received prefix somehow up to /20, and re-originates the prefix with origin AS26347.

Any known bugs?

Regards,
-----
Matsuzaki Yoshinobu <maz@iij.ad.jp> - IIJ/AS2497
INOC-DBA: 2497*629
Hi Mat,

I see the same thing, we learn the prefix from the route-server in LAX:

telnet@r1.lax1.us>show ip bgp routes detail 90.201.80.0/20
Number of BGP Routes matching display condition : 1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH
       S:SUPPRESSED F:FILTERED s:STALE
1       Prefix: 90.201.80.0/20, Status: BE, Age: 0h22m15s
        NEXT_HOP: 206.223.143.83, Metric: 0, Learned from Peer: 206.223.143.253 (19996)
        LOCAL_PREF: 400, MED: none, ORIGIN: incomplete, Weight: 0
        AS_PATH: 26347
        COMMUNITIES: 5580:12431
        Adj_RIB_out count: 18, Admin distance 20
        Last update to IP routing table: 0h22m15s, 1 path(s) installed:

Kind regards,

Job

On Mar 6, 2013, at 9:59 AM, Matsuzaki Yoshinobu <maz@iij.ad.jp> wrote:
> According to RIPE RIS, AS26347 announced a bunch of prefixes again.
> - http://www.ris.ripe.net/dashboard/26347
>
> First suspicious announcement was started 2013-03-06 07:52:40 UTC, and last seen 2013-03-06 08:33:56 UTC. 195 prefixes total.
>
> It seems these unauthorized announcements have the same profile as before - AS26347 shrinks the prefix length of their received prefix somehow up to /20, and re-originates the prefix with origin AS26347.
>
> Any known bugs?
>
> Regards,
> -----
> Matsuzaki Yoshinobu <maz@iij.ad.jp> - IIJ/AS2497
> INOC-DBA: 2497*629
-- AS5580 - Atrato IP Networks
They're doing this to our routes in any2 in LA as well.

...

-----Original Message-----
From: Job Snijders [mailto:job.snijders@atrato.com]
Sent: Wednesday, March 06, 2013 4:04 AM
To: Matsuzaki Yoshinobu
Cc: nanog@nanog.org
Subject: Re: Dreamhost/AS26347 unauthorized bgp announcement

Hi Mat,

I see the same thing, we learn the prefix from the route-server in LAX:

telnet@r1.lax1.us>show ip bgp routes detail 90.201.80.0/20
Number of BGP Routes matching display condition : 1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH
       S:SUPPRESSED F:FILTERED s:STALE
1       Prefix: 90.201.80.0/20, Status: BE, Age: 0h22m15s
        NEXT_HOP: 206.223.143.83, Metric: 0, Learned from Peer: 206.223.143.253 (19996)
        LOCAL_PREF: 400, MED: none, ORIGIN: incomplete, Weight: 0
        AS_PATH: 26347
        COMMUNITIES: 5580:12431
        Adj_RIB_out count: 18, Admin distance 20
        Last update to IP routing table: 0h22m15s, 1 path(s) installed:

Kind regards,

Job

On Mar 6, 2013, at 9:59 AM, Matsuzaki Yoshinobu <maz@iij.ad.jp> wrote:
-- AS5580 - Atrato IP Networks
Hi all,

I tried contacting Coresite/Any2 to have somebody login to the routeserver and double-check which peer is actually announcing this NLRI, because there is a remote possibility that the route-server is being manipulated by a third party and Dreamhost is a victim here.

After the usual hurdles like "What is your circuit ID?", "Without a workorder I cannot login to the routeserver!" and "5580? that can't be an AS number", I unfortunately got nowhere, so I still don't know who exactly announced these prefixes to the route-server.

As of now the announcements for the more specifics seem to be gone.

Can anybody (preferably from Any2 or Dreamhost) shed more light on this matter?

Kind regards,

Job

On Mar 6, 2013, at 2:43 PM, Drew Weaver <drew.weaver@thenap.com> wrote:
> They're doing this to our routes in any2 in LA as well.
>
> ...
-- AS5580 - Atrato IP Networks
Hi Guys,

Sorry to see this come up again. We are not announcing the prefix in question. I am happy to work with you to investigate.

dh_admin@gar-bdr-01> show route advertising-protocol bgp 206.223.143.122

inet.0: 447113 destinations, 1801741 routes (447105 active, 8 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 64.111.96.0/19          Self                                    I
* 66.33.192.0/19          Self                                    I
* 66.33.197.0/24          Self                 6                  I
* 67.205.0.0/18           Self                                    I
* 69.163.128.0/17         Self                                    I
* 75.119.192.0/19         Self                                    I
* 173.236.128.0/17        Self                                    I
* 205.196.208.0/20        Self                                    I
* 208.97.128.0/18         Self                                    I
* 208.113.128.0/17        Self                                    I
* 208.113.200.0/24        Self                 6                  I

Best,
Kenneth

{master}
dh_admin@gar-bdr-01>

On Wed, Mar 6, 2013 at 8:11 AM, Job Snijders <job.snijders@atrato.com> wrote:
> Hi all,
>
> I tried contacting Coresite/Any2 to have somebody login to the routeserver and double-check which peer is actually announcing this NLRI, because there is a remote possibility that the route-server is being manipulated by a third party and Dreamhost is a victim here.
>
> After the usual hurdles like "What is your circuit ID?", "Without a workorder I cannot login to the routeserver!" and "5580? that can't be an AS number", I unfortunately got nowhere, so I still don't know who exactly announced these prefixes to the route-server.
>
> As of now the announcements for the more specifics seem to be gone.
>
> Can anybody (preferably from Any2 or Dreamhost) shed more light on this matter?
>
> Kind regards,
>
> Job
>
> On Mar 6, 2013, at 2:43 PM, Drew Weaver <drew.weaver@thenap.com> wrote:
> -- AS5580 - Atrato IP Networks
.-- My secret spy satellite informs me that at 2013-03-06 12:59 AM Matsuzaki Yoshinobu wrote:
> According to RIPE RIS, AS26347 announced a bunch of prefixes again.
> - http://www.ris.ripe.net/dashboard/26347
>
> First suspicious announcement was started 2013-03-06 07:52:40 UTC, and last seen 2013-03-06 08:33:56 UTC. 195 prefixes total.
>
> It seems these unauthorized announcements have the same profile as before - AS26347 shrinks the prefix length of their received prefix somehow up to /20, and re-originates the prefix with origin AS26347.
>
> Any known bugs?
Sounds indeed like an exact copy of the incident on January 11:
http://seclists.org/nanog/2013/Jan/243

That time the prefixes seem to also have been learned via a route-server in LA.

The strange thing is that the majority of the 'hijacked' prefixes (today and in January) are new more specifics (not seen before). (Using some kind of BGP route optimizer?)

This time it affected 203 unique prefixes and 133 ASNs. Below a list of some of the affected ASNs:

20115 Charter Telecom.
4837 China Unicom
8151 UNINET Mexico
11427 Roadrunner
42961 MTC GPRS Kuwait
7303 Telecom Argentina S.A.
25135 Vodafone
7018 AT&T
6389 BellSouth.net
8220 Colt
19262 Verizon
9143 ZIGGO
6830 UPC
5089 Virgin Media

Cheers,
Andree
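Added example, not code from the thread or from any of its participants: a small Python origin-validation and "new more-specific" monitor of the kind RIPE RIS or BGPmon-style tooling runs, which would flag the 90.201.80.0/20 route-server entry Job posted and the "not seen before" more-specifics Andree describes. The authorization table is constructed: the AS26347 entries are the prefixes Kenneth's router output lists, and AS64496 (a documentation ASN) stands in for the real holder of 90.201.0.0/16, which the thread does not name. The previously-seen set and the control routes are constructed too; the AS_PATH is taken as the plain space-separated form shown in Job's output (no AS_SET handling).

```python
"""Route origin validation plus new-more-specific alerting (added example)."""
import ipaddress
from collections import namedtuple

# One authorization entry: `origin` may announce `prefix` and any more
# specific of it down to `max_length` (same shape as an RPKI ROA).
Roa = namedtuple("Roa", "prefix max_length origin")


def roa(prefix, origin, max_length=None):
    net = ipaddress.ip_network(prefix)
    return Roa(net, net.prefixlen if max_length is None else max_length, origin)


# Constructed authorization table. The AS26347 rows are the prefixes
# Dreamhost's `show route advertising-protocol` output lists in the thread;
# AS64496 is a documentation ASN standing in for the (unnamed) real holder
# of 90.201.0.0/16 - an assumption for this example only.
AUTHORIZED = [
    roa("64.111.96.0/19", 26347), roa("66.33.192.0/19", 26347),
    roa("66.33.197.0/24", 26347), roa("67.205.0.0/18", 26347),
    roa("69.163.128.0/17", 26347), roa("75.119.192.0/19", 26347),
    roa("173.236.128.0/17", 26347), roa("205.196.208.0/20", 26347),
    roa("208.97.128.0/18", 26347), roa("208.113.128.0/17", 26347),
    roa("208.113.200.0/24", 26347),
    roa("90.201.0.0/16", 64496),
]


def origin_as(as_path):
    """The origin ASN is the rightmost ASN of a plain space-separated AS_PATH."""
    return int(as_path.split()[-1])


def validate(prefix_str, as_path, roas=AUTHORIZED):
    """Classify one announcement as valid, invalid, or unknown (RPKI ROV logic)."""
    prefix = ipaddress.ip_network(prefix_str)
    origin = origin_as(as_path)
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "unknown"            # nobody has registered this address space
    if any(r.origin == origin and prefix.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"                # wrong origin, or more specific than authorized


class HijackMonitor:
    """Flags invalid origins and more-specifics that were never seen before."""

    def __init__(self, roas, seen_before):
        self.roas = roas
        self.seen = {ipaddress.ip_network(p) for p in seen_before}

    def observe(self, prefix_str, as_path):
        prefix = ipaddress.ip_network(prefix_str)
        status = validate(prefix_str, as_path, self.roas)
        alerts = []
        if status == "invalid":
            alerts.append("origin AS%d not authorized for %s" % (origin_as(as_path), prefix))
        # Andree's observation: the hijacked routes were mostly new more-specifics.
        if prefix not in self.seen and any(
                s.version == prefix.version and prefix != s and prefix.subnet_of(s)
                for s in self.seen):
            alerts.append("new more-specific %s (not seen before)" % prefix)
        self.seen.add(prefix)
        return status, alerts


def run_demo():
    """Constructed observations: the /20 from the thread plus control cases."""
    previously_seen = ["90.201.0.0/16"] + [str(r.prefix) for r in AUTHORIZED]
    mon = HijackMonitor(AUTHORIZED, previously_seen)
    observed = [
        ("90.201.80.0/20", "26347"),            # the route-server entry from the thread
        ("64.111.96.0/19", "26347"),            # Dreamhost's own aggregate
        ("66.33.197.0/24", "2497 5580 26347"),  # a listed /24, seen via a longer path
        ("208.113.129.0/24", "26347"),          # constructed: more specific than authorized
        ("198.51.100.0/24", "64496"),           # constructed: no entry covers it
    ]
    return {p: mon.observe(p, path) for p, path in observed}


if __name__ == "__main__":
    for prefix, (status, alerts) in run_demo().items():
        print(prefix, status, *alerts, sep=" | ")
```

The two checks are deliberately separate: origin validation needs an authorization table and says nothing about routes in unregistered space, while the "new more-specific" check needs only a history of what the monitor has seen and catches exactly the pattern Andree points at, even where no ROA exists.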
Hi all,

Just a small update. Off-list Andree and I have been working together with Kenneth from Dreamhost to try and figure out what exactly happened and which device or party originated these prefixes.

Unfortunately no hard conclusions can be drawn from the data available to us, especially since we lack proper insight into this Any2 routeserver.

I also want to emphasize that Kenneth and Dreamhost have been very forthcoming in sharing data (configs, stats, network plans) to find the root cause.

We have put additional monitoring in place to try and catch more data if this happens a next time.

Thank you all for being on top of incidents like this!

Kind regards,

Job

On Mar 6, 2013, at 7:29 PM, Andree Toonk <andree+nanog@toonk.nl> wrote:
> .-- My secret spy satellite informs me that at 2013-03-06 12:59 AM Matsuzaki Yoshinobu wrote:
> Sounds indeed like an exact copy of the incident on January 11:
> http://seclists.org/nanog/2013/Jan/243
>
> That time the prefixes seem to also have been learned via a route-server in LA.
>
> The strange thing is that the majority of the 'hijacked' prefixes (today and in January) are new more specifics (not seen before). (Using some kind of BGP route optimizer?)
>
> This time it affected 203 unique prefixes and 133 ASNs. Below a list of some of the affected ASNs:
>
> 20115 Charter Telecom.
> 4837 China Unicom
> 8151 UNINET Mexico
> 11427 Roadrunner
> 42961 MTC GPRS Kuwait
> 7303 Telecom Argentina S.A.
> 25135 Vodafone
> 7018 AT&T
> 6389 BellSouth.net
> 8220 Colt
> 19262 Verizon
> 9143 ZIGGO
> 6830 UPC
> 5089 Virgin Media
>
> Cheers,
> Andree
-- AS5580 - Atrato IP Networks
Participants (5): Andree Toonk, Drew Weaver, Job Snijders, Kenneth McRae, Matsuzaki Yoshinobu