Re: BGPMON Alert Questions

2014-04-10 Thread Randy Bush
 Yes, we don't validate those prefixes cause we filter them strict.

in our measurements, an rpki-based origin check is significantly faster
than an acl of non-trivial length.

randy



Re: BGPMON Alert Questions

2014-04-10 Thread Mark Tinka
On Thursday, April 10, 2014 09:18:34 AM Randy Bush wrote:

 in our measurements, an rpki-based origin check is
 significantly faster than an acl of non-trivial length.

Ultimately, at some point in the future, it is not 
completely unreasonable to think that some operators could 
attempt control plane filtering based purely on RPKI-based 
origin and AS_PATH validation, without actually needing to 
configure prefix or AS_PATH lists :-).

Wouldn't that be something...

Mark.


signature.asc
Description: This is a digitally signed message part.


Re: BGPMON Alert Questions

2014-04-10 Thread Randy Bush
as folk start to roll out rejection of invalids, we might think about
how we report problems with folk registering inadequate roas, covering
their customers, covering their deaggs (maybe deaggs get what they
deserve), etc.  if they are not clued enough to generate prudent roas,
they will not be clued enough to generate ghostbusters (and neither
ripe's nor apnic's software supports gbrs today).  

if my customer can not reach foo's customer, will foo's rir be willing
to help?  if foo's customer can not reach mine, how to let foo know who
to call/write?  do we need conventions?

randy



Re: BGPMON Alert Questions

2014-04-10 Thread Mark Tinka
On Thursday, April 10, 2014 12:30:51 PM Randy Bush wrote:

 as folk start to roll out rejection of invalids, we might
 think about how we report problems with folk registering
 inadequate roas, covering their customers, covering
 their deaggs (maybe deaggs get what they deserve), etc. 
 if they are not clued enough to generate prudent roas,
 they will not be clued enough to generate ghostbusters
 (and neither ripe's nor apnic's software supports gbrs
 today).

Agree.

If you are clued enough to generate ROA's, you are clued 
enough to generate ROA's for the de-aggregates (or, at 
least, respond to the errors that indicate that). But the 
reverse is also true.

It would be useful to use BGPmon's free RPKI validation 
feature, which e-mails you, incessantly, about validation 
failures due to un-ROA'd de-aggregates.

It will also help if the CA's run by the RIR's support 
prefix length definitions. For the Africa region, AFRINIC 
currently do not, meaning every de-aggregate needs to be 
ROA'd. It's planned, though...

 if my customer can not reach foo's customer, will foo's
 rir be willing to help?  if foo's customer can not reach
 mine, how to let foo know who to call/write?  do we need
 conventions?

This was one of the questions I've always pondered, and if 
you recall, was part of our panel discussion on the subject 
in Xi'an last year.

I think it would be helpful if CA delegation was supported 
by RIR's, and supported well, so that customers can deal 
with their ISP's CA instead of having to deal with the RIR 
instead (particularly for situations where RIR's aren't 24/7 
shops).

On the monitoring side, it will be critical for ISP's to 
provide looking glasses that customers can use to verify the 
delta between what has been ROA'd and what has been 
announced/rejected, particularly in the case of un-ROA'd de-
aggregates.

Mark.
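
Added example, not part of any poster's message or code: a sketch of RFC 6811-style origin validation showing why an aggregate-only ROA turns a customer's un-ROA'd de-aggregates Invalid, and how a maxLength (the "prefix length definitions" mentioned above) changes the delta between what is ROA'd and what is announced. The ROAs, prefixes, AS numbers and reason strings are constructed for illustration.

```python
"""RFC 6811-style route origin validation (added example; all data constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str                        # authorised aggregate
    asn: int                           # authorised origin AS
    max_length: Optional[int] = None   # None: only the ROA's own prefix length is authorised

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def effective_max_length(self) -> int:
        return self.network.prefixlen if self.max_length is None else self.max_length


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> Tuple[str, str]:
    """Return (state, reason) with state in {"valid", "invalid", "notfound"}."""
    route = ipaddress.ip_network(prefix)
    # A ROA covers the route if the route is equal to or more specific than the ROA prefix.
    covering = [r for r in roas
                if r.network.version == route.version and route.subnet_of(r.network)]
    if not covering:
        return ("notfound", "no-covering-roa")
    # A ROA for AS 0 never matches any origin.
    same_origin = [r for r in covering if r.asn == origin_asn and r.asn != 0]
    if any(route.prefixlen <= r.effective_max_length for r in same_origin):
        return ("valid", "")
    if same_origin:
        # Right origin, but the announcement is longer than any ROA allows:
        # the "forgot to ROA the de-aggregate" case discussed in the thread.
        return ("invalid", "longer-than-maxlength")
    return ("invalid", "origin-not-authorised")


def invalid_report(announcements: Iterable[Tuple[str, int]],
                   roas: Iterable[ROA]) -> List[Tuple[str, int, str]]:
    """List the announcements a network dropping Invalids would reject, with the reason."""
    roas = list(roas)
    report = []
    for prefix, asn in announcements:
        state, reason = validate(prefix, asn, roas)
        if state == "invalid":
            report.append((prefix, asn, reason))
    return report


# Constructed data: private/documentation prefixes and documentation AS numbers.
AGGREGATE_ONLY = [ROA("10.20.0.0/16", 64496), ROA("2001:db8::/32", 64496)]
WITH_MAXLENGTH = [ROA("10.20.0.0/16", 64496, max_length=24),
                  ROA("2001:db8::/32", 64496, max_length=48)]
ANNOUNCED = [
    ("10.20.0.0/16", 64496),      # the aggregate itself
    ("10.20.5.0/24", 64496),      # customer de-aggregate, right origin
    ("2001:db8:5::/48", 64496),   # IPv6 de-aggregate, right origin
    ("10.20.9.0/24", 64511),      # same space originated by another AS
    ("192.0.2.0/24", 64500),      # no ROA at all
]

if __name__ == "__main__":
    for label, roas in (("aggregate-only ROAs", AGGREGATE_ONLY),
                        ("ROAs with maxLength", WITH_MAXLENGTH)):
        print(label)
        for row in invalid_report(ANNOUNCED, roas):
            print("  invalid:", row)
```

With the aggregate-only ROAs the two correctly originated de-aggregates are reported alongside the mis-origination; with maxLength set, only the mis-origination remains.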




Re: BGPMON Alert Questions

2014-04-10 Thread Tony Tauber
On Thu, Apr 10, 2014 at 9:26 AM, Mark Tinka mark.ti...@seacom.mu wrote:

 On Thursday, April 10, 2014 12:30:51 PM Randy Bush wrote:

  as folk start to roll out rejection of invalids, we might
  think about how we report problems with folk registering
  inadequate roas, covering their customers, covering
  their deaggs (maybe deaggs get what they deserve), etc.
  if they are not clued enough to generate prudent roas,
  they will not be clued enough to generate ghostbusters
  (and neither ripe's nor apnic's software supports gbrs
  today).

 snip


 It would be useful to use BGPmon's free RPKI validation
 feature, which e-mails you, incessantly, about validation
 failures due to un-ROA'd de-aggregates.


This seems like a good idea, and it would also be good to know how else to know
I've broken something.

There's a BGP Visibility Project http://visibility.it.uc3m.es/
which perhaps could be brought to bear.

Other thoughts out there?

Tony


Re: BGPMON Alert Questions

2014-04-08 Thread Jac Kloots


Hi Mark,

On Thu, 3 Apr 2014, Mark Tinka wrote:

 On Thursday, April 03, 2014 02:22:44 AM Randy Bush wrote:

  and, btw, how many of those whose prefixes were
  mis-originated had registered those prefixes in the
  rpki?

 It is probably a bit of a hammer at this stage, but we are
 in limited deployment of dropping all Invalids using RPKI.

 We shall be rolling out, network-wide, in 2014, where all
 Invalids are dropped. At this stage, short of a mis-
 origination, it's mostly longer prefixes of an aggregate
 that are not ROA'd.


Great to hear more people are planning on dropping all Invalids.

We (SURFnet, AS1103) are in the same position and I wrote an article about 
the evaluation we did before deciding on dropping invalids 
(https://blog.surfnet.nl/?p=3159)


I would encourage more people to do a similar analysis and start using a 
RPKI routing policy and start dropping invalids.


Only when people start using RPKI the way it is proposed to 
(http://tools.ietf.org/html/rfc7115)  we _all_ can benefit from this.


Regards,

Jac

--
Jac Kloots
Network Services
SURFnet bv



Re: BGPMON Alert Questions

2014-04-08 Thread Mark Tinka
On Tuesday, April 08, 2014 11:24:07 AM Jac Kloots wrote:

 We (SURFnet, AS1103) are in the same position and I wrote
 an article about the evaluation we did before deciding
 on dropping invalids (https://blog.surfnet.nl/?p=3159)

Sounds great, Jac!

In your report, you mention that you're not validating 
customer prefixes. Is this still the case?

Mark.




Re: BGPMON Alert Questions

2014-04-08 Thread Jac Kloots


Mark,

On Tue, 8 Apr 2014, Mark Tinka wrote:

 On Tuesday, April 08, 2014 11:24:07 AM Jac Kloots wrote:

  We (SURFnet, AS1103) are in the same position and I wrote
  an article about the evaluation we did before deciding
  on dropping invalids (https://blog.surfnet.nl/?p=3159)

 Sounds great, Jac!

 In your report, you mention that you're not validating
 customer prefixes. Is this still the case?


Yes, we don't validate those prefixes cause we filter them strict. We know 
from all our customers which prefixes they use so we have prefix-filters 
placed on all their connections.


Jac

--
Jac Kloots
Network Services
SURFnet bv



Re: BGPMON Alert Questions

2014-04-08 Thread Mark Tinka
On Tuesday, April 08, 2014 01:20:23 PM Jac Kloots wrote:

 Yes, we don't validate those prefixes cause we filter
 them strict. We know from all our customers which
 prefixes they use so we have prefix-filters placed on
 all their connections.

Good point.

We do both - prefix list + AS_PATH filtering as well as 
origin validation.

At this point, you're likely to lose longer prefixes from 
customers if they forgot to ROA them, but the rationale is 
that if a customer has sufficient clue to ROA their 
aggregate, they can quickly ROA a de-aggregate or fix it in 
case they forgot.

Mark.




Re: BGPMON Alert Questions

2014-04-06 Thread Sharon Goldberg
On Sat, Apr 5, 2014 at 7:11 AM, Mark Tinka mark.ti...@seacom.mu wrote:

 So do you know whether anyone has any idea about what the
 top 10 global carriers are doing re: RPKI?

 Thinking? Justifying? Testing? Ignoring?


These looking glasses are helpful:
http://www.labs.lacnic.net/rpkitools/looking_glass/
http://www-x.antd.nist.gov/rpki-monitor/
http://certification-stats.ripe.net/
http://rpki.surfnet.nl/index.html

But naturally it's harder to see who has turned on origin validation.

Sharon

-- 
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe


Re: BGPMON Alert Questions

2014-04-06 Thread Mark Tinka
On Sunday, April 06, 2014 02:34:47 PM Sharon Goldberg wrote:

 But naturally it's harder to see who has turned on origin
 validation.

Indeed, especially since there is no co-relation between 
providers issuing ROA's for their own allocations and 
turning on origin validation in their network.

Mark.




Re: BGPMON Alert Questions

2014-04-05 Thread Mark Tinka
On Friday, April 04, 2014 09:58:42 AM Vitkovský Adam wrote:

 I wonder when (or if ever) we'll have such a discussion
 about data packets, i.e. finding that someone is not
 doing packet-filtering based on BGP updates is
 absolutely and unacceptably shocking!

Well, filtering in the data plane is slightly easier because 
a single subnet can cover all traffic coming from individual 
sources or going to individual destinations.

In the control plane, the industry like to filter on 
specific prefixes agreed between customer and provider, 
especially when using automated tools such as RPSL. This can 
get hairy as configurations become large, where a single 
entry with le 24 or le 48 could have sufficed.

On the other hand, if you're not automating control plane 
filters to some extent, it becomes messy as you get bigger.

Mark.




Re: BGPMON Alert Questions

2014-04-05 Thread Mark Tinka
On Friday, April 04, 2014 12:31:35 PM Benno Overeinder 
wrote:

 With ROAs published and a small percentage (order of 5%)
 of the largest ISPs doing route origin validation, this
 would filter the incorrect announcement and result in
 about ~98% globally correct routes in the 35000 ASes
 (this work is done a couple years ago).  With no route
 origin validation (or any other filtering) the
 percentage of correct routes at the ASes would be ~25%
 globally.  Again, this was a specific scenario.

So do you know whether anyone has any idea about what the 
top 10 global carriers are doing re: RPKI?

Thinking? Justifying? Testing? Ignoring?

Mark.




Re: BGPMON Alert Questions

2014-04-05 Thread Mark Tinka
On Friday, April 04, 2014 05:17:36 PM Sharon Goldberg wrote:

 Right, we didn't include that in our analysis because we
 didn't have a good sense for how many ISPs actually do
 filter their downstream downstreams. So we chose to give
 a conservative estimate of the impact of prefix
 filtering in partial deployment: we assumed that no one
 filters their downstreams downstreams.  I'm honestly not
 sure exactly what including this assumption would do to
 our results, except to say that it would make them
 better (ie. that more attacks would be stopped).  Might
 be a good experiment for one of my summer interns.

I've typically been on the side where we filter just the 
downstream and apply AS_PATH filtering liberally for their 
downstreams.

At $current_job, we're now filtering both downstream and 
downstream's downstreams on AS_PATH + prefix list, taking 
the prefix aggregate and suffixing le 24 or le 48.

We are now thinking about how to scale this without using 
RPSL, as that creates lots and lots of clutter in the 
configuration, as well as sub-optimal forwarding when 
customers are sending routes you aren't accepting when they 
forget that RPSL-based filtering is prefix-specific.

Mark.




RE: BGPMON Alert Questions

2014-04-04 Thread Vitkovský Adam
 That Upstream B is simply accepting everything
 their customer is sending to them without applying proper filters, or checking
 to confirm that what their customer needs to send them should come from
 them is absolutely and unacceptably shocking!

I wonder when (or if ever) we'll have such a discussion about data packets, 
i.e. finding that someone is not doing packet-filtering based on BGP updates is 
absolutely and unacceptably shocking! 

adam



Re: BGPMON Alert Questions

2014-04-04 Thread Benno Overeinder
On 04/04/2014 05:06 AM, Sharon Goldberg wrote:
 Finally, like Randy says, RPKI deploys quite different from BGPSEC. My
 intuition says that (1) once the RPKI is fully populated with ROAs for all
 originated prefixes, then (2) a partial deployment of origin validation at
 a few large ISPs should be fairly effective. But I would have to validate
 this with experiments before I can be sure, or say exactly how many ISPs,
 etc.

Indeed.  A MSc. project did a (limited) evaluation measuring the effects
of RPKI route origin validation of a Dutch ISP xs4all whose prefixes
were incorrectly injected by another (larger according to CAIDA cone
ranking) European ISP.

With ROAs published and a small percentage (order of 5%) of the largest
ISPs doing route origin validation, this would filter the incorrect
announcement and result in about ~98% globally correct routes in the
35000 ASes (this work is done a couple years ago).  With no route origin
validation (or any other filtering) the percentage of correct routes at
the ASes would be ~25% globally.  Again, this was a specific scenario.

See for results and figures the slides at
http://www.caida.org/workshops/bgp-traceroute/slides/bgp-traceroute1108_rpki_deployment_study.pdf
(slide 18).

Best,

-- Benno

-- 
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/




Re: BGPMON Alert Questions

2014-04-04 Thread Sharon Goldberg
On Fri, Apr 4, 2014 at 1:15 AM, Mark Tinka mark.ti...@seacom.mu wrote:

 On Friday, April 04, 2014 05:06:22 AM Sharon Goldberg wrote:

  We also looked at prefix filtering and found that it has
  better partial deployment characteristics. Our analysis
  assumed that ISPs only filter routes from their *stub*
  customers. (We defined a stub an AS that does not have
  its own customers.)

 Just curious; in your considerations, how would/did you
 treat cases where ISP's filter their downstreams, to include
 their downstream's downstreams?


Right, we didn't include that in our analysis because we didn't have a good
sense for how many ISPs actually do filter their downstream downstreams.
So we chose to give a conservative estimate of the impact of prefix
filtering in partial deployment: we assumed that no one filters their
downstreams downstreams.  I'm honestly not sure exactly what including this
assumption would do to our results, except to say that it would make them
better (ie. that more attacks would be stopped).  Might be a good
experiment for one of my summer interns.

Actually, since this is NANOG, might as well ask:

Do you all view filtering your downstream's downstreams as much more
difficult than filtering only downstreams, or only stub ASes?   Do you have
a sense for how many networks filter only their direct downstreams but no
further, versus those that also filter downstreams downstreams?

Sharon

-- 
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe


Re: BGPMON Alert Questions

2014-04-04 Thread Nick Hilliard
On 04/04/2014 16:17, Sharon Goldberg wrote:
 we assumed that no one filters their downstreams downstreams.

plenty of organisations do this.  it can easily be done with irrdb AS sets.

Nick



Re: BGPMON Alert Questions

2014-04-04 Thread Sharon Goldberg
On Fri, Apr 4, 2014 at 11:17 AM, Sharon Goldberg gol...@cs.bu.edu wrote


 Actually, since this is NANOG, might as well ask:

 Do you all view filtering your downstream's downstreams as much more
 difficult than filtering only downstreams, or only stub ASes?   Do you have
 a sense for how many networks filter only their direct downstreams but no
 further, versus those that also filter downstreams downstreams?


I set up a quick anonymous survey (2 questions) to gather some info on
this.
If you have a minute, go here:

https://docs.google.com/forms/d/1x6Bbe7OYvuWeOzO8xpxbIZzW3N14wI1SVVbQer4FSa4/viewform

We will share our anonymized results on NANOG.

Thanks,
Sharon


Re: BGPMON Alert Questions

2014-04-03 Thread Randy Bush
 So we're somewhat safe until the fast food burger grills and fries
 cookers advance to level-3 routing?  Or Daquiri blenders get their own
 ASNs? 

that happened in the late '90s

 Bad enough that professional folks can goof to this extent

luckily, you, valdis, and i never make mistakes :)

the point is to engineer the network so we are not affected by the
inevitable mistakes

as chris and i were noting privately, this seems not to have damaged a
lot of traffic, more than compensated for by the traffic on nanog :)

randy



Re: BGPMON Alert Questions

2014-04-03 Thread Valdis . Kletnieks
On Thu, 03 Apr 2014 15:00:41 +0900, Randy Bush said:

  Bad enough that professional folks can goof to this extent

 luckily, you, valdis, and i never make mistakes :)

You must have me confused with somebody else.  I wouldn't have a world-wide
reputation for getting myself out of holes I've dug if I wasn't incredible
at hole digging in the first place. :)




Re: BGPMON Alert Questions

2014-04-03 Thread Matthew Walster
On 3 April 2014 04:43, Randy Bush ra...@psg.com wrote:

 i very much doubt this is a 7007, where bgp was redistributed into rip,
 which sliced it into a jillion /24s, and then redistributed from rip
 back into bgp.


I could be wrong, but I thought AS7007 was nothing to do with RIP?

http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html

M


Re: BGPMON Alert Questions

2014-04-03 Thread Mark Tinka
On Wednesday, April 02, 2014 08:59:58 PM Justin M. Streiner 
wrote:

 It's pretty clear that both parties have dropped the ball
 in a big way, in terms of sane BGP filtering practices.

It's amazing, isn't it?

I have a customer of one my upstreams (Upstream A), at the 
moment, who are leaking my routes to another one of their 
upstreams (Upstream B). The problem is that Upstream B is 
re-announcing my leaked routes from their customer to the 
rest of the Internet.

So both Upstream B's customer as well as Upstream B are at 
fault. That Upstream B is simply accepting everything 
their customer is sending to them without applying proper 
filters, or checking to confirm that what their customer 
needs to send them should come from them is absolutely and 
unacceptably shocking!

A lot of people seem to have forgotten 2008.

Mark.




Re: BGPMON Alert Questions

2014-04-03 Thread ML


On 4/2/2014 11:30 PM, Barry Greene wrote:

Hi Team,

Confirmation from my team talking directly to Indosat - self-inflicted with a 
bad update during a maintenance window. Nothing malicious or intentional.

Barry


Did you get any details on what specifically went wrong?  I don't recall 
any switch in my routing gear to re-originate every prefix on the 
planet as my own.




Re: BGPMON Alert Questions

2014-04-03 Thread Nick Hilliard
On 03/04/2014 13:09, ML wrote:
 Did you get any details on what specifically went wrong?  I don't recall
 any switch in my routing gear to re-originate every prefix on the planet
 as my own.

Easy enough to do by e.g. redistributing your ebgp into your IGP and then
back again, or by a variety of other means.  It happened between 05:00 and
06:00 local time, so it's reasonable to assume that it was maintenance gone
wrong.  Horribly wrong.

Nick




Re: BGPMON Alert Questions

2014-04-03 Thread Mark Tinka
On Thursday, April 03, 2014 02:22:44 AM Randy Bush wrote:

 and, btw, how many of those whose prefixes were
 mis-originated had registered those prefixes in the
 rpki?

It is probably a bit of a hammer at this stage, but we are 
in limited deployment of dropping all Invalids using RPKI.

We shall be rolling out, network-wide, in 2014, where all 
Invalids are dropped. At this stage, short of a mis-
origination, it's mostly longer prefixes of an aggregate 
that are not ROA'd.

I was asleep when Indosat was mis-originating, but it'd have 
been nice to see what our test-bed was doing to any Indosat-
injected prefixes that have ROA's.

Mark.




Re: BGPMON Alert Questions

2014-04-03 Thread Randy Bush
 It is probably a bit of a hammer at this stage, but we are 
 in limited deployment of dropping all Invalids using RPKI.
 
 We shall be rolling out, network-wide, in 2014, where all 
 Invalids are dropped. At this stage, short of a mis-
 origination, it's mostly longer prefixes of an aggregate 
 that are not ROA'd.

sadly, my (legacy) address space is in the arin region.  and arin does
not see allowing me to protect my prefixes from mis-origination as a
serious goal.

randy



Re: BGPMON Alert Questions

2014-04-03 Thread Randy Bush
 I wonder who we should be going after here? Indosat or their 
 upstream? Probably both, since if this happened with an ISP 
 deeper in the Internet core, chances are they don't have 
 what our concept of an upstream is.

you want revenge or to prevent the effects of recurrence?

one nice thing about origin validation is that anyone who validates
anywhere on the internet can reject the mis-origination(s).

randy



Re: BGPMON Alert Questions

2014-04-03 Thread Anthony Williams


Was a specific Upstream at fault or several upstream providers? It
appears they have 9 upstream links --
http://www.cidr-report.org/cgi-bin/as-report?as=4761



On 4/3/2014 8:41 AM, Mark Tinka wrote:
 I wonder who we should be going after here? Indosat or their 
 upstream?




Re: BGPMON Alert Questions

2014-04-03 Thread Nick Hilliard
On 03/04/2014 13:41, Mark Tinka wrote:
 max-prefix could have come in handy here. But this is an 
 old song (let alone prefix filtering or RPKI).

I'm currently seeing ~100 prefixes originating from 4761, and an additional
725 transited through 4761.  This would not be difficult to handle with
prefix lists, assuming some level of automation.

Nick





Re: BGPMON Alert Questions

2014-04-03 Thread Mark Tinka
On Thursday, April 03, 2014 02:51:20 PM Randy Bush wrote:

 you want revenge or to prevent the effects of recurrence?

I'd like to consider targeted suggestions for fixes that 
address the specific challenges affecting seasoned 
upstreams vs. their downstream customers.

I can understand how an ISP with relatively little 
experience can mess this up (and glad to help here to 
educate wherever possible). But if an established provider 
is still struggling with this, why is that? 

 one nice thing about origin validation is that anyone who
 validates anywhere on the internet can reject the
 mis-origination(s).

+1.

Mark.




RE: BGPMON Alert Questions

2014-04-03 Thread John York
We have a registered prefix that was affected. The RPKI may have helped
though; only one BGPMON peer saw the mis-originated route. Much better
than being on the 10+ list.

-Original Message-
From: Randy Bush [mailto:ra...@psg.com]
Sent: Wednesday, April 02, 2014 7:23 PM
To: North American Network Operators' Group
Subject: Re: BGPMON Alert Questions

note joel's careful use of 'injected'.  imiho, 'hijacked' is pejorative
implying evil intent.  i very much doubt that is the case here.  it
looks much more like an accident.  could we try to be less accusatory
with our language.  'injected', 'mis-originated', ... would seem to
describe the situation.

and, btw, how many of those whose prefixes were mis-originated had
registered those prefixes in the rpki?

randy




Re: BGPMON Alert Questions

2014-04-03 Thread Christopher Morrow
On Thu, Apr 3, 2014 at 9:15 AM, Mark Tinka mark.ti...@seacom.mu wrote:
 On Thursday, April 03, 2014 02:51:20 PM Randy Bush wrote:

 you want revenge or to prevent the effects of recurrence?

 I'd like to consider targeted suggestions for fixes that
 address the specific challenges affecting seasoned
 upstreams vs. their downstream customers.

at this point it's hard to come up with a suggestion aside from:
stop being negligent :(

if after so many incidents and so many years, and seeing so many of
your friends trip on the stairs and break an arm, you'd think
providers would route-filter their customers just to avoid going to
the hospital.

 I can understand how an ISP with relatively little
 experience can mess this up (and glad to help here to
 educate wherever possible). But if an established provider
 is still struggling with this, why is that?

I'm going to guess:
  1) who's going to pay for the filtering setup work?
  2) we have always done it this way... why change?
  3) adrenaline rush?

 one nice thing about origin validation is that anyone who
 validates anywhere on the internet can reject the
 mis-origination(s).

 +1.

 Mark.



Re: BGPMON Alert Questions

2014-04-03 Thread Mark Tinka
On Thursday, April 03, 2014 02:57:31 PM Nick Hilliard wrote:

 I'm currently seeing ~100 prefixes originating from 4761,
 and an additional 725 transited through 4761.  This
 would not be difficult to handle with prefix lists,
 assuming some level of automation.

Indeed.

I, for example, have an upstream that filters only on 
AS_PATH. Naturally, we are quite aggressive and insistent 
about filtering both on AS_PATH and prefix list across 
interconnects to our downstreams, but if things were to blow 
up on our side, the upstream in question would not be 
protected (unless, of course, they are relying on max-
prefix as well).

Mark.




Re: BGPMON Alert Questions

2014-04-03 Thread Mark Tinka
On Thursday, April 03, 2014 02:52:16 PM Anthony Williams 
wrote:

  Was a specific Upstream at fault or several upstream
 providers? It appears they have 9 upstream links --
 http://www.cidr-report.org/cgi-bin/as-report?as=4761

There probably won't be only one provider at fault. It could 
be all an ISP's providers are at fault, or it could be that 
two providers along a single AS_PATH are simultaneously at 
fault.

It's a big weakness of our Internet, but we still need to 
figure out the best way to fix it, until, at least, RPKI is 
more widely adopted.

At this stage, it appears education, and implementation of 
that education, is our only recourse. But how do we do this 
at scale?

Mark.




Re: BGPMON Alert Questions

2014-04-03 Thread Mark Tinka
On Thursday, April 03, 2014 03:55:11 PM Christopher Morrow 
wrote:

 I'm going to guess:
   1) who's going to pay for the filtering setup work?

Well, your customers are paying you to ensure they don't get 
cut off due to your negligence.

You also don't want to become a watch-out-for-that-one 
peer within the community.

But, perhaps those two ideals are not significant motivation 
for change :-\.

   2) we have always done it this way... why change?

This is probably a more endemic issue of our industry, where 
operators find it hard to keep up with the times (there is 
no shortage of -bis or BCP documents) through actual 
useful implementation (BCP-38) vs. talk (SDN hype).

In the case of nailing routing filters for customers, one 
thought that comes to mind is if your organization is large 
enough, throw a warm body at the issue. There are lots of 
interns or folk you can hire on a temporary basis to focus 
on cleaning all this up, and getting the NOC trained and 
clued up on the new strategy. The new strategy is not just 
shiny, it could actually save you loss of customers and 
community respect.

But that's just me...

Mark.




Re: BGPMON Alert Questions

2014-04-03 Thread Christopher Morrow
On Thu, Apr 3, 2014 at 11:05 AM, Mark Tinka mark.ti...@seacom.mu wrote:
 On Thursday, April 03, 2014 03:55:11 PM Christopher Morrow
 wrote:

 I'm going to guess:
   1) who's going to pay for the filtering setup work?

 Well, your customers are paying you to ensure they don't get
 cut off due to your negligence.

I think you mean they are paying me to carry their bits across the network...
and they are paying me to do it with minimal hassle to THEM... telling
me prefixes to add to their list is hassle.

 You also don't want to become a watch-out-for-that-one
 peer within the community.


sure... not sure how much that matters to higher-ups? there's no such
thing as bad PR, right?

 But, perhaps those two ideals are not significant motivation
 for change :-\.

apparently they are not.

   2) we have always done it this way... why change?

 This is probably a more endemic issue of our industry, where
 operators find it hard to keep up with the times (there is
 no shortage of -bis or BCP documents) through actual
 useful implementation (BCP-38) vs. talk (SDN hype).

 In the case of nailing routing filters for customers, one
 thought that comes to mind is if your organization is large
 enough, throw a warm body at the issue. There are lots of
 interns or folk you can hire on a temporary basis to focus
 on cleaning all this up, and getting the NOC trained and

there's a salient point about training time and internal systems
complexity to keep in mind here as well :(

 clued up on the new strategy. The new strategy is not just
 shiny, it could actually save you loss of customers and
 community respect.

agreed.


 But that's just me...

it's not just you.



Re: BGPMON Alert Questions

2014-04-03 Thread Mark Tinka
On Thursday, April 03, 2014 05:13:40 PM Christopher Morrow 
wrote:

 I think you mean they are paying me to carry their bits
 across the network... and they are paying me to do it
 with minimal hassle to THEM... telling me prefixes to
 add to their list is hassle.

Agree - but, as an operator, that is my problem. Not my 
customer's problem.

 there's a salient point about training time and internal
 systems complexity to keep in mind here as well :(

The ground is littered with pot holes. They are everywhere 
you turn.

Mark.




Re: BGPMON Alert Questions

2014-04-03 Thread Tony Tauber
On Thu, Apr 3, 2014 at 11:13 AM, Christopher Morrow morrowc.li...@gmail.com
 wrote:

 On Thu, Apr 3, 2014 at 11:05 AM, Mark Tinka mark.ti...@seacom.mu wrote:
  On Thursday, April 03, 2014 03:55:11 PM Christopher Morrow
  wrote:
 
  I'm going to guess:
    1) who's going to pay for the filtering setup work?
 
  Well, your customers are paying you to ensure they don't get
  cut off due to your negligence.

 I think you mean they are paying me to carry their bits across the
 network...
 and they are paying me to do it with minimal hassle to THEM... telling
 me prefixes to add to their list is hassle.


I know this old saw and sales people will apply pressure to Ops if their
customers balk at the extra overhead.
The time is now to push back, hard, against that practice.
I realize you know this, Chris but are trying to characterize the mindset.


  The new strategy is not just
  shiny, it could actually save you loss of customers and
  community respect.

 agreed.

 
  But that's just me...

 it's not just you


Yes, let's seize the bull by the horns.

Tony


Re: BGPMON Alert Questions

2014-04-03 Thread Christopher Morrow
On Thu, Apr 3, 2014 at 2:31 PM, Tony Tauber ttau...@1-4-5.net wrote:
 On Thu, Apr 3, 2014 at 11:13 AM, Christopher Morrow
 morrowc.li...@gmail.com wrote:

 I know this old saw and sales people will apply pressure to Ops if their
 customers balk at the extra overhead.
 The time is now to push back, hard, against that practice.
 I realize you know this, Chris but are trying to characterize the mindset.


I agree with you (both tony and mark)... the mindset was the point,
and getting over that is certainly something we all should do.

-chris



Re: BGPMON Alert Questions

2014-04-03 Thread Randy Bush
 one nice thing about origin validation is that anyone who validates
 anywhere on the internet can reject the mis-origination(s).
 +1.

a non-op sec person who follows nanog in read-only mode pointed out in
private email that this is a subtle difference from prefix filtering.
in general, i can not prefix filter N hops away.

randy



Re: BGPMON Alert Questions

2014-04-03 Thread Randy Bush
 Good point, which makes me ask: So which 5 to 10 networks,
 implementing source validation, could result in the greatest
 coverage or protection for the largest part of the Internet

to the best of my knowledge, no one has looked at this for origin
validation.  sharon goldberg and co-conspirators have done a lot
of work in the area, see her pubs at https://www.cs.bu.edu/~goldbe/.
but the concentration seems to be on bgpsec which deploys quite
differently

randy



Re: BGPMON Alert Questions

2014-04-03 Thread Sharon Goldberg
On Thu, Apr 3, 2014 at 8:50 PM, Randy Bush ra...@psg.com wrote:

  Good point, which makes me ask: So which 5 to 10 networks,
  implementing source validation, could result in the greatest
  coverage or protection for the largest part of the Internet

 to the best of my knowledge, no one has looked at this for origin
 validation.  sharon goldberg and co-conspirators have done a lot
 of work in the area, see her pubs at https://www.cs.bu.edu/~goldbe/.
 but the concentration seems to be on bgpsec which deploys quite
 differently

Right, we (and others) have not looked at the efficacy of a partial
deployment of origin validation (using the RPKI) yet.

But, we did look at partial deployments of BGPSEC.  We found that a large
number of networks (around 50% of ASes) need to deploy BGPSEC before its
security benefits really kick in.  The reasons for this include (1) routing
policies during partial deployment might not prioritize the BGPSEC validity
over its AS path or local pref, (2) you need every node on an AS path to
deploy BGPSEC before it works.  Full paper here:
https://www.cs.bu.edu/~goldbe/papers/partialSec.pdf

We also looked at prefix filtering and found that it has better partial
deployment characteristics. Our analysis assumed that ISPs only filter
routes from their *stub* customers. (We defined a stub as an AS that does not
have its own customers.)  Then we looked at the fraction of attacks that
would be eliminated, if the X largest ISPs correctly implemented prefix
filtering. (Large was measured in terms of the number of customer ASes
the ISP had.)  See Figure 18 on pg 15 of this paper, and the text
explaining it in the middle of the right column on pg 15:
http://research.microsoft.com/pubs/120428/BGPAttack-full.pdf

Finally, like Randy says, RPKI deploys quite differently from BGPSEC. My
intuition says that (1) once the RPKI is fully populated with ROAs for all
originated prefixes, then (2) a partial deployment of origin validation at
a few large ISPs should be fairly effective. But I would have to validate
this with experiments before I can be sure, or say exactly how many ISPs,
etc.

Sharon

-- 
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe
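
Added example (not part of any poster's message): RFC 6811 route origin validation, the check Randy Bush and Sharon Goldberg discuss above, run over alert text in the format BGPMON mails out. It shows that a validator any number of AS hops from the origin can classify the announcement, and that a prefix with no ROA comes back NotFound rather than Invalid. The ROA table, AS64500/AS64511 (documentation ASNs) and all helper names are constructed for illustration; the thread does not say which AS legitimately originates these prefixes.

```python
"""RFC 6811 route origin validation over BGPMON-style alert text (added example)."""
import ipaddress
import re
from typing import NamedTuple


class Roa(NamedTuple):
    prefix: object      # ipaddress network the ROA covers
    max_length: int     # longest prefix length the origin may announce
    asn: int            # authorised origin AS


class Announcement(NamedTuple):
    prefix: object
    as_path: tuple

    @property
    def origin(self):
        # The origin is the right-most AS in the path. The validator does not
        # have to be adjacent to it; it only has to see the announcement.
        return self.as_path[-1]


def route(prefix, *as_path):
    """Convenience constructor: route("8.37.93.0/24", 64511, 64500)."""
    return Announcement(ipaddress.ip_network(prefix), tuple(as_path))


# Constructed ROA table: AS64500 stands in for the legitimate origin of
# 8.37.93.0/24. No ROA is constructed for 173.44.32.0/19, on purpose.
ROAS = [Roa(ipaddress.ip_network("8.37.93.0/24"), 24, 64500)]

# Alert text in the format quoted in this thread (second alert abbreviated).
ALERT_MAIL = """\
Your prefix:  8.37.93.0/24:
Update time:  2014-04-02 18:26 (UTC)
Detected by #peers:   2
Detected prefix:  8.37.93.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761

Your prefix:  173.44.32.0/19:
Detected prefix:  173.44.32.0/19
ASpath:   18356 38794 4651 4761
"""

# Tolerates leading whitespace or '>' quote markers from forwarded mail.
FIELD = re.compile(r"^[>\s]*(Detected prefix|ASpath):\s*(.+?)\s*$")


def parse_alerts(text):
    """Pair each 'Detected prefix' line with the 'ASpath' line that follows it."""
    found, prefix = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Detected prefix":
            prefix = value
        elif prefix is not None:
            found.append(route(prefix, *(int(a) for a in value.split())))
            prefix = None
    return found


def validate(ann, roas):
    """Return 'Valid', 'Invalid' or 'NotFound' as defined by RFC 6811."""
    covering = [r for r in roas
                if r.prefix.version == ann.prefix.version
                and ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"          # no ROA covers the route: nothing to reject on
    for r in covering:
        # AS 0 in a ROA means "do not route"; it can never match an origin.
        if r.asn != 0 and r.asn == ann.origin and ann.prefix.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too specific


def classify(text, roas):
    return [(str(a.prefix), a.origin, validate(a, roas)) for a in parse_alerts(text)]


if __name__ == "__main__":
    for prefix, origin, state in classify(ALERT_MAIL, ROAS):
        print(f"{prefix:18} origin AS{origin:<6} {state}")
```

A router that drops only Invalid routes would discard the first announcement and still accept the second, which is why ROA coverage has to come before rejection policy does much good.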


Re: BGPMON Alert Questions

2014-04-03 Thread Mark Tinka
On Friday, April 04, 2014 05:06:22 AM Sharon Goldberg wrote:

 We also looked at prefix filtering and found that it has
 better partial deployment characteristics. Our analysis
 assumed that ISPs only filter routes from their *stub*
 customers. (We defined a stub as an AS that does not have
 its own customers.) 

Just curious; in your considerations, how would/did you 
treat cases where ISP's filter their downstreams, to include 
their downstream's downstreams?

Mark.




Re: BGPMON Alert Questions

2014-04-02 Thread Shawn L
I just received the same exact notification -- same AS announcing one of my
blocks.


On Wed, Apr 2, 2014 at 2:51 PM, Joseph Jenkins
j...@breathe-underwater.com wrote:

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761



RE: BGPMON Alert Questions

2014-04-02 Thread Frank Bulk
I received a similar notification about one of our prefixes also a few
minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.  But I
also couldn't hit the websites for either AS, either.

Frank

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
Sent: Wednesday, April 02, 2014 1:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure they
are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761





Re: BGPMON Alert Questions

2014-04-02 Thread Þórhallur Hálfdánarson
I have received those for two prefixes so far.

Same origin+transit


Br,
Tolli


 On 2.4.2014, at 18:57, Joseph Jenkins j...@breathe-underwater.com wrote:
 
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761



RE: BGPMON Alert Questions

2014-04-02 Thread Kate Gerry
I just got the same thing.


Possible Prefix Hijack (Code: 10)

Your prefix:  173.44.32.0/19: 
Prefix Description:   AS8100 
Update time:  2014-04-02 18:40 (UTC)
Detected by #peers:   1
Detected prefix:  173.44.32.0/19 
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of 
Thailand(CAT),TH)
ASpath:   18356 38794 4651 4761 
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41639483
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41639483


Possible Prefix Hijack (Code: 10)

Your prefix:  173.205.80.0/20: 
Prefix Description:   AS8100 
Update time:  2014-04-02 18:40 (UTC)
Detected by #peers:   1
Detected prefix:  173.205.80.0/20 
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of 
Thailand(CAT),TH)
ASpath:   18356 38794 4651 4761 
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41639484
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41639484

--
Kate Gerry
Network Manager
k...@quadranet.com

1-888-5-QUADRA Ext 206 | www.QuadraNet.com
Dedicated Servers, Colocation, Cloud Services and more.
Datacenters in Los Angeles, Dallas and Miami.


-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
Sent: Wednesday, April 2, 2014 11:52 AM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in Thailand 
announcing my prefix.  Everything looks fine to me and I've checked a bunch of 
different Looking Glasses and everything announcing correctly.

I am assuming I should be contacting the provider about their misconfiguration 
and announcing my prefixes and get them to fix it.  Any other recommendations?

Is there a way I can verify what they are announcing just to make sure they are 
still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761



Re: BGPMON Alert Questions

2014-04-02 Thread Seth Mattinen

On 4/2/14, 11:51, Joseph Jenkins wrote:

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?




Same here for one of my /21s. Origin of AS4761 through AS4651.

~Seth



RE: BGPMON Alert Questions

2014-04-02 Thread David Hubbard
If you contact bgpmon support you may be able to get some more in-depth
information.  I've contacted them before with alerts like those and they
were able to give me specific date, time, ASN and interface information
about the peering points that received the announcements; that might
help make what you present to the suspect party more likely to be acted upon.

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
Sent: Wednesday, April 02, 2014 2:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure
they are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761





Re: BGPMON Alert Questions

2014-04-02 Thread Vlade Ristevski

I just got the same alert for one of my prefixes one minute ago.

On 4/2/2014 2:59 PM, Frank Bulk wrote:

I received a similar notification about one of our prefixes also a few
minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.  But I
also couldn't hit the websites for either AS, either.

Frank

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
Sent: Wednesday, April 02, 2014 1:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure they
are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761





--
Vlad




RE: BGPMON Alert Questions

2014-04-02 Thread David Hubbard
Lol, and two minutes after I replied to you, I got the same alert about
the same AS with two of my prefixes. 

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
Sent: Wednesday, April 02, 2014 2:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure
they are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761





Re: BGPMON Alert Questions

2014-04-02 Thread Steve Rossen
Same alert for me on two of my prefixes. Still looking into it.


On Wed, Apr 2, 2014 at 1:59 PM, Frank Bulk frnk...@iname.com wrote:

 I received a similar notification about one of our prefixes also a few
 minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.  But I
 also couldn't hit the websites for either AS, either.

 Frank

 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 1:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761






Re: BGPMON Alert Questions

2014-04-02 Thread Octavio Alvarez
On 02/04/14 11:51, Joseph Jenkins wrote:
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761
 

Same here. I got an alert for two prefixes. Same origin AS, same AS path
for one of them: 18356 9931 4651 4761, but a different one for the
other: 18356 38794 4651 4761.




RE: BGPMON Alert Questions

2014-04-02 Thread eric-list
Sadly, it doesn't look like this is the first for Indosat either: 
January 14th, 2011
http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/


Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222


-Original Message-
From: Þórhallur Hálfdánarson [mailto:thorhallur.halfdanar...@advania.is] 
Sent: Wednesday, April 02, 2014 2:59 PM
To: Joseph Jenkins
Cc: nanog@nanog.org
Subject: Re: BGPMON Alert Questions

I have received those for two prefixes so far.

Same origin+transit


Br,
Tolli





Prefix hijack by AS4761 (was Re: BGPMON Alert Questions)

2014-04-02 Thread Stephen Fulton
I'm seeing the same hijack of prefixes by multiple networks under my 
watch, at 18:40 UTC and 19:06 UTC.


-- Stephen


On 2014-04-02 2:51 PM, Joseph Jenkins wrote:

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure they
are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761





Re: BGPMON Alert Questions

2014-04-02 Thread Rene Wilhelm


On 4/2/14, 8:51 PM, Joseph Jenkins wrote:

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure they
are still doing it?

You can check  RIPEstat's BGP  looking-glass:

https://stat.ripe.net/widget/looking-glass#w.resource=8.37.93.0%2F24

This combines the result of 13 RIPE RIS route collectors.

A minute ago I saw the INDOSAT announcement at 2 locations (Amsterdam, 
Frankfurt) from 3 out of 101 peers, but it seems to have stopped just now.


-- Rene




Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761






RE: BGPMON Alert Questions

2014-04-02 Thread Chris Burton
This seems to be occurring to many, I have two of my prefixes being
announced by the same AS's, and I have confirmation from several others who
are seeing this as well.

Chris

-Original Message-
From: Seth Mattinen [mailto:se...@rollernet.us] 
Sent: Wednesday, April 02, 2014 12:03 PM
To: nanog@nanog.org
Subject: Re: BGPMON Alert Questions

On 4/2/14, 11:51, Joseph Jenkins wrote:
 So I setup BGPMON for my prefixes and got an alert about someone in 
 Thailand announcing my prefix.  Everything looks fine to me and I've 
 checked a bunch of different Looking Glasses and everything announcing 
 correctly.

 I am assuming I should be contacting the provider about their 
 misconfiguration and announcing my prefixes and get them to fix it.  
 Any other recommendations?



Same here for one of my /21s. Origin of AS4761 through AS4651.

~Seth




RE: BGPMON Alert Questions

2014-04-02 Thread Frank Bulk
bgpmon has tweeted that "We're currently observing a large hijack event.
Indosat AS4761 originating many prefixes not assigned to them."

Let's hope that AS4651 can quickly apply filters.

Frank

-Original Message-
From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com] 
Sent: Wednesday, April 02, 2014 2:03 PM
To: Joseph Jenkins; nanog@nanog.org
Subject: RE: BGPMON Alert Questions

If you contact bgpmon support you may be able to get some more in-depth
information.  I've contacted them before with alerts like those and they
were able to give me specific date, time, ASN and interface information
about the peering points that received the announcements; that might
help make what you present to the suspect party more likely to be acted upon.

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
Sent: Wednesday, April 02, 2014 2:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure
they are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761








Re: BGPMON Alert Questions

2014-04-02 Thread Olivier Benghozi
... and same here.

Indosat looks now to have developed a solid experience in BGP prefix hijack 
mess (last time was in 2011).

Olivier

 On 4/2/14, 11:51, Joseph Jenkins wrote:
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 
 
 Same here for one of my /21s. Origin of AS4761 through AS4651.
 
 ~Seth
 




Re: BGPMON Alert Questions

2014-04-02 Thread Andree Toonk
I can confirm that indosat appears to be hijacking  many prefixes.
HE 6939 is one of the networks picking it up and distributing it
further. Here's an example for a Syrian prefix:

http://portal.bgpmon.net/data/indosat-hijack.png


Possible Prefix Hijack (Code: 10)

Your prefix:  5.0.0.0/18:
Prefix Description:   STE Public Data Network Backbone and LIR
Update time:  2014-04-02 18:47 (UTC)
Detected by #peers:   13
Detected prefix:  5.0.0.0/18
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS6939 (HURRICANE - Hurricane Electric, Inc.,US)
ASpath:   271 6939 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41644877
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41644877

Andree (BGPMON.net)

.-- My secret spy satellite informs me that at 2014-04-02 11:59 AM  Kate
Gerry wrote:
 I just got the same thing.
 
 
 Possible Prefix Hijack (Code: 10)
 
 Your prefix:  173.44.32.0/19: 
 Prefix Description:   AS8100 
 Update time:  2014-04-02 18:40 (UTC)
 Detected by #peers:   1
 Detected prefix:  173.44.32.0/19 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
 Provider,ID)
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of 
 Thailand(CAT),TH)
 ASpath:   18356 38794 4651 4761 
 Alert details:
 https://portal.bgpmon.net/alerts.php?detailsalert_id=41639483
 Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41639483
 
 
 Possible Prefix Hijack (Code: 10)
 
 Your prefix:  173.205.80.0/20: 
 Prefix Description:   AS8100 
 Update time:  2014-04-02 18:40 (UTC)
 Detected by #peers:   1
 Detected prefix:  173.205.80.0/20 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
 Provider,ID)
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of 
 Thailand(CAT),TH)
 ASpath:   18356 38794 4651 4761 
 Alert details:
 https://portal.bgpmon.net/alerts.php?detailsalert_id=41639484
 Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41639484
 
 --
 Kate Gerry
 Network Manager
 k...@quadranet.com
 
 1-888-5-QUADRA Ext 206 | www.QuadraNet.com
 Dedicated Servers, Colocation, Cloud Services and more.
 Datacenters in Los Angeles, Dallas and Miami.
 
 
 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
 Sent: Wednesday, April 2, 2014 11:52 AM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions
 
 So I setup BGPMON for my prefixes and got an alert about someone in Thailand 
 announcing my prefix.  Everything looks fine to me and I've checked a bunch 
 of different Looking Glasses and everything announcing correctly.
 
 I am assuming I should be contacting the provider about their 
 misconfiguration and announcing my prefixes and get them to fix it.  Any 
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure they 
 are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761
 



RE: BGPMON Alert Questions

2014-04-02 Thread Lee Johnston
Snap, announcing a few of our /21s and a /23. Seems they did something similar 
a few years ago: http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/

I can't make any contact with Indosat (website non responsive / email queuing). 
This is what I have back from Aware Corp. AS18356 (first AS in the path):

I can confirm that we are seeing your prefixes as advertised by AS4761, via one 
of our upstreams CAT AS4651 (THAI-GATEWAY The Communications Authority of 
Thailand(CAT),TH)
We (Aware Corporation - AS18356) operate a BGPMon PeerMon node which is 
probably why you are seeing this alert from our AS.
It is likely that your hijacked prefixes are being advertised to all of CAT's 
customers. 
I suggest contacting  AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
Provider,ID) directly for resolution as there is little we can do as a stub AS.



Regards,
Lee.



-Original Message-
From: Vlade Ristevski [mailto:vrist...@ramapo.edu] 
Sent: 02 April 2014 20:05
To: nanog@nanog.org
Subject: Re: BGPMON Alert Questions

I just got the same alert for one of my prefixes one minute ago.

On 4/2/2014 2:59 PM, Frank Bulk wrote:
 I received a similar notification about one of our prefixes also a few 
 minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.  
 But I also couldn't hit the websites for either AS, either.

 Frank

 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 1:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions

 So I setup BGPMON for my prefixes and got an alert about someone in 
 Thailand announcing my prefix.  Everything looks fine to me and I've 
 checked a bunch of different Looking Glasses and everything announcing 
 correctly.

 I am assuming I should be contacting the provider about their 
 misconfiguration and announcing my prefixes and get them to fix it.  
 Any other recommendations?

 Is there a way I can verify what they are announcing just to make sure 
 they are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761




--
Vlad





Re: Prefix hijack by AS4761 (was Re: BGPMON Alert Questions)

2014-04-02 Thread joel jaeggli
yeah you're seeing the impact of a pretty broad prefix injection

indosat's upstream filters seem to be working for the most part.

On 4/2/14, 12:10 PM, Stephen Fulton wrote:
 I'm seeing the same hijack of prefixes by multiple networks under my
 watch, at 18:40 UTC and 19:06 UTC.
 
 -- Stephen
 
 
 On 2014-04-02 2:51 PM, Joseph Jenkins wrote:
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
 they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications
 Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761

 






Re: BGPMON Alert Questions

2014-04-02 Thread Bryan Tong
Just got the same for 5 of my prefixes.


Possible Prefix Hijack (Code: 10)

Your prefix:  192.225.232.0/21:
Prefix Description:   ARIN direct allocation
Update time:  2014-04-02 19:26 (UTC)
Detected by #peers:   1
Detected prefix:  192.225.232.0/21
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41651791
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41651791


Possible Prefix Hijack (Code: 10)

Your prefix:  199.87.232.0/21:
Prefix Description:   Direct ARIN allocation
Update time:  2014-04-02 19:26 (UTC)
Detected by #peers:   1
Detected prefix:  199.87.232.0/21
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41651792
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41651792


Possible Prefix Hijack (Code: 10)

Your prefix:  162.245.228.0/24:
Update time:  2014-04-02 19:26 (UTC)
Detected by #peers:   1
Detected prefix:  162.245.228.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41651793
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41651793


Possible Prefix Hijack (Code: 10)

Your prefix:  198.44.191.0/24:
Prefix Description:   ARIN direct allocation
Update time:  2014-04-02 19:26 (UTC)
Detected by #peers:   1
Detected prefix:  198.44.191.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41651794
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41651794


Possible Prefix Hijack (Code: 10)

Your prefix:  23.249.176.0/20:
Prefix Description:   ARIN direct allocation
Update time:  2014-04-02 19:26 (UTC)
Detected by #peers:   1
Detected prefix:  23.249.176.0/20
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41651795
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41651795


On Wed, Apr 2, 2014 at 1:12 PM, Rene Wilhelm wilh...@ripe.net wrote:


 On 4/2/14, 8:51 PM, Joseph Jenkins wrote:

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
 they
 are still doing it?

 You can check  RIPEstat's BGP  looking-glass:

 https://stat.ripe.net/widget/looking-glass#w.resource=8.37.93.0%2F24

 This combines the result of 13 RIPE RIS route collectors.

 A minute ago I saw the INDOSAT announcement at 2 locations (Amsterdam,
 Frankfurt) from 3 out of 101 peers, but it seems to have stopped just now.

 -- Rene




 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761







Re: BGPMON Alert Questions

2014-04-02 Thread Bryan Tong
Another 5 of ours just got hit.

Anyone have any ideas on what will be done about it?


On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk frnk...@iname.com wrote:

 bgpmon has tweeted that We're currently observing a large hijack event.
 Indosat AS4761 originating many prefixes not assigned to them.

 Let's hope that AS4651 can quickly apply filters.

 Frank

 -Original Message-
 From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
 Sent: Wednesday, April 02, 2014 2:03 PM
 To: Joseph Jenkins; nanog@nanog.org
 Subject: RE: BGPMON Alert Questions

 If you contact bgpmon support you may be able to get some more in-depth
 information.  I've contacted them before with alerts like those and they
 were able to give me specific date, time, ASN and interface information
 about the peering points that received the announcements; that might
 help make you present to the suspect party more likely to be acted upon.

 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 2:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
 they are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761









-- 
eSited LLC
(701) 390-9638


Re: Prefix hijack by AS4761 (was Re: BGPMON Alert Questions)

2014-04-02 Thread Bob Snyder
On Wed, Apr 2, 2014 at 3:41 PM, joel jaeggli joe...@bogus.com wrote:

 yeah you're seeing the impact of a pretty broad prefix injection

 indosat's upstream filters seem to be working for the most part.


Based on the image they tweeted, I don't think they are doing much
filtering; the Syrian prefix was spread to a number of countries and AS. If
you have good US connectivity the impact seems limited due to better AS
Paths winning, but for less well connected prefixes I'm assuming it's more
up in the air.

Bob


Re: BGPMON Alert Questions

2014-04-02 Thread Bob Evans
Yes, I too have alerts for some of our prefixes from the same offending
origin 4761

On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change
event for your prefix (66.201.48.0/20 slash 20 bottom of nor cal)
The detected prefix: 66.201.48.0/20, was announced by AS4761
(INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Alert description:   Origin AS Change
Detected Prefix: 66.201.48.0/20
Detected Origin AS:   4761
Expected Origin AS:   26803

Bob Evans
CTO




 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
 they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761






Re: BGPMON Alert Questions

2014-04-02 Thread James Laszko
I have someone from cat.net.th on the phone and he doesn't speak a lot of 
English and I don't speak any Thai.  He knew what indosat was and their AS 
number.  He further stated he got my email (never told him who I was), but he 
said he would be replying ASAP.  We only had one /24 announced by indosat.


James Laszko
Mythos Technology Inc


Sent from my iPad

 On Apr 2, 2014, at 1:08 PM, Bryan Tong cont...@nullivex.com wrote:
 
 Another 5 of ours just got hit.
 
 Anyone have any ideas on what will be done about it?
 
 
 On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk frnk...@iname.com wrote:
 
 bgpmon has tweeted that We're currently observing a large hijack event.
 Indosat AS4761 originating many prefixes not assigned to them.
 
 Let's hope that AS4651 can quickly apply filters.
 
 Frank
 
 -Original Message-
 From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
 Sent: Wednesday, April 02, 2014 2:03 PM
 To: Joseph Jenkins; nanog@nanog.org
 Subject: RE: BGPMON Alert Questions
 
 If you contact bgpmon support you may be able to get some more in-depth
 information.  I've contacted them before with alerts like those and they
 were able to give me specific date, time, ASN and interface information
 about the peering points that received the announcements; that might
 help make you present to the suspect party more likely to be acted upon.
 
 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 2:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions
 
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure
 they are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761
 
 
 -- 
 eSited LLC
 (701) 390-9638



Re: BGPMON Alert Questions

2014-04-02 Thread James Laszko
I called into +66 2104-2374 


James Laszko
Mythos Technology Inc


Sent from my iPad

 On Apr 2, 2014, at 1:08 PM, Bryan Tong cont...@nullivex.com wrote:
 
 Another 5 of ours just got hit.
 
 Anyone have any ideas on what will be done about it?
 
 
 On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk frnk...@iname.com wrote:
 
 bgpmon has tweeted that We're currently observing a large hijack event.
 Indosat AS4761 originating many prefixes not assigned to them.
 
 Let's hope that AS4651 can quickly apply filters.
 
 Frank
 
 -Original Message-
 From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
 Sent: Wednesday, April 02, 2014 2:03 PM
 To: Joseph Jenkins; nanog@nanog.org
 Subject: RE: BGPMON Alert Questions
 
 If you contact bgpmon support you may be able to get some more in-depth
 information.  I've contacted them before with alerts like those and they
 were able to give me specific date, time, ASN and interface information
 about the peering points that received the announcements; that might
 help make you present to the suspect party more likely to be acted upon.
 
 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 2:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions
 
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure
 they are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761
 
 
 -- 
 eSited LLC
 (701) 390-9638



Re: BGPMON Alert Questions

2014-04-02 Thread Felix Aronsson
Seeing the same here for a /21. This seems to have happened before with
AS4761? See http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/ from
January 2011.


On Wed, Apr 2, 2014 at 8:51 PM, Joseph Jenkins
j...@breathe-underwater.com wrote:

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761



Re: BGPMON Alert Questions

2014-04-02 Thread Andrew (Andy) Ashley
Hi All,

I am a network admin for Aware Corporation AS18356 (Thailand), as
mentioned in the alert.
We operate a BGPMon PeerMon node on our network, which peers with the
BGPMon service as a collector.

It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
prefixes and CAT (Communications Authority of Thailand AS4651) is not
filtering them, 
hence they are announced to us and are triggering these BGPMon alerts.

I have had several mails to our NOC about this already and have responded
directly to those.
I suggest contacting Indosat directly to get this resolved.
AS18356 is a stub AS, so we are not actually advertising these learned
hijacked prefixes to anyone but BGPMon for data collection purposes.

Thanks.

Regards,

Andrew Ashley

Office: +27 21 673 6841
E-mail: andre...@aware.co.th
Web: www.aware.co.th



On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:

I just got the same alert for one of my prefixes one minute ago.

On 4/2/2014 2:59 PM, Frank Bulk wrote:
 I received a similar notification about one of our prefixes also a few
 minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
But I
 also couldn't hit the websites for either AS, either.

 Frank

 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 1:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761




-- 
Vlad






Re: BGPMON Alert Questions

2014-04-02 Thread Mingwei Zhang
route-views4 /64.25.208.71 has seen updates that contain a large amount of
prefixes at time 1396464452 (04 / 02 / 14 @ 6:47:32pm UTC) with path
[20225, 6939, 4761]

full prefixes list: http://pastebin.com/Eu4ePgp4

is it normal for a single update to contain such a large amount of NLRI info?


On Wed, Apr 2, 2014 at 12:08 PM, Octavio Alvarez
alvar...@alvarezp.ods.org wrote:

 On 02/04/14 11:51, Joseph Jenkins wrote:
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 

 Same here. I got an alert for two prefixes. Same origin AS, same AS path
 for one of them: 18356 9931 4651 4761, but a different one for the
 other: 18356 38794 4651 4761.





Re: BGPMON Alert Questions

2014-04-02 Thread Bryan Tong
They have advertised all of ours now.


On Wed, Apr 2, 2014 at 2:16 PM, Bob Evans b...@fiberinternetcenter.com wrote:

 Yes, I too have alerts for some of our prefixes from the same offending
 origin 4761

 On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change
 event for your prefix (66.201.48.0/20 slash 20 bottom of nor cal)
 The detected prefix: 66.201.48.0/20, was announced by AS4761
 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
 Alert description:   Origin AS Change
 Detected Prefix: 66.201.48.0/20
 Detected Origin AS:   4761
 Expected Origin AS:   26803

 Bob Evans
 CTO




  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
  they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 






-- 
eSited LLC
(701) 390-9638


Re: BGPMON Alert Questions

2014-04-02 Thread Blake Dunlap
Saw this as well on my blocks.

Is this malicious or did someone redistribute all of bgp with bad upstream
filtering?


On Wed, Apr 2, 2014 at 3:16 PM, James Laszko jam...@mythostech.com wrote:

 I have someone from cat.net.th on the phone and he doesn't speak a lot of
 English and I don't speak any Thai.  He knew what indosat was and their
 AS number.  He further stated he got my email (never told him who I was),
 but he said he would be replying ASAP.  We only had one /24 announced by
 indosat.


 James Laszko
 Mythos Technology Inc


 Sent from my iPad

  On Apr 2, 2014, at 1:08 PM, Bryan Tong cont...@nullivex.com wrote:
 
  Another 5 of ours just got hit.
 
  Anyone have any ideas on what will be done about it?
 
 
  On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk frnk...@iname.com wrote:
 
  bgpmon has tweeted that We're currently observing a large hijack event.
  Indosat AS4761 originating many prefixes not assigned to them.
 
  Let's hope that AS4651 can quickly apply filters.
 
  Frank
 
  -Original Message-
  From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
  Sent: Wednesday, April 02, 2014 2:03 PM
  To: Joseph Jenkins; nanog@nanog.org
  Subject: RE: BGPMON Alert Questions
 
  If you contact bgpmon support you may be able to get some more in-depth
  information.  I've contacted them before with alerts like those and they
  were able to give me specific date, time, ASN and interface information
  about the peering points that received the announcements; that might
  help make you present to the suspect party more likely to be acted upon.
 
  -Original Message-
  From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
  Sent: Wednesday, April 02, 2014 2:52 PM
  To: nanog@nanog.org
  Subject: BGPMON Alert Questions
 
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
  they are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
  of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 
 
  --
  eSited LLC
  (701) 390-9638




Re: BGPMON Alert Questions

2014-04-02 Thread Bob Evans
where did you get that number ?
aut-num:AS4761
as-name:INDOSAT-INP-AP
descr:  INDOSAT Internet Network Provider
descr:  Internet Network Access Point in INDONESIA
country:ID
admin-c:IH151-AP
tech-c: DA205-AP
mnt-by: MAINT-ID-INDOSAT-INP
changed:hostmas...@indosat.com 20081006
source: APNIC
person: Dewi Amalia
nic-hdl:DA205-AP
e-mail: dewi.ama...@indosat.com
address:PT INDOSAT
address:JL. Medan Merdeka Barat 21
address:Jakarta Pusat
phone:  +62-21-30444066
fax-no: +62-21-30001073
country:ID
changed:dewi.ama...@indosat.com 20080117
mnt-by: MAINT-ID-INDOSAT-INP
source: APNIC
person: INDOSAT INP Hostmaster
nic-hdl:IH151-AP
e-mail: hostmas...@indosat.com
address:PT Indosat
address:Jl. Medan Merdeka Barat 21
address:Jakarta Pusat
phone:  +62-21-30444066
fax-no: +62-21-30001073
country:ID
changed:hostmas...@indosat.com 20120104
mnt-by: MAINT-ID-INDOSAT-INP
source: APNIC


Bob Evans
CTO




 I called into +66 2104-2374


 James Laszko
 Mythos Technology Inc


 Sent from my iPad

 On Apr 2, 2014, at 1:08 PM, Bryan Tong cont...@nullivex.com wrote:

 Another 5 of ours just got hit.

 Anyone have any ideas on what will be done about it?


 On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk frnk...@iname.com wrote:

 bgpmon has tweeted that We're currently observing a large hijack
 event.
 Indosat AS4761 originating many prefixes not assigned to them.

 Let's hope that AS4651 can quickly apply filters.

 Frank

 -Original Message-
 From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
 Sent: Wednesday, April 02, 2014 2:03 PM
 To: Joseph Jenkins; nanog@nanog.org
 Subject: RE: BGPMON Alert Questions

 If you contact bgpmon support you may be able to get some more in-depth
 information.  I've contacted them before with alerts like those and
 they
 were able to give me specific date, time, ASN and interface information
 about the peering points that received the announcements; that might
 help make you present to the suspect party more likely to be acted
 upon.

 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 2:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.
 Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
 they are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761


 --
 eSited LLC
 (701) 390-9638






RE: BGPMON Alert Questions

2014-04-02 Thread Mike Walter
Three of ours just got jacked.  I have tried to contact via email for update / 
fix of their end.

-Mike

-Original Message-
From: Felix Aronsson [mailto:fe...@mrfriday.com] 
Sent: Wednesday, April 02, 2014 3:22 PM
To: Joseph Jenkins
Cc: nanog@nanog.org
Subject: Re: BGPMON Alert Questions

Seeing the same here for a /21. This seems to have happened before with
AS4761? See http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/ from
January 2011.


On Wed, Apr 2, 2014 at 8:51 PM, Joseph Jenkins
j...@breathe-underwater.com wrote:

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761



Re: BGPMON Alert Questions

2014-04-02 Thread Zachary McGibbon
Same here:



Possible Prefix Hijack (Code: 10)

Your prefix:  132.206.0.0/16:
Prefix Description:   MCGILL-NET-132-206
Update time:  2014-04-02 20:11 (UTC)
Detected by #peers:   1
Detected prefix:  132.206.0.0/16
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 38794 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41664976
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41664976


Possible Prefix Hijack (Code: 10)

Your prefix:  142.157.128.0/18:
Prefix Description:   McGill
Update time:  2014-04-02 20:11 (UTC)
Detected by #peers:   1
Detected prefix:  142.157.128.0/18
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41664977
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41664977



On Wed, Apr 2, 2014 at 3:21 PM, Felix Aronsson fe...@mrfriday.com wrote:

 Seeing the same here for a /21. This seems to have happened before with
 AS4761? See
 http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/ from
 January 2011.


 On Wed, Apr 2, 2014 at 8:51 PM, Joseph Jenkins
 j...@breathe-underwater.com wrote:

  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
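
An added example, not part of any message in this thread: a parser for alerts in the layout pasted above that re-joins folded fields, cross-checks the `Announced by` and `Upstream AS` fields against the AS path, and summarizes whether a batch of alerts is one event seen from one vantage point. The sample alerts are constructed with documentation prefixes, the `EXPECTED_ORIGIN` table and its AS64500 value are assumptions, and the more-specific case goes beyond the exact-prefix alerts posted here.

```python
import ipaddress
import re
from collections import Counter

# Field labels exactly as they appear in the alerts posted in this thread.
FIELD_RE = re.compile(
    r"^(Your prefix|Prefix Description|Update time|Detected by #peers|"
    r"Detected prefix|Announced by|Upstream AS|ASpath|Alert details|"
    r"Mark as false alert):\s*(.*)$"
)

# Constructed sample in the thread's alert layout. Prefixes are RFC 5737
# documentation ranges; the AS numbers are the ones quoted in the thread.
SAMPLE_ALERTS = """\
Possible Prefix Hijack (Code: 10)

Your prefix:  192.0.2.0/24:
Detected by #peers:   1
Detected prefix:  192.0.2.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761

Possible Prefix Hijack (Code: 10)

Your prefix:  198.51.100.0/24:
Detected by #peers:   1
Detected prefix:  198.51.100.0/25
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 38794 4651 4761
"""

# Assumption: the operator's own prefix -> origin AS table. AS64500 is a
# documentation ASN (RFC 5398), not a value from the thread.
EXPECTED_ORIGIN = {"192.0.2.0/24": 64500, "198.51.100.0/24": 64500}


def parse_alerts(text):
    """Return one dict per alert, re-joining fields folded by mail clients."""
    alerts, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        match = FIELD_RE.match(line)
        if match:
            key, value = match.groups()
            if key == "Your prefix":      # first field of every alert
                current = {}
                alerts.append(current)
            if current is not None:
                current[key], last_key = value.strip(), key
        elif line and last_key and not line.startswith("Possible Prefix"):
            current[last_key] = (current[last_key] + " " + line).strip()
        else:
            last_key = None               # blank line or next alert header
    return alerts


def triage(alert, expected_origin=EXPECTED_ORIGIN):
    """Classify one alert and cross-check its fields against its AS path."""
    path = tuple(int(asn) for asn in re.findall(r"\d+", alert["ASpath"]))
    monitored = ipaddress.ip_network(alert["Your prefix"].rstrip(":"))
    detected = ipaddress.ip_network(alert["Detected prefix"])
    announced = int(re.search(r"AS(\d+)", alert["Announced by"]).group(1))
    upstream = int(re.search(r"AS(\d+)", alert["Upstream AS"]).group(1))
    covered = detected.version == monitored.version and detected.subnet_of(monitored)
    kind = ("exact-prefix" if detected == monitored
            else "more-specific" if covered else "not-covered")
    return {
        "prefix": str(detected),
        "kind": kind,
        "path": path,
        "origin": path[-1],       # rightmost AS originated the route
        "upstream": path[-2] if len(path) > 1 else None,
        "vantage": path[0],       # collector peer that reported the route
        "peers": int(alert["Detected by #peers"]),
        "unexpected_origin": path[-1] != expected_origin.get(str(monitored)),
        "consistent": path[-2:] == (upstream, announced),
    }


def summarize(findings):
    """Show whether many alerts are one event seen from one place."""
    return {
        "origins": Counter(f["origin"] for f in findings),
        "upstreams": Counter(f["upstream"] for f in findings),
        "vantage_points": Counter(f["vantage"] for f in findings),
        "distinct_paths": sorted({f["path"] for f in findings}),
        "max_peers": max(f["peers"] for f in findings),
    }


if __name__ == "__main__":
    findings = [triage(a) for a in parse_alerts(SAMPLE_ALERTS)]
    print(*findings, summarize(findings), sep="\n")
```

A batch in which every alert shares one origin, one upstream and one vantage AS with a low peer count is a single event seen through a single collector feed, so the next check is a multi-collector looking glass rather than the alert count.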
 



Re: BGPMON Alert Questions

2014-04-02 Thread Jason Baugher
I emailed hostmas...@indosat.com a little over an hour ago, and no response
as yet. Anyone having luck making contact with Indosat themselves?


On Wed, Apr 2, 2014 at 2:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:

 Hi All,

 I am a network admin for Aware Corporation AS18356 (Thailand), as
 mentioned in the alert.
 We operate a BGPMon PeerMon node on our network, which peers with the
 BGPMon service as a collector.

 It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
 prefixes and CAT (Communications Authority of Thailand AS4651) is not
 filtering them,
 hence they are announced to us and are triggering these BGPMon alerts.

 I have had several mails to our NOC about this already and have responded
 directly to those.
 I suggest contacting Indosat directly to get this resolved.
 AS18356 is a stub AS, so we are not actually advertising these learned
 hijacked prefixes to anyone but BGPMon for data collection purposes.

 Thanks.

 Regards,

 Andrew Ashley

 Office: +27 21 673 6841
 E-mail: andre...@aware.co.th
 Web: www.aware.co.th



 On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:

 I just got the same alert for one of my prefixes one minute ago.
 
 On 4/2/2014 2:59 PM, Frank Bulk wrote:
  I received a similar notification about one of our prefixes also a few
  minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
 But I
  also couldn't hit the websites for either AS, either.
 
  Frank
 
  -Original Message-
  From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
  Sent: Wednesday, April 02, 2014 1:52 PM
  To: nanog@nanog.org
  Subject: BGPMON Alert Questions
 
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 
 
 
 
 --
 Vlad
 
 



Re: BGPMON Alert Questions

2014-04-02 Thread Aris Lambrianidis
Contacted ip@indosat.com about this, I urge others to do the same.

--Aris


On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:

 Hi All,

 I am a network admin for Aware Corporation AS18356 (Thailand), as
 mentioned in the alert.
 We operate a BGPMon PeerMon node on our network, which peers with the
 BGPMon service as a collector.

 It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
 prefixes and CAT (Communications Authority of Thailand AS4651) is not
 filtering them,
 hence they are announced to us and are triggering these BGPMon alerts.

 I have had several mails to our NOC about this already and have responded
 directly to those.
 I suggest contacting Indosat directly to get this resolved.
 AS18356 is a stub AS, so we are not actually advertising these learned
 hijacked prefixes to anyone but BGPMon for data collection purposes.

 Thanks.

 Regards,

 Andrew Ashley

 Office: +27 21 673 6841
 E-mail: andre...@aware.co.th
 Web: www.aware.co.th



 On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:

 I just got the same alert for one of my prefixes one minute ago.
 
 On 4/2/2014 2:59 PM, Frank Bulk wrote:
  I received a similar notification about one of our prefixes also a few
  minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
 But I
  also couldn't hit the websites for either AS, either.
 
  Frank
 
  -Original Message-
  From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
  Sent: Wednesday, April 02, 2014 1:52 PM
  To: nanog@nanog.org
  Subject: BGPMON Alert Questions
 
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 
 
 
 
 --
 Vlad
 
 



Re: BGPMON Alert Questions

2014-04-02 Thread Erik Bais
We are getting multiple alerts for a mix of our and customers prefixes. 

Could someone from HE tell if they started filtering yet ? 

Erik Bais 

Sent from my iPad

On 2 Apr 2014, at 21:21, Felix Aronsson fe...@mrfriday.com wrote:

 Seeing the same here for a /21. This seems to have happened before with
 AS4761? See http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/ from
 January 2011.
 
 
 On Wed, Apr 2, 2014 at 8:51 PM, Joseph Jenkins
 j...@breathe-underwater.com wrote:
 
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761
 



Re: BGPMON Alert Questions

2014-04-02 Thread Seth Mattinen

On 4/2/14, 13:31, Bob Evans wrote:

where did you get that number ?



I think that was a number for CAT, AS4651.

~Seth



Re: BGPMON Alert Questions

2014-04-02 Thread Curtis Doty
On Wed, Apr 2, 2014 at 1:24 PM, Blake Dunlap iki...@gmail.com wrote:

 Is this malicious or did someone redistribute all of bgp with bad upstream
 filtering?



They perfectly re-advertized all mine. Looks like a huge mistake. And still
ongoing.

Although this was nice to see:


RPKI Validation Failed (Code: 9)

Your prefix:  199.47.80.0/21:
Prefix Description:   NET-199-47-80-0-1
Update time:  2014-04-02 20:29 (UTC)
Detected by #peers:   1
Detected prefix:  199.47.80.0/21
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 38794 4651 4761
RPKI Status:  ROA validation failed: Invalid Origin ASN, expected
46851

Albeit ineffective.

../C


Re: BGPMON Alert Questions

2014-04-02 Thread Andrew (Andy) Ashley
I got a bounce from Indosat saying:

Dear Senders,

Thank you for your email, started March,1st  2012 email address for
correspondence with Indosat IP Support  All Support INP will be change and
not active with detail information as follows :
1. Correspondence and complain handling for Indosat Corporate customers
(INP, IDIA and INIX services) please kindly address to :
corporatesolut...@indosat.com (Service Desk MIDI Indosat Corporate Solution)
2. Correspondence and coordination for upstream and peering purpose please
kindly address to :  snocips...@indosat.com (SNOC IP Surveillance)
Thank you for your kind cooperation and understanding.
Indosat IP Support



Perhaps the "SNOC IP Surveillance" address is better?





For CAT Thailand, the contact details I have are:



NOC call center
CAT Telecom
Tel: 66 2 104 2382
FAX: 66 2 104 2281
e-mail: cuss...@cattelecom.com

As someone mentioned, English may be an issue, especially at this time of
the morning over there.




Regards,



Andrew Ashley



Office: +27 21 673 6841

E-mail: andre...@aware.co.th

Web: www.aware.co.th




From:  Aris Lambrianidis effulge...@gmail.com
Date:  Wednesday 02 April 2014 at 22:40
To:  Andrew Ashley andre...@aware.co.th
Cc:  nanog@nanog.org nanog@nanog.org
Subject:  Re: BGPMON Alert Questions

Contacted ip@indosat.com about this, I urge others to do the same.

--Aris


On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley andre...@aware.co.th
wrote:
 Hi All,
 
 I am a network admin for Aware Corporation AS18356 (Thailand), as
 mentioned in the alert.
 We operate a BGPMon PeerMon node on our network, which peers with the
 BGPMon service as a collector.
 
 It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
 prefixes and CAT (Communications Authority of Thailand AS4651) is not
 filtering them,
 hence they are announced to us and are triggering these BGPMon alerts.
 
 I have had several mails to our NOC about this already and have responded
 directly to those.
 I suggest contacting Indosat directly to get this resolved.
 AS18356 is a stub AS, so we are not actually advertising these learned
 hijacked prefixes to anyone but BGPMon for data collection purposes.
 
 Thanks.
 
 Regards,
 
 Andrew Ashley
 
 Office: +27 21 673 6841
 E-mail: andre...@aware.co.th
 Web: www.aware.co.th
 
 
 
 On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:
 
 I just got the same alert for one of my prefixes one minute ago.
 
 On 4/2/2014 2:59 PM, Frank Bulk wrote:
  I received a similar notification about one of our prefixes also a few
  minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
 But I
  also couldn't hit the websites for either AS, either.
 
  Frank
 
  -Original Message-
  From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
  Sent: Wednesday, April 02, 2014 1:52 PM
  To: nanog@nanog.org
  Subject: BGPMON Alert Questions
 
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 
 
 
 
 --
 Vlad
 
 







Re: BGPMON Alert Questions

2014-04-02 Thread Bret Clark

They are advertising one of /22 right now as well,

Bret


On 04/02/2014 04:21 PM, Bryan Tong wrote:

They have advertised all of ours now.


On Wed, Apr 2, 2014 at 2:16 PM, Bob Evans b...@fiberinternetcenter.com wrote:


Yes, I too have alerts for some of our prefixes from the same offending
origin 4761

On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change
event for your prefix (66.201.48.0/20 slash 20 bottom of nor cal)
The detected prefix: 66.201.48.0/20, was announced by AS4761
(INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Alert description:   Origin AS Change
Detected Prefix: 66.201.48.0/20
Detected Origin AS:   4761
Expected Origin AS:   26803

Bob Evans
CTO





So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure
they
are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761










--
Spectra Access
25 Lowell Street
Manchester, NH 03042
603-296-0760
www.spectraaccess.net




Re: BGPMON Alert Questions

2014-04-02 Thread Luca Simonetti
Same here :

Your prefix:  178.212.137.0/24:
Prefix Description:   Engine Networks EU
Update time:  2014-04-02 20:54 (UTC)
Detected by #peers:   1
Detected prefix:  178.212.137.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of 
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761 

and many others

-- 
Luca Simonetti

Engine Networks

http://www.enginenetworks.net
http://www.facebook.com/enginenetworks
http://twitter.com/enginenetworks

Datacenter GENEVA 1: Rue de la Confédération, 6 1204 Geneve - CH
Datacenter ZURICH 1: Josefstrasse, 225 - 8005 Zürich - CH
Datacenter MILAN 1: Via Caldera, 21 - 20100 Milan - IT
Datacenter TURIN 1: C.so Svizzera, 185 - 10149 Turin - IT



Re: BGPMON Alert Questions

2014-04-02 Thread Mark Keymer

So,

Just tried e-mailing to that address.

*Delivery has failed to these recipients or groups:*

indriana.triyunianingt...@indosat.com 
The recipient's mailbox is full and can't accept messages now. Please 
try resending this message later, or contact the recipient directly.


Sincerely,

Mark Keymer
CFO/COO
Vivio Technologies

On 4/2/2014 1:40 PM, Aris Lambrianidis wrote:

Contacted ip@indosat.com about this, I urge others to do the same.

--Aris


On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:


Hi All,

I am a network admin for Aware Corporation AS18356 (Thailand), as
mentioned in the alert.
We operate a BGPMon PeerMon node on our network, which peers with the
BGPMon service as a collector.

It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
prefixes and CAT (Communications Authority of Thailand AS4651) is not
filtering them,
hence they are announced to us and are triggering these BGPMon alerts.

I have had several mails to our NOC about this already and have responded
directly to those.
I suggest contacting Indosat directly to get this resolved.
AS18356 is a stub AS, so we are not actually advertising these learned
hijacked prefixes to anyone but BGPMon for data collection purposes.

Thanks.

Regards,

Andrew Ashley

Office: +27 21 673 6841
E-mail: andre...@aware.co.th
Web: www.aware.co.th



On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:


I just got the same alert for one of my prefixes one minute ago.

On 4/2/2014 2:59 PM, Frank Bulk wrote:

I received a similar notification about one of our prefixes also a few
minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
But I
also couldn't hit the websites for either AS, either.

Frank

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
Sent: Wednesday, April 02, 2014 1:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure
they
are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761




--
Vlad






Re: BGPMON Alert Questions

2014-04-02 Thread Joseph Jenkins
Tried the recipients mailbox is full, but it looks like all of the bgpmon
alerts have cleared.


On Wed, Apr 2, 2014 at 1:40 PM, Aris Lambrianidis effulge...@gmail.com wrote:

 Contacted ip@indosat.com about this, I urge others to do the same.

 --Aris


 On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
 andre...@aware.co.th wrote:

  Hi All,
 
  I am a network admin for Aware Corporation AS18356 (Thailand), as
  mentioned in the alert.
  We operate a BGPMon PeerMon node on our network, which peers with the
  BGPMon service as a collector.
 
  It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
  prefixes and CAT (Communications Authority of Thailand AS4651) is not
  filtering them,
  hence they are announced to us and are triggering these BGPMon alerts.
 
  I have had several mails to our NOC about this already and have responded
  directly to those.
  I suggest contacting Indosat directly to get this resolved.
  AS18356 is a stub AS, so we are not actually advertising these learned
  hijacked prefixes to anyone but BGPMon for data collection purposes.
 
  Thanks.
 
  Regards,
 
  Andrew Ashley
 
  Office: +27 21 673 6841
  E-mail: andre...@aware.co.th
  Web: www.aware.co.th
 
 
 
  On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:
 
  I just got the same alert for one of my prefixes one minute ago.
  
  On 4/2/2014 2:59 PM, Frank Bulk wrote:
   I received a similar notification about one of our prefixes also a few
   minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
  But I
   also couldn't hit the websites for either AS, either.
  
   Frank
  
   -Original Message-
   From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
   Sent: Wednesday, April 02, 2014 1:52 PM
   To: nanog@nanog.org
   Subject: BGPMON Alert Questions
  
   So I setup BGPMON for my prefixes and got an alert about someone in
   Thailand announcing my prefix.  Everything looks fine to me and I've
   checked a bunch of different Looking Glasses and everything announcing
   correctly.
  
   I am assuming I should be contacting the provider about their
   misconfiguration and announcing my prefixes and get them to fix it.
  Any
   other recommendations?
  
   Is there a way I can verify what they are announcing just to make sure
  they
   are still doing it?
  
   Here is the alert for reference:
  
   Your prefix:  8.37.93.0/24:
  
   Update time:  2014-04-02 18:26 (UTC)
  
   Detected by #peers:   2
  
   Detected prefix:  8.37.93.0/24
  
   Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
   Provider,ID)
  
   Upstream AS:  AS4651 (THAI-GATEWAY The Communications
 Authority
  of
   Thailand(CAT),TH)
  
   ASpath:   18356 9931 4651 4761
  
  
  
  
  --
  Vlad
  
  
 



Re: BGPMON Alert Questions

2014-04-02 Thread Eric Dugas
Thanks, also emailed support@ noc@. Didn't receive any bounce emails..

e...@zerofail.com
AS40191

On Apr 2, 2014 5:06 PM, Aris Lambrianidis effulge...@gmail.com wrote:
Contacted ip@indosat.com about this, I urge others to do the same.

--Aris


On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:

 Hi All,

 I am a network admin for Aware Corporation AS18356 (Thailand), as
 mentioned in the alert.
 We operate a BGPMon PeerMon node on our network, which peers with the
 BGPMon service as a collector.

 It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
 prefixes and CAT (Communications Authority of Thailand AS4651) is not
 filtering them,
 hence they are announced to us and are triggering these BGPMon alerts.

 I have had several mails to our NOC about this already and have responded
 directly to those.
 I suggest contacting Indosat directly to get this resolved.
 AS18356 is a stub AS, so we are not actually advertising these learned
 hijacked prefixes to anyone but BGPMon for data collection purposes.

 Thanks.

 Regards,

 Andrew Ashley

 Office: +27 21 673 6841
 E-mail: andre...@aware.co.th
 Web: www.aware.co.th



 On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:

 I just got the same alert for one of my prefixes one minute ago.
 
 On 4/2/2014 2:59 PM, Frank Bulk wrote:
  I received a similar notification about one of our prefixes also a few
  minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
 But I
  also couldn't hit the websites for either AS, either.
 
  Frank
 
  -Original Message-
  From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
  Sent: Wednesday, April 02, 2014 1:52 PM
  To: nanog@nanog.org
  Subject: BGPMON Alert Questions
 
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 
 
 
 
 --
 Vlad
 
 



Re: BGPMON Alert Questions

2014-04-02 Thread Bryan Tong
Got this response from HE

We are not in the as-path of the routes listed below.  It seems we accepted
some of them from a route server.  I'm not seeing them in the table at this
time.

--
Rob Mosher
Senior Network and Software Engineer
Hurricane Electric / AS6939


On Wed, Apr 2, 2014 at 2:51 PM, Seth Mattinen se...@rollernet.us wrote:

 On 4/2/14, 13:31, Bob Evans wrote:

 where did you get that number ?



 I think that was a number for CAT, AS4651.

 ~Seth




-- 
eSited LLC
(701) 390-9638


Re: BGPMON Alert Questions

2014-04-02 Thread Laszlo Hanyecz
They're just leaking every route right?
Is it possible to poison the AS paths you announce with their own AS to get 
them to let go of your prefixes until it's fixed?
Would that work, or some other trick that can be done without their cooperation?

Thanks,
Laszlo




Re: BGPMON Alert Questions

2014-04-02 Thread Peter Tavenier
Same here. AS path is 18356 38794 4651 4761. 
Did anybody have any contact with AS 4761? 

Regards,
Peter

 On 2 Apr 2014, at 22:57, Curtis Doty cur...@greenkey.net wrote:
 
 On Wed, Apr 2, 2014 at 1:24 PM, Blake Dunlap iki...@gmail.com wrote:
 
 Is this malicious or did someone redistribute all of bgp with bad upstream
 filtering?
 
 
 They perfectly re-advertized all mine. Looks like a huge mistake. And still
 ongoing.
 
 Although this was nice to see:
 
 
 RPKI Validation Failed (Code: 9)
 
 Your prefix:  199.47.80.0/21:
 Prefix Description:   NET-199-47-80-0-1
 Update time:  2014-04-02 20:29 (UTC)
 Detected by #peers:   1
 Detected prefix:  199.47.80.0/21
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)
 ASpath:   18356 38794 4651 4761
 RPKI Status:  ROA validation failed: Invalid Origin ASN, expected
 46851
 
 Albeit ineffective.
 
 ../C


Re: BGPMON Alert Questions

2014-04-02 Thread Adrian Minta

Already too late :(

*Delivery has failed to these recipients or groups:*

indriana.triyunianingt...@indosat.com 
The recipient's mailbox is full and can't accept messages now. Please 
try resending this message later, or contact the recipient directly.





On 02.04.2014 23:40, Aris Lambrianidis wrote:

Contacted ip@indosat.com about this, I urge others to do the same.

--Aris


On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:


Hi All,

I am a network admin for Aware Corporation AS18356 (Thailand), as
mentioned in the alert.
We operate a BGPMon PeerMon node on our network, which peers with the
BGPMon service as a collector.

It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
prefixes and CAT (Communications Authority of Thailand AS4651) is not
filtering them,
hence they are announced to us and are triggering these BGPMon alerts.

I have had several mails to our NOC about this already and have responded
directly to those.
I suggest contacting Indosat directly to get this resolved.
AS18356 is a stub AS, so we are not actually advertising these learned
hijacked prefixes to anyone but BGPMon for data collection purposes.





--
Best regards,
Adrian Minta




Re: BGPMON Alert Questions

2014-04-02 Thread Justin M. Streiner

On Wed, 2 Apr 2014, Laszlo Hanyecz wrote:


They're just leaking every route right?
Is it possible to poison the AS paths you announce with their own AS to get 
them to let go of your prefixes until it's fixed?
Would that work, or some other trick that can be done without their cooperation?


Keep in mind that the more AS hops there are between you and Indosat, the 
less effective that any hackery you do in your own BGP table will be.


Two things need to happen:
1. Indosat needs to clean their mess up.
2. Indosat's upstreams need to apply some BGP clue to Indosat's 
announcements.


It's pretty clear that both parties have dropped the ball in a big way, 
in terms of sane BGP filtering practices.


jms



Re: BGPMON Alert Questions

2014-04-02 Thread Justin M. Streiner

On Thu, 3 Apr 2014, Adrian Minta wrote:


Already too late :(

*Delivery has failed to these recipients or groups:*

indriana.triyunianingt...@indosat.com 
The recipient's mailbox is full and can't accept messages now. Please try 
resending this message later, or contact the recipient directly.


As long as that's not the only person behind the ip@indosat.com 
mail alias, all hope is not lost.  Still, I imagine their NOC is getting 
crushed with reports right now.


jms


On 02.04.2014 23:40, Aris Lambrianidis wrote:

 Contacted ip@indosat.com about this, I urge others to do the same.

 --Aris


 On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
 andre...@aware.co.th wrote:

  Hi All,
 
  I am a network admin for Aware Corporation AS18356 (Thailand), as

  mentioned in the alert.
  We operate a BGPMon PeerMon node on our network, which peers with the
  BGPMon service as a collector.
 
  It is likely that AS4761 (INDOSAT) has somehow managed to hijack these

  prefixes and CAT (Communications Authority of Thailand AS4651) is not
  filtering them,
  hence they are announced to us and are triggering these BGPMon alerts.
 
  I have had several mails to our NOC about this already and have 
  responded

  directly to those.
  I suggest contacting Indosat directly to get this resolved.
  AS18356 is a stub AS, so we are not actually advertising these learned
  hijacked prefixes to anyone but BGPMon for data collection purposes.
 
 



--
Best regards,
Adrian Minta







Re: BGPMON Alert Questions

2014-04-02 Thread joel jaeggli
On 4/2/14, 11:59 AM, Justin M. Streiner wrote:

 Two things need to happen:
 1. Indosat needs to clean their mess up.
 2. Indosat's upstreams need to apply some BGP clue to Indosat's
 announcements.
 
 It's pretty clear that both parties have dropped the ball in a big way,
 in terms of sane BGP filtering practices.

actually that's not at all clear.

https://twitter.com/renesys/status/451456391656796161

it looked like the filtering worked rather well. certainly as a customer
of many of 4761s transit providers I did not see any of them pick up
this advertisement in asia.

the impact was limited even when it began, and it should be largely over.

One of the things it says is that this sort of announcement is highly
visible to the monitoring infrastructure, which is rather good to know.

 jms
 






Re: BGPMON Alert Questions

2014-04-02 Thread Andree Toonk
Quick update from BGPmon:
We've detected 415,652 prefixes being hijacked by Indosat today. 8,233
of those were seen by more than 10 of our BGP collectors.

When receiving a BGPmon alert, one of the metrics to look at that will
help with determining the scope and impact is the 'Detected by #peers'
value.
Many of the alerts were only seen by one or two peers in Thailand. This
indicates that communications for those prefixes would likely have been
affected for some in Thailand.

8,233 of the hijacked prefixes were seen by more than 10 of our peers.
For those the impact would have been more severe.

Since we're on Nanog, here's a list of US based networks affected by
Indosat hijack that were seen by more than 10 unique ASns:
http://portal.bgpmon.net/data/indosat-us.txt it includes  apple, telia,
ntt, level3, comcast, cableone, akamai, Joyent

Same for Canadian prefixes (keep in mind there were more hijacked
prefixes, this is just the list for which the hijack was seen by more
than 10 of our peers)
http://portal.bgpmon.net/data/indosat-ca.txt


Cheers,
 Andree


.-- My secret spy satellite informs me that at 2014-04-02 2:20 PM
Laszlo Hanyecz wrote:
 They're just leaking every route right?
 Is it possible to poison the AS paths you announce with their own AS to get 
 them to let go of your prefixes until it's fixed?
 Would that work, or some other trick that can be done without their 
 cooperation?
 
 Thanks,
 Laszlo
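
Added example (not part of any message in this thread, and not BGPmon's code): the triage Andree Toonk describes above, combined with the RPKI origin check behind the "RPKI Validation Failed" alert Curtis Doty posted, run over two alerts copied from the thread. The single ROA entry (its max length of 21 is an assumption), the function names and the use of "more than 10 peers" as a cut-off are choices made for this example.

```python
import ipaddress
import re

# Two alerts as posted in this thread, with the mail client's line wraps kept.
ALERT_TEXT = """\
Your prefix:  8.37.93.0/24:
Update time:  2014-04-02 18:26 (UTC)
Detected by #peers:   2
Detected prefix:  8.37.93.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761

Your prefix:  199.47.80.0/21:
Prefix Description:   NET-199-47-80-0-1
Update time:  2014-04-02 20:29 (UTC)
Detected by #peers:   1
Detected prefix:  199.47.80.0/21
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 38794 4651 4761
"""

# Constructed table of validated ROA payloads: (prefix, max length, origin ASN).
# Prefix and ASN come from the "expected 46851" alert; max length 21 is assumed.
VRPS = [(ipaddress.ip_network("199.47.80.0/21"), 21, 46851)]

FIELD = re.compile(r"^([A-Za-z][A-Za-z #]*?):\s+(.*)$")


def parse_alerts(text):
    """Split alert text into dicts, re-joining values wrapped by the mailer."""
    alerts, cur, last = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD.match(line)
        if m:
            if m.group(1) == "Your prefix" and cur:
                alerts.append(cur)          # a new alert starts here
                cur = {}
            last = m.group(1)
            cur[last] = m.group(2).strip().rstrip(":")
        elif last:
            cur[last] += " " + line         # continuation of a wrapped value
    if cur:
        alerts.append(cur)
    return alerts


def origin_validation(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v[0].version == route.version and route.subnet_of(v[0])]
    if not covering:
        return "not-found"                  # no ROA covers it: nothing to check
    for _net, max_len, asn in covering:
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid"                        # covered, but wrong origin or too specific


def triage(alert, wide_threshold=10):
    """Summarise one alert: who originated it, ROV state, and how far it spread."""
    origin = int(re.match(r"AS(\d+)", alert["Announced by"]).group(1))
    path = [int(asn) for asn in alert["ASpath"].split()]
    peers = int(alert["Detected by #peers"])
    return {
        "prefix": alert["Detected prefix"],
        "origin": origin,
        "collector_as": path[0],            # the peer that reported the route
        "path_ends_at_origin": path[-1] == origin,
        "rov": origin_validation(alert["Detected prefix"], origin),
        "scope": "widespread" if peers > wide_threshold else "limited",
    }


if __name__ == "__main__":
    for a in parse_alerts(ALERT_TEXT):
        print(triage(a))
```

Both sample alerts come out as "limited" in scope and were reported by AS18356; only the prefix with a covering ROA can be marked "invalid", while the other is "not-found".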
 
 



Re: BGPMON Alert Questions

2014-04-02 Thread Randy Bush
note joel's careful use of 'injected'.  imiho, 'hijacked' is pejorative
implying evil intent.  i very much doubt that is the case here.  it
looks much more like an accident.  could we try to be less accusatory
with our language.  'injected', 'mis-originated', ... would seem to
describe the situation.

and, btw, how many of those whose prefixes were mis-originated had
registered those prefixes in the rpki?

randy



Re: BGPMON Alert Questions

2014-04-02 Thread Valdis . Kletnieks
On Wed, 02 Apr 2014 16:16:23 -0700, Andree Toonk said:
 Quick update from BGPmon:
 We've detected 415,652 prefixes being hijacked by Indosat today.

Those who do not understand AS7007 are doomed to repeat it?






Re: BGPMON Alert Questions

2014-04-02 Thread Barry Greene

Agreed - focus on the fix. Then take a deep breath and figure out what happened.

BTW - Indosat is down hard. Cannot call into their network (cell phone). I've 
got my team reaching in to their buddies to help.


On Apr 3, 2014, at 7:22 AM, Randy Bush ra...@psg.com wrote:

 note joel's careful use of 'injected'.  imiho, 'hijacked' is pejorative
 implying evil intent.  i very much doubt that is the case here.  it
 looks much more like an accident.  could we try to be less accusatory
 with our language.  'injected', 'mis-originated', ... would seem to
 describe the situation.
 
 and, btw, how many of those whose prefixes were mis-originated had
 registered those prefixes in the rpki?
 
 randy
 





Re: BGPMON Alert Questions

2014-04-02 Thread Barry Greene
Hi Team,

Confirmation from my team talking directly to Indosat - self-inflicted with a 
bad update during a maintenance window. Nothing malicious or intentional. 

Barry





