Indonesian ISP Moratel announces Google's prefixes
Another case of route hijack - http://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about
I am curious if big networks have any pre-defined filters for big content providers like Google to avoid these? I am sure internet community would be working in direction to somehow prevent these issues. Curious to know developments so far.
Thanks.
--
Anurag Bhatia anuragbhatia.com
Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter <https://twitter.com/anurag_bhatia> | Google+ <https://plus.google.com/118280168625121532854>
What do you mean hijack? Google is peering with Moratel, if Google does not want Moratel to advertise its routes to Moratel's peers/upstreams, then Google should've set the correct BGP attributes in the first place.
On Tue, Nov 6, 2012 at 3:35 AM, Anurag Bhatia <me@anuragbhatia.com> wrote:
Another case of route hijack - http://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about
I am curious if big networks have any pre-defined filters for big content providers like Google to avoid these? I am sure internet community would be working in direction to somehow prevent these issues. Curious to know developments so far.
Thanks.
--
Anurag Bhatia anuragbhatia.com
Linkedin <http://in.linkedin.com/in/anuragbhatia21> | Twitter<https://twitter.com/anurag_bhatia>| Google+ <https://plus.google.com/118280168625121532854>
On Tue, Nov 6, 2012 at 11:48 PM, Jian Gu <guxiaojian@gmail.com> wrote:
What do you mean hijack? Google is peering with Moratel, if Google does not want Moratel to advertise its routes to Moratel's peers/upstreams, then Google should've set the correct BGP attributes in the first place.
Curious to know which those are?
By reading the Cloudflare blog, a Cloudflare network engineer discovered that Google's authoritative DNS server networks (including Google's public DNS 8.8.8.0/24) were being routed to Indonesia according to Cloudflare's SF office edge router. This is weird unless Cloudflare is doing something crazy on their edge router, given that those networks are heavily anycasted across the Internet. If Cloudflare sees those networks being routed to Indonesia from San Francisco, then a lot more people should've been affected.
On Tue, Nov 6, 2012 at 8:51 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Tue, Nov 6, 2012 at 11:48 PM, Jian Gu <guxiaojian@gmail.com> wrote:
What do you mean hijack? Google is peering with Moratel, if Google does not want Moratel to advertise its routes to Moratel's peers/upstreams, then Google should've set the correct BGP attributes in the first place.
Curious to know which those are?
It's widely accepted that you only advertise your peers' routes to customers, and you only advertise your own, and your customers' routes to your upstreams.
On 07.11.2012 15:48, Jian Gu wrote:
What do you mean hijack? Google is peering with Moratel, if Google does not want Moratel to advertise its routes to Moratel's peers/upstreams, then Google should've set the correct BGP attributes in the first place.
On Nov 06, 2012, at 23:48 , Jian Gu <guxiaojian@gmail.com> wrote:
What do you mean hijack? Google is peering with Moratel, if Google does not want Moratel to advertise its routes to Moratel's peers/upstreams, then Google should've set the correct BGP attributes in the first place.
That doesn't make the slightest bit of sense.
If a Moratel customer announced a Google-owned prefix to Moratel, and Moratel did not have the proper filters in place, there is nothing Google could do to stop the hijack from happening.
Exactly what attribute do you think would stop this?
-- TTFN, patrick
Where did you get the idea that a Moratel customer announced a Google-owned prefix to Moratel and Moratel did not have the proper filters in place? According to the blog, all of Google's 4 authoritative DNS server networks and 8.8.8.0/24 were wrongly routed to Moratel, what's the possibility for a Moratel customer to announce all those prefixes?
On Tue, Nov 6, 2012 at 9:02 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
On Nov 06, 2012, at 23:48 , Jian Gu <guxiaojian@gmail.com> wrote:
What do you mean hijack? Google is peering with Moratel, if Google does not want Moratel to advertise its routes to Moratel's peers/upstreams, then Google should've set the correct BGP attributes in the first place.
That doesn't make the slightest bit of sense.
If a Moratel customer announced a Google-owned prefix to Moratel, and Moratel did not have the proper filters in place, there is nothing Google could do to stop the hijack from happening.
Exactly what attribute do you think would stop this?
-- TTFN, patrick
Nobody said a Moratel customer announced a Google prefix, they said the issue was within Moratel. This is a really good article that explains the issue in detail, maybe read it again?
http://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about
Steve
On 7 November 2012 05:07, Jian Gu <guxiaojian@gmail.com> wrote:
Where did you get the idea that a Moratel customer announced a Google-owned prefix to Moratel and Moratel did not have the proper filters in place? According to the blog, all of Google's 4 authoritative DNS server networks and 8.8.8.0/24 were wrongly routed to Moratel, what's the possibility for a Moratel customer to announce all those prefixes?
On Nov 07, 2012, at 00:07 , Jian Gu <guxiaojian@gmail.com> wrote:
Where did you get the idea that a Moratel customer announced a Google-owned prefix to Moratel and Moratel did not have the proper filters in place? According to the blog, all of Google's 4 authoritative DNS server networks and 8.8.8.0/24 were wrongly routed to Moratel, what's the possibility for a Moratel customer to announce all those prefixes?
Ah, right, they just leaked Google's prefix. I thought a customer originated the prefix.
Original question still stands. Which attribute do you expect Google to set to stop this?
Hint: Don't say No-Advertise, unless you want peers to only talk to the adjacent AS, not their customers or their customers' customers, etc.
Looking forward to your answer.
-- TTFN, patrick
I don't know what Google and Moratel's peering agreement is, but "leak"? Educate me, Google is announcing /24 for all of their 4 NS prefixes and 8.8.8.0/24 for their public DNS server, how did Moratel leak those routes to the Internet?
On Tue, Nov 6, 2012 at 9:13 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
On Nov 07, 2012, at 00:07 , Jian Gu <guxiaojian@gmail.com> wrote:
Where did you get the idea that a Moratel customer announced a Google-owned prefix to Moratel and Moratel did not have the proper filters in place? According to the blog, all of Google's 4 authoritative DNS server networks and 8.8.8.0/24 were wrongly routed to Moratel, what's the possibility for a Moratel customer to announce all those prefixes?
Ah, right, they just leaked Google's prefix. I thought a customer originated the prefix.
Original question still stands. Which attribute do you expect Google to set to stop this?
Hint: Don't say No-Advertise, unless you want peers to only talk to the adjacent AS, not their customers or their customers' customers, etc.
Looking forward to your answer.
-- TTFN, patrick
On Nov 07, 2012, at 00:21 , Jian Gu <guxiaojian@gmail.com> wrote:
I don't know what Google and Moratel's peering agreement is, but "leak"? Educate me, Google is announcing /24 for all of their 4 NS prefixes and 8.8.8.0/24 for their public DNS server, how did Moratel leak those routes to the Internet?
Downthread, someone said what is typical with peering prefixes, i.e. announce to customers, not to peers or upstreams. How do you think peering works?
However, I place most of the blame on PCCW for crappy filtering of their customers. And I'm a little surprised to see nLayer in the path. Shame on them! (Does that have any effect any more? :)
Oh, and we are still waiting for an answer: Which attribute do you think Google could have used to stop this?
-- TTFN, patrick
As for the "what is a leak" question, a few of us just put a draft together to describe it, in the IETF:
<http://tools.ietf.org/html/draft-foo-sidr-simple-leak-attack-bgpsec-no-help-02>
Eric
On Nov 7, 2012, at 12:21 AM, Jian Gu wrote:
I don't know what Google and Moratel's peering agreement is, but "leak"? Educate me, Google is announcing /24 for all of their 4 NS prefixes and 8.8.8.0/24 for their public DNS server, how did Moratel leak those routes to the Internet?
<snip>
http://bgplay.routeviews.org/bgplay/ gives a good idea of what happened
On Wed, Nov 7, 2012 at 12:44 PM, Eric Osterweil <eosterweil@verisign.com> wrote:
As for the, ``what is a leak'' question, a few of us just put a draft together to describe it, in the IETF: < http://tools.ietf.org/html/draft-foo-sidr-simple-leak-attack-bgpsec-no-help-...
Eric
On Nov 7, 2012, at 12:21 AM, Jian Gu wrote:
I don't know what Google and Moratel's peering agreement is, but "leak"? Educate me, Google is announcing /24 for all of their 4 NS prefixes and 8.8.8.0/24 for their public DNS server, how did Moratel leak those routes to the Internet?
<snip>
On 11/7/12 12:13 AM, Patrick W. Gilmore wrote:
On Nov 07, 2012, at 00:07 , Jian Gu <guxiaojian@gmail.com> wrote:
Where did you get the idea that a Moratel customer announced a Google-owned prefix to Moratel and Moratel did not have the proper filters in place? According to the blog, all of Google's 4 authoritative DNS server networks and 8.8.8.0/24 were wrongly routed to Moratel, what's the possibility for a Moratel customer to announce all those prefixes?
Ah, right, they just leaked Google's prefix. I thought a customer originated the prefix.
Original question still stands. Which attribute do you expect Google to set to stop this?
Hint: Don't say No-Advertise, unless you want peers to only talk to the adjacent AS, not their customers or their customers' customers, etc.
Looking forward to your answer.
I would expect that moratel should have a route object which their transit providers can construct a prefix filter for. if moratel advertised an AS path including themselves and a google origin, pccw should not have accepted it. if they originated the prefix, pccw should not have accepted it.
Apologies for calling it a prefix hijack. I misunderstood at the start. Clearly it was a case of prefix leaking.
Thanks
(Sent from my mobile device)
Anurag Bhatia
http://anuragbhatia.com
On Nov 7, 2012 11:22 AM, "joel jaeggli" <joelja@bogus.com> wrote:
On 11/7/12 12:13 AM, Patrick W. Gilmore wrote:
On Nov 07, 2012, at 00:07 , Jian Gu <guxiaojian@gmail.com> wrote:
Where did you get the idea that a Moratel customer announced a Google-owned prefix to Moratel and Moratel did not have the proper filters in place? According to the blog, all of Google's 4 authoritative DNS server networks and 8.8.8.0/24 were wrongly routed to Moratel, what's the possibility for a Moratel customer to announce all those prefixes?
Ah, right, they just leaked Google's prefix. I thought a customer originated the prefix.
Original question still stands. Which attribute do you expect Google to set to stop this?
Hint: Don't say No-Advertise, unless you want peers to only talk to the adjacent AS, not their customers or their customers' customers, etc.
Looking forward to your answer.
I would expect that moratel should have a route object which their transit providers can construct a prefix filter for. if moratel advertised an AS path including themselves and a google origin, pccw should not have accepted it. if they originated the prefix, pccw should not have accepted it.
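Added example, not part of any message in the thread: a sketch of the two checks discussed above, the export rule (peer routes go to customers only; own and customer routes go to upstreams) and an upstream-side customer filter built from registered route objects. The AS numbers are documentation placeholders rather than the real ones, and the topology and route objects are constructed assumptions; only 8.8.8.0/24 comes from the thread.

```python
import ipaddress

# Constructed placeholders: documentation ASNs (RFC 5398), not real AS numbers.
CONTENT, LEAKER, TRANSIT, STUB = 64496, 64497, 64498, 64499

# REL[(a, b)] = what b is to a. Assumed topology mirroring the thread:
# CONTENT peers with LEAKER, TRANSIT is LEAKER's upstream, STUB is its customer.
REL = {
    (LEAKER, CONTENT): "peer", (CONTENT, LEAKER): "peer",
    (LEAKER, TRANSIT): "provider", (TRANSIT, LEAKER): "customer",
    (LEAKER, STUB): "customer", (STUB, LEAKER): "provider",
}

# Constructed route objects (prefix, origin AS) registered for LEAKER's cone.
ROUTE_OBJECTS = {LEAKER: [("198.51.100.0/24", LEAKER), ("203.0.113.0/24", STUB)]}


def may_export(asn, learned_from, send_to):
    """Own routes (learned_from is None) and customer routes go to everyone;
    routes learned from a peer or provider go to customers only.
    Unknown relationships are treated as non-customer."""
    if learned_from is None or REL.get((asn, learned_from)) == "customer":
        return True
    return REL.get((asn, send_to)) == "customer"


def find_leak(as_path):
    """as_path is in BGP order (nearest AS first, origin last).
    Return the first AS that re-exported against may_export, else None."""
    hops = as_path[::-1]  # walk from the origin outwards
    for prev, asn, nxt in zip(hops, hops[1:], hops[2:]):
        if not may_export(asn, prev, nxt):
            return asn
    return None


def customer_filter_accepts(customer, prefix, as_path):
    """Upstream-side filter built from the customer's route objects: accept
    only if the session neighbour is the customer and (prefix, origin)
    is covered by a registered object."""
    net = ipaddress.ip_network(prefix)
    if not as_path or as_path[0] != customer:
        return False
    return any(
        as_path[-1] == origin and net.subnet_of(ipaddress.ip_network(registered))
        for registered, origin in ROUTE_OBJECTS.get(customer, [])
    )


if __name__ == "__main__":
    leaked = [TRANSIT, LEAKER, CONTENT]      # path as seen beyond TRANSIT
    print("leaking AS:", find_leak(leaked))  # LEAKER re-exported a peer route
    # What TRANSIT receives from LEAKER, in the two cases raised in the thread:
    print(customer_filter_accepts(LEAKER, "8.8.8.0/24", [LEAKER, CONTENT]))
    print(customer_filter_accepts(LEAKER, "8.8.8.0/24", [LEAKER]))
    print(customer_filter_accepts(LEAKER, "203.0.113.0/24", [LEAKER, STUB]))
```

The filter rejects the leaked prefix whether it arrives with the content network as origin or is originated by the customer itself, and it does so without any attribute being set by the content network.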
participants (9)
- Andrew Jones
- Anurag Bhatia
- Ben Bartsch
- Christopher Morrow
- Eric Osterweil
- Jian Gu
- joel jaeggli
- Patrick W. Gilmore
- Stephen Wilcox