Re: IPv4 and IPv6 hijacking by AS 6
Randy Bush writes: >> I believe we've seen bogus low AS number announcements a few times >> before, and they've usually been caused by attemts to configure >> AS path prepending without understanding and/or reading the docs. >> >> Someone might have wrongly assumed that >> >>set as-path prepend 133711 133711 >> >> could be written shorter like >> >>set as-path prepend 133711 2 >> >> and there you go... > > for someone else's prefix? No, of course not. At least I have no reason to beliece so. I briefly looked at a couple of the examples Anurag posted. And for those, the next AS number in the path seemed consistent with the prefix owner: * 43.227.224.0/24 208.51.134.254 0 0 3549 3356 6453 4755 133711 133711 133711 2 i * 91.143.144.0/20 208.51.134.254 0 0 3549 3356 12389 41837 41837 2 i bjorn@miraculix:~$ whois 43.227.224.0/24 |grep origin origin: AS133711 origin: AS58965 bjorn@miraculix:~$ whois 91.143.144.0/20 |grep origin origin: AS41837 Bjørn
Re: IPv4 and IPv6 hijacking by AS 6
On Fri, Apr 13, 2018 at 10:35 PM, Randy Bush wrote: > > I believe we've seen bogus low AS number announcements a few times > > before, and they've usually been caused by attemts to configure > > AS path prepending without understanding and/or reading the docs. > > > > Someone might have wrongly assumed that > > > >set as-path prepend 133711 133711 > > > > could be written shorter like > > > >set as-path prepend 133711 2 > > > > and there you go... > > for someone else's prefix? > Perhaps their policy is something like: "prepend all of transit-provider-1 prefixes by 2, their links are crappy today" followed by output policy: "permit all of my prefixes (matched by as-path-regex) and my customer prefixes (matched by community)" there's probably a bunch of ways this can go sideways, that's just one simple (and seen before) example.
Re: IPv4 and IPv6 hijacking by AS 6
> I believe we've seen bogus low AS number announcements a few times > before, and they've usually been caused by attemts to configure > AS path prepending without understanding and/or reading the docs. > > Someone might have wrongly assumed that > >set as-path prepend 133711 133711 > > could be written shorter like > >set as-path prepend 133711 2 > > and there you go... for someone else's prefix?
Re: IPv4 and IPv6 hijacking by AS 6
Dear Jason, On Fri, Apr 13, 2018 at 02:17:47PM -0400, Jason S. Cash wrote: > Yes, ASN2 sees about 1-4 configuration related "rogue" announcements > per month. What is going on right now does not appear to be a small > misconfiguration. > > The only route we (University of Delaware) are announcing w/ ASN2 is > 128.4.0.0/16. Is this actually causing your organisation issues in terms of reachability, or additional workload for staff, or is it just a strange artifact you've learned to live with? Kind regards, Job
Re: IPv4 and IPv6 hijacking by AS 6
On Fri, 13 Apr 2018, Bjørn Mork wrote: Date: Fri, 13 Apr 2018 10:13:47 +0200 From: Bjørn Mork To: Anurag Bhatia Cc: North American Network Operators' Group Subject: Re: IPv4 and IPv6 hijacking by AS 6 Anurag Bhatia writes: Similar for AS2. I believe we've seen bogus low AS number announcements a few times before, and they've usually been caused by attemts to configure AS path prepending without understanding and/or reading the docs. Someone might have wrongly assumed that set as-path prepend 133711 133711 could be written shorter like set as-path prepend 133711 2 and there you go... Yes, ASN2 sees about 1-4 configuration related "rogue" announcements per month. What is going on right now does not appear to be a small misconfiguration. The only route we (University of Delaware) are announcing w/ ASN2 is 128.4.0.0/16. Jason Jason Cash Deputy CIO University of Delaware c...@udel.edu 302-831-0461
Re: IPv4 and IPv6 hijacking by AS 6
Unfortunately, that's how it's done in route policy on XR, so people bouncing between flavors can easily make that mistake. On 4/13/18, 4:15 AM, "NANOG on behalf of Bjørn Mork" wrote: Anurag Bhatia writes: > Similar for AS2. I believe we've seen bogus low AS number announcements a few times before, and they've usually been caused by attemts to configure AS path prepending without understanding and/or reading the docs. Someone might have wrongly assumed that set as-path prepend 133711 133711 could be written shorter like set as-path prepend 133711 2 and there you go... Bjørn
Re: IPv4 and IPv6 hijacking by AS 6
> On Apr 13, 2018, at 12:27 AM, Vincent Bernat wrote: > > Maybe AS6 is used internally by the next AS on the path? I've definitely seen (and sadly, interacted with) operators that solved their "why doesn't non-meshed iBGP do what I'm expecting" problems by simply using different low-numbered ASNs internally (1,2,3... 19) instead of proper private ASNs. Theo
Re: IPv4 and IPv6 hijacking by AS 6
Anurag Bhatia writes: > Similar for AS2. I believe we've seen bogus low AS number announcements a few times before, and they've usually been caused by attemts to configure AS path prepending without understanding and/or reading the docs. Someone might have wrongly assumed that set as-path prepend 133711 133711 could be written shorter like set as-path prepend 133711 2 and there you go... Bjørn
Re: IPv4 and IPv6 hijacking by AS 6
❦ 12 avril 2018 13:51 -0500, Matt Harris : >> Have you tried their IRR entries? Bull appears to redirect to Atos now >> (site-wise). >> >> notify: ed.gie...@atos.net >> notify: charlie.mol...@atos.net >> changed:christophe.fra...@atos.net 20180117 #18:47:40Z >> > > I'm now in touch with Christophe; it looks as though perhaps there's a > separate, rogue AS 6 running around with a different set of peers/transits, > as he was able to confirm that none of his gear is advertising these > prefixes. Maybe AS6 is used internally by the next AS on the path? -- Choose variable names that won't be confused. - The Elements of Programming Style (Kernighan & Plauger)
Re: IPv4 and IPv6 hijacking by AS 6
Similar for AS2. A view from Oregon Route-views for AS2 related paths: * 43.227.224.0/24 208.51.134.254 0 0 3549 3356 6453 4755 133711 133711 133711 2 i *103.197.104.1 0 134708 6453 4755 133711 133711 133711 2 i *212.66.96.126 0 20912 174 6453 4755 133711 133711 133711 2 i *217.192.89.50 0 3303 6453 4755 133711 133711 133711 2 i *203.62.252.83 0 1221 4637 6453 4755 133711 133711 133711 2 i * 43.227.225.0/24 208.51.134.254 0 0 3549 3356 6453 4755 133711 133711 133711 2 i *103.197.104.1 0 134708 6453 4755 133711 133711 133711 2 i *212.66.96.126 0 20912 174 6453 4755 133711 133711 133711 2 i *217.192.89.50 0 3303 6453 4755 133711 133711 133711 2 i *203.62.252.83 0 1221 4637 6453 4755 133711 133711 133711 2 i * 91.143.144.0/20 208.51.134.254 0 0 3549 3356 12389 41837 41837 2 i *212.66.96.126 0 20912 1267 12389 41837 41837 2 i *37.139.139.0 0 57866 6762 12389 41837 41837 2 i *195.208.112.1610 3277 3267 12389 41837 41837 2 i *93.104.209.174 0 58901 51167 3356 12389 41837 41837 2 i *193.0.0.56 0 1103 12389 41837 41837 2 i * 103.63.234.0/24 208.51.134.254 0 0 3549 3356 2914 132602 58715 55406 2 134403 i *212.66.96.126 0 20912 174 132602 58715 55406 2 65501 134403 i *134.222.87.1 650 0 286 6762 132602 58715 55406 2 134403 i *194.85.40.15 0 0 3267 174 132602 58715 55406 2 65501 134403 i *12.0.1.63 0 7018 2914 132602 58715 55406 2 134403 i *37.139.139.0 0 57866 6762 132602 58715 55406 2 134403 i (and lot more!) On Fri, Apr 13, 2018 at 12:31 AM, Job Snijders wrote: > On Thu, 12 Apr 2018 at 11:52, Matt Harris wrote: > > > On Thu, Apr 12, 2018 at 12:05 PM, wrote: > > > > > Have you tried their IRR entries? Bull appears to redirect to Atos now > > > (site-wise). > > > > > > notify: ed.gie...@atos.net > > > notify: charlie.mol...@atos.net > > > changed:christophe.fra...@atos.net 20180117 #18:47:40Z > > > > > > > I'm now in touch with Christophe; it looks as though perhaps there's a > > separate, rogue AS 6 running around with a different set of > peers/transits, > > as he was able to confirm that none of his gear is advertising these > > prefixes. > > > > That is what I feared as well. It appears the single digit ASNs often fall > victim of other people’s misconfigurations or malicious activities. Hard to > separate the impersonator from the real autonomous system. > > Job > -- Anurag Bhatia anuragbhatia.com
Re: IPv4 and IPv6 hijacking by AS 6
On Thu, 12 Apr 2018 at 11:52, Matt Harris wrote: > On Thu, Apr 12, 2018 at 12:05 PM, wrote: > > > Have you tried their IRR entries? Bull appears to redirect to Atos now > > (site-wise). > > > > notify: ed.gie...@atos.net > > notify: charlie.mol...@atos.net > > changed:christophe.fra...@atos.net 20180117 #18:47:40Z > > > > I'm now in touch with Christophe; it looks as though perhaps there's a > separate, rogue AS 6 running around with a different set of peers/transits, > as he was able to confirm that none of his gear is advertising these > prefixes. That is what I feared as well. It appears the single digit ASNs often fall victim of other people’s misconfigurations or malicious activities. Hard to separate the impersonator from the real autonomous system. Job
Re: IPv4 and IPv6 hijacking by AS 6
On Thu, Apr 12, 2018 at 12:05 PM, wrote: > Have you tried their IRR entries? Bull appears to redirect to Atos now > (site-wise). > > notify: ed.gie...@atos.net > notify: charlie.mol...@atos.net > changed:christophe.fra...@atos.net 20180117 #18:47:40Z > I'm now in touch with Christophe; it looks as though perhaps there's a separate, rogue AS 6 running around with a different set of peers/transits, as he was able to confirm that none of his gear is advertising these prefixes. Thanks, Matt
Re: IPv4 and IPv6 hijacking by AS 6
Have you tried their IRR entries? Bull appears to redirect to Atos now (site-wise). notify: ed.gie...@atos.net notify: charlie.mol...@atos.net changed:christophe.fra...@atos.net 20180117 #18:47:40Z On Thu, Apr 12, 2018, at 9:34 AM, Matt Harris wrote: > AS 6 is now announcing several IPv4 and IPv6 blocks of mine, and it looks > like I'm not alone. Does anyone have any contacts there, or know what > might be going on? The number of prefixes they're currently advertising is > tremendous. The phone numbers associated with AS6's RIR whois data are > non-functional. I've sent emails to their contacts listed in RIR whois > (Mike Abbott and John Luke Mills), but with phone numbers being dead, I'm > not optimistic. > > If anyone is there who has any control over AS 6 or knows whom I can reach > out to, please let me know. > > Thanks, > Matt
Re: IPv4 and IPv6 hijacking by AS 6
On Thu, Apr 12, 2018 at 8:34 PM, Matt Harris wrote: > AS 6 is now announcing several IPv4 and IPv6 blocks of mine, and it looks > like I'm not alone. Does anyone have any contacts there, or know what > might be going on? The number of prefixes they're currently advertising is > tremendous. The phone numbers associated with AS6's RIR whois data are > non-functional. I've sent emails to their contacts listed in RIR whois > (Mike Abbott and John Luke Mills), but with phone numbers being dead, I'm > not optimistic. > I think that it's an issue. Perhaps, also consider filing a request here: https://www.arin.net/public/whoisinaccuracy/index.xhtml > If anyone is there who has any control over AS 6 or knows whom I can reach > out to, please let me know. > > Thanks, > Matt
IPv4 and IPv6 hijacking by AS 6
AS 6 is now announcing several IPv4 and IPv6 blocks of mine, and it looks like I'm not alone. Does anyone have any contacts there, or know what might be going on? The number of prefixes they're currently advertising is tremendous. The phone numbers associated with AS6's RIR whois data are non-functional. I've sent emails to their contacts listed in RIR whois (Mike Abbott and John Luke Mills), but with phone numbers being dead, I'm not optimistic. If anyone is there who has any control over AS 6 or knows whom I can reach out to, please let me know. Thanks, Matt