AS hijacking (Philosophy, rants, GeoMind)
One of the companies I work for recently had an issue with AS 2 (University of Delaware) hijacking a prefix. Due to Origin AS, good upstreams, and the like this has not really affected the traffic to the legit blocks. However, GeoMind picked this up almost immediately it seems. The IP blocks when you go to speedtest.net come back to the University of Delaware. This seems to be the only issue at the moment so we are working through contacting the peers of AS2 and asking them to look into this. We had also contacted University of Delaware.
Here is where the philosophy comes into play. The very terse e-mail we received back was basically “AS2 gets hijacked a lot and it’s not our problem”. So my question for the NANOG folks. At what point do you say “it’s not your problem” when it involves your ASN?
Rant: I almost always have issues with GeoMind and others when it comes to IP space. Several of my folks have received allocations from ARIN in March. A few are still fighting with geolocation stuff with a few of the providers. So why does GeoMind automatically accept a hijacked prefix as correct? All the right boxes have been ticked. Origin Validation, registry sets, etc.
Happy Friday!
Justin Wilson j2sw@mtin.net
— https://j2sw.com - All things jsw (AS209109) https://blog.j2sw.com - Podcast and Blog
Go back to them and tell them that a hijacked prefix is different from a hijacked AS. On Fri, May 29, 2020 at 11:39:46AM -0400, Justin Wilson (Lists) wrote:
One of the companies I work for recently had an issue with AS 2 (University of Delaware) hijacking a prefix. Due to Origin AS, good upstreams, and the like this has not really affected the traffic to the legit blocks. However, GeoMind picked this up almost immediately it seems. The IP blocks when you go to speedtest.net come back to the university of Delaware. This seems to be the only issue at the moment so we are working through contacting the peers of AS2 and asking them to look into this. We had also contacted University of Delaware.
Here is where the philosophy comes into play. The very terse e-mail we received back was basically “As2 gets hijacked a lot and it’s not our problem”. So my question for the NANOG folks. At what point do you say “it’s not your problem” when it involves your ASN?
Rant: I almost always have issues with GeoMind and others when it comes to IP space. Several of my folks have received allocations from ARIN in March. A few are still fighting with geolocation stuff with a few of the providers. So why does GeoMind automatically accept a hijacked prefix as correct? All the right boxes have been ticked. Origin Validation, registry sets, etc.
I will probably just get another link to https://isbgpsafeyet.com/ like I did in the first e-mail. LOL
Justin Wilson j2sw@mtin.net
— https://j2sw.com - All things jsw (AS209109) https://blog.j2sw.com - Podcast and Blog
On May 29, 2020, at 11:57 AM, Chuck Anderson <cra@WPI.EDU> wrote:
Go back to them and tell them that a hijacked prefix is different from a hijacked AS.
are you sure it was really udel? and not someone pretending to be udel from a random IX peering? On Fri, May 29, 2020 at 12:03 PM Justin Wilson (Lists) <lists@mtin.net> wrote:
I will probably just get another link to https://isbgpsafeyet.com/ like I did in the first e-mail. LOL
Justin Wilson j2sw@mtin.net
— https://j2sw.com - All things jsw (AS209109) https://blog.j2sw.com - Podcast and Blog
On May 29, 2020, at 11:57 AM, Chuck Anderson <cra@WPI.EDU> wrote:
Go back to them and tell them that a hijacked prefix is different from a hijacked AS.
Thus spake Justin Wilson (Lists) (lists@mtin.net) on Fri, May 29, 2020 at 11:39:46AM -0400:
One of the companies I work for recently had an issue with AS 2 (University of Delaware) hijacking a prefix. Due to Origin AS, good upstreams, and the like this has not really affected the traffic to the legit blocks. However, GeoMind picked this up almost immediately it seems. The IP blocks when you go to speedtest.net come back to the university of Delaware. This seems to be the only issue at the moment so we are working through contacting the peers of AS2 and asking them to look into this. We had also contacted University of Delaware.
Here is where the philosophy comes into play. The very terse e-mail we received back was basically “As2 gets hijacked a lot and it’s not our problem”.
Given the ASN, have you ruled out that this is hijacking vs a case of prepending gone wrong? We see this happen quite a bit with ASN 16, and sometimes even with 50. Typically, ASNs 43, 44, and 45 usually get spared from this class of misconfiguration.
So my question for the NANOG folks. At what point do you say “it’s not your problem” when it involves your ASN?
Interdomain routing continues to be a community effort, but this certainly could be in the class of problems of which they had no hand in. Dale
On Fri, 29 May 2020, Justin Wilson (Lists) wrote:
One of the companies I work for recently had an issue with AS 2 (University of Delaware) hijacking a prefix.
Sounds like a misconfigured prepend, someone thinking the value to provide is the number of prepends instead of the ASN to prepend. /mark
On Fri, May 29, 2020 at 8:40 AM Justin Wilson (Lists) <lists@mtin.net> wrote:
Here is where the philosophy comes into play. The very terse e-mail we received back was basically “As2 gets hijacked a lot and it’s not our problem”. So my question for the NANOG folks. At what point do you say “it’s not your problem” when it involves your ASN?
The point where someone who isn't you is both hijacking your ASN *and* someone else's prefix? Have you confirmed that the hijack actually came from UDel, that the AS path matches one that's legitimate for UDel? The guy hijacking your route doesn't have to list just one AS as the origin; he can list an entire chain.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/
Thanks Bill,
As our canned Email stated, AS2 (and many low digit AS') get hijacked and often go on to hijack someone's prefix. AS2 (proper) is rarely changed and the chances of an actual prefix hijack from it are extremely low. So as I've asked our peers, I'll ask here: What is expected of us to be good "Net Citizens" with these hijacks? We don't have an FTE to assign to contact IX, ISP, etc. sites, often not in this country, to track down these weekly hijacks. The canned Email has resulted in some feedback where the hijack is found to be a prepending syntax error, or a lab config slipping through to production, but still a majority are supposed malicious and we never hear back. Seeing AS paths of the prefix hijacks would be helpful, but we're not aware of where we can get to them and offer the Email response asking the victim to inquire locally.
thanks
On 5/30/20 2:09 PM, William Herrin wrote:
On Fri, May 29, 2020 at 8:40 AM Justin Wilson (Lists) <lists@mtin.net> wrote:
Here is where the philosophy comes into play. The very terse e-mail we received back was basically “AS2 gets hijacked a lot and it’s not our problem”. So my question for the NANOG folks. At what point do you say “it’s not your problem” when it involves your ASN?
The point where someone who isn't you is both hijacking your ASN *and* someone else's prefix? Have you confirmed that the hijack actually came from UDel, that the AS path matches one that's legitimate for UDel? The guy hijacking your route doesn't have to list just one AS as the origin; he can list an entire chain.
Regards, Bill Herrin
-- Mike Davis IT - University of Delaware - 302.831.8756 Newark, DE 19716 Email davis@udel.edu
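The two diagnostic points raised in this thread, the mistyped prepend (Dale and Mark: a count of 2 typed where an ASN was expected, so AS 2 lands at the origin next to the real announcer) and Bill's check of whether the AS path into the claimed origin is one that is legitimate for that AS, can be scripted over the paths a route collector shows for the prefix. The following Python is an added example and is not code from anyone in the thread; every ASN, path and adjacency in it is constructed (AS 2's real neighbours are not represented, and `LOW_ASN_THRESHOLD`, `known_upstreams` and the verdict names are this example's own assumptions).

```python
# Added example (not from the thread): triage observed AS paths for a prefix
# to separate a mistyped prepend from a forged origin. All ASNs, paths and
# adjacency data are constructed; AS 2's real neighbours are not represented.
from collections import Counter
from dataclasses import dataclass

LOW_ASN_THRESHOLD = 100  # assumption: "low digit" ASNs as discussed in the thread


@dataclass(frozen=True)
class Verdict:
    path: tuple
    kind: str
    detail: str


def parse_as_path(text: str) -> tuple:
    """'64511 64510 64500' -> (64511, 64510, 64500); prepends are kept."""
    return tuple(int(tok) for tok in text.split())


def classify_path(path, expected_origin, known_upstreams):
    """Classify one AS path as seen from a collector (leftmost = nearest the
    collector, rightmost = origin).

    expected_origin: the ASN a ROA / IRR route object authorises for the prefix.
    known_upstreams: {asn: set of ASNs legitimately adjacent to it}, e.g. built
                     from PeeringDB or the IRR (constructed in this example).
    """
    if not path:
        return Verdict(path, "invalid", "empty AS path")
    origin = path[-1]
    if origin == expected_origin:
        return Verdict(path, "valid-origin", f"AS{origin} matches the ROA")
    neighbour = path[-2] if len(path) >= 2 else None
    # 'set as-path prepend 2' typed where a count of 2 was meant: the small
    # number becomes the origin and the real announcer sits right beside it.
    if origin < LOW_ASN_THRESHOLD and neighbour == expected_origin:
        return Verdict(path, "prepend-misconfig",
                       f"AS{origin} at origin with AS{expected_origin} adjacent: "
                       "looks like a mistyped prepend count, contact the announcer")
    if neighbour is None:
        return Verdict(path, "forged-origin",
                       f"AS{origin} claimed directly at the collector, no upstream to check")
    # Someone else originates the prefix: does the path into the claimed
    # origin look like one that is legitimate for it?
    if neighbour not in known_upstreams.get(origin, set()):
        return Verdict(path, "forged-origin",
                       f"AS{neighbour} is not a known neighbour of AS{origin}: "
                       f"origin likely forged, ask AS{neighbour} about its customer")
    return Verdict(path, "consistent-with-claimed-origin",
                   f"path enters AS{origin} via known upstream AS{neighbour}; "
                   "may still be a forged chain, ask that upstream to verify")


def triage(path_texts, expected_origin, known_upstreams):
    """Classify every path and return (verdicts, count per verdict kind)."""
    verdicts = [classify_path(parse_as_path(t), expected_origin, known_upstreams)
                for t in path_texts]
    return verdicts, Counter(v.kind for v in verdicts)


# Constructed sample: the prefix is authorised for AS64500; AS2 adjacency is invented.
SAMPLE_PATHS = [
    "64511 64510 64500",        # legitimate announcement
    "64511 64500 64500 64500",  # legitimate, correctly prepended
    "64511 64500 2",            # prepend count typed as an ASN
    "64511 65010 2",            # AS2 claimed as origin via an unknown neighbour
    "64511 64496 2",            # AS2 claimed via a (constructed) known upstream
]
SAMPLE_UPSTREAMS = {2: {64496, 64497}}  # constructed, not AS2's real neighbours

if __name__ == "__main__":
    verdicts, counts = triage(SAMPLE_PATHS, 64500, SAMPLE_UPSTREAMS)
    for v in verdicts:
        print(" ".join(map(str, v.path)).ljust(26), v.kind.ljust(32), v.detail)
    print(dict(counts))
```

The verdicts only say who to contact next: a prepend misconfiguration goes back to the announcer beside the low ASN, a path that does not enter the claimed origin through any known neighbour points at that neighbour's customer, and a path that does still needs the upstream to confirm, since a forged chain can include legitimate-looking hops.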
participants (7)
- Christopher Morrow
- Chuck Anderson
- Dale W. Carder
- Justin Wilson (Lists)
- Mark Milhollan
- Michael Davis
- William Herrin