-- "Bill Stewart" <nonobvious@gmail.com> wrote:
I've seen two popular reasons for doing it accidentally
- Fat fingers when configuring IP addresses by hand
- Using old routing protocols such as IGRP or RIP and autosummarizing routes, usually done by a customer of an ISP that doesn't bother filtering carefully. This doesn't give you a /24 address by accident, but it lets you take two /24 subnets of a Class B or Class A and turn them into an advertisement for the whole network.
Also: I have seen instances where a static route points to a next hop that (inadvertently) may be "redistribute-static" injected into BGP. This happens occasionally due to ad hoc configurations, black-hole null routing, etc.
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Paul,
Also: I have seen instances where a static route points to a next hop that (inadvertently) may be "redistribute-static" injected into BGP. This happens occasionally due to ad hoc configurations, black-hole null routing, etc.
And why would an ISP locally try to blackhole traffic bound to some other legitimate address space? Wouldn't this result in this service provider's customers losing connectivity to whatever websites fall behind the IP address block in question? Or is that the intention? If it's done intentionally then it would only make sense if there's a DOS attack coming from that address block, or if there's something "blasphemous" put up there. If none of these, then why locally blackhole traffic? Thanks, Glen
On Sun, Mar 16, 2008 at 2:07 AM, Glen Kent <glen.kent@gmail.com> wrote:
Paul,
Also: I have seen instances where a static route points to a next hop that (inadvertently) may be "redistribute-static" injected into BGP. This happens occasionally due to ad hoc configurations, black-hole null routing, etc.
And why would an ISP locally try to blackhole traffic bound to some other legitimate address space? Wouldn't this result in this service
I think it was Abovenet that blackholed a /24 of (I want to say MAPS, but that's not right) an anti-spam-RBL sometime pre-1999?
provider's customers to lose connectivity to whatever websites fall behind the IP address block in question? Or is that the intention?
perhaps they had a significant number of complaints about the address block and no reaction from the owner(s)? or the address block (or hosts in it) were scanning their infrastructure, or dos'ing it or??? There are a whole host of reasons one might conjecture. In ALL cases you'd never put in a /24 but a pair of /25 so that you didn't become the best path for the rest of the internets...
If it's done intentionally then it would only make sense if there's a DOS attack coming from that address block, or if there's something
dos attack mitigation works best on destinations, not sources... urpf-loose aside, a filter would have solved that form of problem quicker.
"blasphemous" put up there. If none of these, then why locally blackhole traffic?
once upon a time we had a noc person null route a 210.x.x.0/24 block because someone used their email address in the 'from' for a spam run... a swift 'discussion' ensued and they learned there was a better solution to their problem. (swift after the owners of the ip space got a little irate :( ) -Chris
Christopher Morrow wrote:
I think it was Abovenet that blackholed a /24 of (I want to say MAPS, but that's not right) an anti-spam-RBL sometime pre-1999?
If I'm not mistaken, that was ORBS.
perhaps they had a significant number of complaints about the address block and no reaction from the owner(s)? or the address block (or hosts in it) were scanning their infrastructure, or dos'ing it or???
Such action has always been a last-ditch when I've had to deal with severe network abuse/denial of service. Doing it on routers at the network core and not just at the edge where the affected systems or customers interconnect seems pretty severe, though.
There are a whole host of reasons one might conjecture. In ALL cases you'd never put in a /24 but a pair of /25 so that you didn't become the best path for the rest of the internets...
Even then, one would hope filters would be in place to keep it from traversing outside of their local AS, at least in a more perfect world. Of course, another recent incident disproving that theory comes to mind... -Kam
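An added example, not code from any poster in this thread, that audits a constructed Cisco-style config for the two failure modes discussed above: static null routes that an unfiltered "redistribute static" would inject into BGP, and whether a typical max-prefix-length filter at the upstream (the reason for the pair-of-/25s trick) would stop them from propagating. The sample config, AS number, OWN_SPACE and the /24 filter threshold are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample config (not from the thread): operational null routes
# for foreign space sitting next to a bare "redistribute static".
SAMPLE_CONFIG = """
ip route 192.0.2.0 255.255.255.0 Null0
ip route 198.51.100.0 255.255.255.128 Null0
ip route 198.51.100.128 255.255.255.128 Null0
ip route 203.0.113.0 255.255.255.0 Null0
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 redistribute static
"""
# Address space this AS legitimately originates (assumption for the example).
OWN_SPACE = [ipaddress.ip_network("203.0.113.0/24")]
MAX_ACCEPTED_LEN = 24  # typical peer/upstream max-prefix-length filter

def null_routes(config):
    """Return every 'ip route ... Null0' as an IPv4Network."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            for m in re.finditer(r"^ip route (\S+) (\S+) Null0", config, re.M)]

def redistributes_static_unfiltered(config):
    """True if 'router bgp' redistributes statics with no route-map at all."""
    m = re.search(r"^router bgp \d+\n((?: .*\n)*)", config, re.M)
    if not m:
        return False
    return re.search(r"^ redistribute static(?! route-map)", m.group(1), re.M) is not None

def audit(config):
    """Classify each null route by what an unfiltered redistribution would do."""
    findings = {}
    leak = redistributes_static_unfiltered(config)
    for net in null_routes(config):
        if any(net.subnet_of(own) for own in OWN_SPACE):
            findings[str(net)] = "own space"
        elif not leak:
            findings[str(net)] = "local only (static not redistributed)"
        elif net.prefixlen > MAX_ACCEPTED_LEN:
            findings[str(net)] = "injected but likely filtered upstream (> /24)"
        else:
            findings[str(net)] = f"LEAK RISK: foreign /{net.prefixlen} injected into BGP"
    return findings

if __name__ == "__main__":
    for prefix, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{prefix:20} {verdict}")
```

The same audit run with "redistribute static route-map STATIC-TO-BGP" reports every foreign null route as local only, which is the check a reviewer would want before a null route is ever added.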
Kameron Gasso wrote:
Christopher Morrow wrote:
I think it was Abovenet that blackholed a /24 of (I want to say MAPS, but that's not right) an anti-spam-RBL sometime pre-1999?
If I'm not mistaken, that was ORBS.
Correct. A particularly interesting case, since ORBS' transit provider was also a transit customer of Above.net. Said transit provider would announce their /16s, of which ORBS sat in a /24 or two, and have their traffic blackholed. IIRC they punched /24s via their other transit providers to partly resolve the issue. But the rest of the story - let's not go there.
On Mon, 17 Mar 2008, Alastair Johnson wrote:
Correct. A particularly interesting case, since ORBS' transit provider was also a transit customer of Above.net. Said transit provider would announce their /16s, of which ORBS sat in a /24 or two, and have their traffic blackholed.
IIRC they punched /24s via their other transit providers to partly resolve the issue.
But the rest of the story - let's not go there.
Why not? We _used_ to be an Above.net OC3 customer. Back around 2003, we ran into issues with Above.net deciding for us which parts of the internet should be accessible. We got customer complaints that certain web sites were unreachable through us, but worked fine on other internet services. I eventually got Above.net to give me a list of the several dozen /24's they were null routing. This was particularly annoying because they had nothing set up to notify customers of these null routes or allow us to choose not to send them traffic they'd null route. To me, this seemed rather inappropriate behavior for a transit provider.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Mar 16, 2008, at 2:36 AM, Christopher Morrow wrote:
I think it was Abovenet that blackholed a /24 of (I want to say MAPS, but that's not right) an anti-spam-RBL sometime pre-1999?
ORBS, and the only reason it became such a big deal was that Abovenet was the upstream of ORBS' upstream. And that's something people still haven't gotten over.
john@sackheads.org (John Payne) writes:
I think it was Abovenet that blackholed a /24 of (I want to say MAPS, but that's not right) an anti-spam-RBL sometime pre-1999?
ORBS, and the only reason it became such a big deal was that Abovenet was the upstream of ORBS' upstream. And that's something people still haven't gotten over.
this was a simple AUP violation, blown way out of proportion because two of abovenet's executives were also owners of MAPS. without that element, this would just have been a matter of ORBS doing forced open relay scans of the internet and especially of abovenet's other customers, and no one would have been shocked or surprised to see abovenet blackhole them, citing chapter and verse of the abovenet AUP, as well as many equivalent examples. i think, at this stage and at this date, that bringing up the ORBS/abovenet debacle constitutes a "canard", and should be avoided, for the good of all. -- Paul Vixie
On 17 Mar 2008 04:12:13 +0000, Paul Vixie <vixie@isc.org> wrote:
i think, at this stage and at this date, that bringing up the ORBS/abovenet debacle constitutes a "canard", and should be avoided, for the good of all.
Completely unrelated to l'affaire ORBS of course, but in this more recent example, was uunet kenya a transit customer (or customer of a customer) of abovenet? And quoting from a previous email -
--------
An interesting bit is that the current announcement on routeviews directly from AS 6461 has Community 6461:5999 attached:
...
6461
64.125.0.137 from 64.125.0.137 (64.125.0.137)
Origin IGP, metric 0, localpref 100, valid, external, best
Community: 6461:5999
...
According to this, that community is used for "internal prefixes": http://onesc.net/communities/as6461/
"6461:5999 internal prefix"
A "sh ip bgp community 6461:5999" currently yields 130 prefixes with Origin AS of 6461 and that community. Nothing more specific than a /24, although many many adjacent prefixes that would presumably be aggregated normally are announced as well.
-------
anybody see similar routing loops for those other prefixes that'd make it look like 5999 is a blackhole community at abovenet, so this dude is seeing what ORBS saw way back when (2000, right) - that is, he had abuse issues, was downstream of a downstream of abovenet and got his /24 blackholed?
srs
On Mon, Mar 17, 2008 at 01:13:04PM +0530, Suresh Ramasubramanian wrote:
anybody see similar routing loops for those other prefixes that'd make it look like 5999 is a blackhole community at abovenet, so this dude is seeing what ORBS saw way back when (2000, right) - that is, he had abuse issues, was downstream of a downstream of abovenet and got his /24 blackholed?
No, 6461:5999 is definitely not a blackhole community. I'm seeing prefixes tagged 5999 that are reachable. See for example 62.80.96.0/19. The only common factors I can see with these prefixes:
1) They are all announced with an AS path of 6461.
2) A large number seem to be related to dynamic IP internet service. Some are registered to wireless providers, some have reverse DNS that indicates there's DSL behind them. But then there's some stuff that looks to be non-ISP: 204.227.66.0/24 is registered to "Ann Taylor Stores Corp", is part of ARIN assigned 204.227.64/19. However, none of the rest of that /19 is there. Puzzling...
--
Ross Vandegrift
ross@kallisti.us
"The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell." --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37