BGP more specific prefixes
Sorry for sending this "huge" mail :-)

At this moment we have a very simple multihomed ASN with a /20 prefix (x.y.0.0/20), like many other companies in the world. Some days ago, a BGP issue was announced about "IP hijacking". OK, we understand that this is something "new" because the traffic is also sent back to the "real owner" of the block.

What kind of security can we have (and all internet providers) to ensure that nobody announces a subset of their prefix or a subset of their customer prefixes (i.e. x.y.0.0/24), disturbing the "normal" traffic flow? Of course, we know about prefix monitoring tools (from RIPE and others), but... is that the best solution? Or can simply anyone announce the /24 prefix that he wants, "capturing" that /24 prefix (of course, if the "normal" prefix is larger than that, i.e. /16)? In other words... can anybody "capture" the /24 prefix that he wants?

For example, what happens if somebody announces a /24 from company "A" while the "normal" valid prefix of company "A" is a /16, and directs it to null0? That /24 is "shut down". That is not the "new IP hijacking" issue because the traffic is not sent back to company "A".

The question is very simple. It is very, very difficult for me to believe that anybody can "shut down" the /24 network that he wants in the world. Am I right? Or maybe the internet simply works like this and the providers are very careful about what they accept from their customers and what they announce to other providers? I don't know the details of how internet providers work, but I know that when we made our multihoming for our ASN, both providers did not set up the BGP session until we had created the "route object" in RIPE that makes a relationship between our ASN and our prefix. Also, both providers have made filters in order to accept only our prefix in our BGP session.

In other words... is there anybody on the internet who can be sure that their traffic (traffic destined to their prefix) is not going to be "stolen"? If yes... how? Keep in mind that announcing the same prefixes as the attacker will not totally solve the problem because it is only a partial solution. If announcing a more specific /24 network is so easy... why does this not happen every day (for example, for shutting down competitors' sites)?

Best regards
Hi!
Some days ago, a BGP issue was announced about "IP hijacking". OK, we understand that this is something "new" because the traffic is also sent back to the "real owner" of the block.
Traffic will walk the shortest path, so you can never tell it's the 'real' owner that will receive this traffic.
What kind of security can we have (and all internet providers) to ensure that nobody announces a subset of their prefix or a subset of their customer prefixes (i.e. x.y.0.0/24), disturbing the "normal" traffic flow? Of course, we know about prefix monitoring tools (from RIPE and others), but... is that the best solution?
Or can simply anyone announce the /24 prefix that he wants, "capturing" that /24 prefix (of course, if the "normal" prefix is larger than that, i.e. /16)? In other words... can anybody "capture" the /24 prefix that he wants?
If I start announcing your /24, and my upstreams don't do proper filtering, I steal your prefix, easy as that. As little as this may be, my most direct peerings will accept the routes and off you go. And prefix filtering is within some providers not even per customer; we personally had for example issues with a big carrier, something with a 3 inside their name, who only had a large prefix filter with *ALL* their customers, so if another customer of that same 3 would announce our prefixes, it would be OK for them, and that happened. So we were blackholed, since that other customer had many peerings with '3' in various locations. So even with 'some' filtering in place bad things can and will happen.
The question is very simple. It is very, very difficult for me to believe that anybody can "shut down" the /24 network that he wants in the world. Am I right?
No? It's dead simple in fact. Totally shut down, no, since you most likely have direct peers who have a shorter path.
Or maybe the internet simply works like this and the providers are very careful about what they accept from their customers and what they announce to other providers?
Ghe ... you think route leaking and stealing don't happen on a daily basis? Go look and see where a major part of your spam is coming from: yes, stolen prefixes.
In other words... is there anybody on the internet who can be sure that their traffic (traffic destined to their prefix) is not going to be "stolen"? If yes... how?
Keep in mind that announcing the same prefixes as the attacker will not totally solve the problem because it is only a partial solution.
If announcing a more specific /24 network is so easy... why does this not happen every day (for example, for shutting down competitors' sites)?
It does happen daily, wake up! Bye, Raymond.
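To make the two mechanisms in Raymond's reply concrete, here is an added Python model (not code from the thread): BGP's longest-prefix match lets a /24 beat the legitimate /20 regardless of AS path, an ingress filter built per customer (for instance from that customer's RIPE route objects) rejects the /24, an aggregate filter shared by all customers lets it through, and the victim announcing its own /24 only wins where its path is no longer than the hijacker's. The ASNs, prefixes and filter lists are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple   # leftmost = neighbour we heard it from, rightmost = origin AS
    from_as: int     # the customer session this announcement arrived on

def best_route(rib, ip):
    """BGP chooses the most specific prefix first; AS-path length only breaks
    ties between routes of the same prefix length."""
    ip = ipaddress.ip_address(ip)
    cands = [r for r in rib if ip in r.prefix]
    return min(cands, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)), default=None)

def accept(route, filters):
    """Ingress filter on a customer session: accept only prefixes equal to or
    more specific than one in that customer's allow-list (e.g. from its route
    objects). A carrier's aggregate filter is modelled by giving every
    customer the same shared allow-list."""
    return any(route.prefix.subnet_of(p) for p in filters.get(route.from_as, ()))

LEGIT, ATTACKER, TRANSIT = 64500, 64666, 64510      # constructed private ASNs
VICTIM = ipaddress.ip_network("10.0.0.0/20")        # constructed, stands in for x.y.0.0/20
MORE_SPECIFIC = ipaddress.ip_network("10.0.5.0/24") # the /24 inside it
ATTACKER_OWN = ipaddress.ip_network("10.8.0.0/16")  # the attacker's legitimate block

def origin_for(ip, per_customer_filter, victim_deaggregates=False):
    """Origin AS that an upstream's best route for `ip` leads to, after filtering."""
    if per_customer_filter:
        filters = {LEGIT: {VICTIM}, ATTACKER: {ATTACKER_OWN}, TRANSIT: {VICTIM}}
    else:  # one big list for *all* customers, as in the carrier story above
        shared = {VICTIM, ATTACKER_OWN}
        filters = {LEGIT: shared, ATTACKER: shared, TRANSIT: shared}
    announced = [
        Route(VICTIM, (LEGIT,), LEGIT),                   # the real /20
        Route(MORE_SPECIFIC, (ATTACKER,), ATTACKER),      # a customer announcing someone else's /24
    ]
    if victim_deaggregates:  # victim announces its own /24 too, but it arrives via a transit hop
        announced.append(Route(MORE_SPECIFIC, (TRANSIT, LEGIT), TRANSIT))
    rib = [r for r in announced if accept(r, filters)]
    best = best_route(rib, ip)
    return best.as_path[-1] if best else None
```

Addresses outside the hijacked /24 keep following the /20, which is why the victim may notice nothing unless it monitors the whole block.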
Raymond: Thanks a lot for your comments, but... nobody can be sure that their complete prefix is routed OK to them (the "owner" AS). Right? Do you see this as normal behavior? What do you think is the best way to protect against this? Do you think that our upstreams can help us? Best regards

On Saturday 30 August 2008 10:32:08 Raymond Dijkxhoorn wrote: