Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Simon Leinen
cidr-report writes:
 BGP Update Report
 Interval: 20-Nov-14 -to- 27-Nov-14 (7 days)
 Observation Point: BGP Peering with AS131072

 TOP 20 Unstable Origin AS
 Rank  ASN     Upds    %    Upds/Pfx   AS-Name
[...]
 11 - AS5   38861  0.6%   7.0 -- SYMBOLICS - Symbolics, Inc.,US

Disappointing to see Symbolics (AS5) on this list.  I would expect these
Lisp Machines to have very stable BGP implementations, especially given
the leisurely release rhythm for Genera for the past few decades.  Has
the size of the IPv4 unicast table started triggering global GCs?

Seriously, all these low-numbered ASes in the report look fishy.  I
would have liked this to be an artifact of the reporting software (maybe
an issue with 4-byte ASes?), but I do see some strange paths in the BGP
table that make it look like (accidental or malicious) hijacking of
these low-numbered ASes.

Now the fact that these AS numbers are low makes me curious.  If I
wanted to hijack other folks' ASes deliberately, I would probably avoid
such numbers because they stand out.  Maybe these are just non-standard
private-use ASes that are leaked?

Some suspicious paths I'm seeing right now:

  133439 5
  197945 4

Hm, maybe 32-bit ASes do have something to do with this...

Any ideas?
-- 
Simon. (Just curious)

[...]
 17 - AS3   30043  0.4%  3185.0 -- MIT-GATEWAYS - Massachusetts Institute of Technology,US
[...]

 TOP 20 Unstable Origin AS (Updates per announced prefix)
 Rank  ASN     Upds    %    Upds/Pfx   AS-Name
[...]
 13 - AS5   38861  0.6%   7.0 -- SYMBOLICS - Symbolics, Inc.,US
[...]
 15 - AS4   21237  0.3%   871.0 -- ISI-AS - University of Southern California,US
[...]
 19 - AS4    5345  0.1%  1437.0 -- ISI-AS - University of Southern California,US
 20 - AS4    8784  0.1%  2303.0 -- ISI-AS - University of Southern California,US


Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Pierfrancesco Caci
 Simon == Simon Leinen simon.lei...@switch.ch writes:

Simon Some suspicious paths I'm seeing right now:

Simon   133439 5
Simon   197945 4

my bet is on someone using the syntax "prepend asnX times Y" on a router
that instead wants "prepend asnX asnX ..."

-- 
Pierfrancesco Caci, ik5pvx


Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Paul S.
Do these people never check what exactly they end up originating 
outbound due to a config change, if that's really the case?


On 11/30/2014 11:24 PM, Pierfrancesco Caci wrote:

Simon == Simon Leinen simon.lei...@switch.ch writes:

 Simon Some suspicious paths I'm seeing right now:

 Simon   133439 5
 Simon   197945 4

my bet is on someone using the syntax prepend asnX timesY on a router
that instead wants prepend asnX asnX





Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Harry Hoffman
I'm currently looking into AS3 in an attempt to figure out what's going on.

Always interested to hear what others have found out.

Cheers,
Harry

On Nov 30, 2014 8:57 AM, Simon Leinen simon.lei...@switch.ch wrote:



Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Valdis . Kletnieks
On Mon, 01 Dec 2014 00:53:07 +0900, Paul S. said:
 Do these people never check what exactly they end up originating
 outbound due to a config change, if that's really the case?

You're new here, aren't you? :)




Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Joe Provo
On Mon, Dec 01, 2014 at 12:53:07AM +0900, Paul S. wrote:
 Do these people never check what exactly they end up originating 
 outbound due to a config change, if that's really the case?

Of course not, because their neighbors are allowing it to 
pass; so as with all hijacks, deaggregation, and other 
unfiltered noise, the only care is traffic going in and 
out. QA (let alone automated sanity checks) are alien
concepts to many, and "well, it works" is the answer from 
some when contacted.  

It smells like this is as PF surmises and might just be 
folks amenable to fixing it when contacted. We'll see...

Cheers!

Joe

-- 
RSUC / GweepNet / Spunk / FnB / CotSG / Usenix / NANOG


Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Stephen Satchell
On 11/30/2014 11:26 AM, valdis.kletni...@vt.edu wrote:
 On Mon, 01 Dec 2014 00:53:07 +0900, Paul S. said:
 Do these people never check what exactly they end up originating
 outbound due to a config change, if that's really the case?
 
 You're new here, aren't you? :)

Thank you, I needed the laugh.

Sometimes, getting the idea that checking one's work is necessary proves
to be a hard lesson to teach to some of those young whippersnappers.  I
live and work in Reno NV, so I put the lesson in terms they can understand:

  A triple check beats a double-cross.

This is sufficiently annoying to people that they do indeed check their
work...so they don't have to listen to me spout this cliche when things
get screwed up.



Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Andree Toonk
.-- My secret spy satellite informs me that at 2014-11-30 6:24 AM
Pierfrancesco Caci wrote:
 Simon == Simon Leinen simon.lei...@switch.ch writes:
 
 Simon Some suspicious paths I'm seeing right now:
 
 Simon   133439 5
 Simon   197945 4
 
 my bet is on someone using the syntax prepend asnX timesY on a router
 that instead wants prepend asnX asnX 

I agree. When looking at the distribution of ASNs that appear to be
hijacking prefixes, the lower-numbered ASNs stand out. AS1, 2, 3, 4, 5 are
common. When looking closer, the next-hop AS is typically the 'expected'
AS, which would confirm the prepend theory.

185.78.114.0/24 was announced as .* 47551 5 and  but now as .*
47551. I guess they found out the 5x prepending didn't work as expected.

AS3 (MIT) seems to be particularly popular, probably by folks who
attempt to prepend 3 times. Here's a current example:

212.69.8.0/23   [BGP/170] 6d 05:45:32, MED 22007, localpref 100
  AS path: 3356 15958 52116 3 I

This is a prefix in Serbia, routes to Serbia and doesn't seem to be
related to MIT (AS3) at all.

Another example: AS35819, Etihad Etisalat was originating some of its
prefixes as AS1 earlier this week as well.
https://twitter.com/bgpmon/status/537062576002064385

Just a few examples.

Cheers,
 Andree
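
Andree's observation (a tiny origin AS whose preceding AS is the expected origin, and a real prepend repeating the previous AS instead) can be turned into a routine check over a routing table. This Python is an added example, not code from the thread or from BGPmon; the threshold of 16 and the prefixes attached to the first two quoted paths are assumptions.

```python
import re

# Origin ASNs at or below this value are treated as candidate prepend
# counts. The threshold is an assumption, not a value from the thread.
MAX_SUSPECT_ORIGIN = 16

def parse_as_path(text):
    """Turn '3356 15958 52116 3 I' into [3356, 15958, 52116, 3].
    Trailing origin-code letters are dropped; AS_SET braces and commas
    are treated as separators."""
    return [int(t) for t in re.sub(r"[{},]", " ", text).split() if t.isdigit()]

def botched_prepend(as_path):
    """Return the AS that probably meant to prepend itself, else None.
    Pattern: the origin is a small number N, the AS before it is an
    ordinary AS, and N occurs nowhere else in the path. A real prepend
    repeats the previous AS, so '52116 52116 52116' is not flagged."""
    if len(as_path) < 2:
        return None
    origin, prev = as_path[-1], as_path[-2]
    if origin > MAX_SUSPECT_ORIGIN or prev <= MAX_SUSPECT_ORIGIN:
        return None
    if as_path.count(origin) > 1:
        return None
    return prev

def scan(routes):
    """routes: iterable of (prefix, as_path_text).
    Returns [(prefix, observed_origin, probable_real_origin), ...]."""
    findings = []
    for prefix, path_text in routes:
        path = parse_as_path(path_text)
        culprit = botched_prepend(path)
        if culprit is not None:
            findings.append((prefix, path[-1], culprit))
    return findings

# Constructed sample table. The AS paths of the first four entries are the
# ones quoted in the thread (the prefixes for the first two are documentation
# ranges chosen here); the last entry is a correct 3x self-prepend by AS52116.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", "133439 5"),
    ("198.51.100.0/24", "197945 4"),
    ("185.78.114.0/24", "47551 5"),
    ("212.69.8.0/23", "3356 15958 52116 3 I"),
    ("203.0.113.0/24", "3356 15958 52116 52116 52116 52116 I"),
]

if __name__ == "__main__":
    for prefix, seen, probable in scan(SAMPLE_ROUTES):
        print(f"{prefix}: origin AS{seen} looks like a prepend count; "
              f"probable real origin is AS{probable}")
```

Running it over a full table dump (one prefix and AS path per line) flags exactly the kind of entries Simon and Andree quoted, while leaving genuine self-prepends and legitimate low-numbered origins that repeat themselves alone.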





Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Jay Ashworth
- Original Message -
 From: Joe Provo nanog-p...@rsuc.gweep.net

 On Mon, Dec 01, 2014 at 12:53:07AM +0900, Paul S. wrote:
  Do these people never check what exactly they end up originating
  outbound due to a config change, if that's really the case?
 
 Of course not because their neighbors are allowing it to
 pass; so as with all hijacks, deaggregation, and other
 unfiltered noise, the only care is traffic going in and
 out. QA (let alone automated sanity checks) are alien
 concepts to many, and well it works is the answer from
 some when contacted.

That's sort of the BGP equivalent to BCP38 filtering, isn't it?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Jason Bothe
I’m not new here but the thread caught my eye, as I am one of the lower ASs 
being mentioned.  I guess there isn’t really anything one can do to prevent 
these things other than listening to route servers, etc.  I guess it’s all on 
what the upstream decides to allow-in and re-advertise.

Jason

Jason Bothe, Manager of Networking

   o   +1 713 348 5500
   m  +1 713 703 3552
  ja...@rice.edu




On 30, Nov 2014, at 2:37 PM, Jay Ashworth j...@baylink.com wrote:




Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Scott Weeks


--- ja...@rice.edu wrote:
From: Jason Bothe ja...@rice.edu

I’m not new here but the thread caught my eye, as I am one of 
the lower ASs being mentioned.  I guess there isn’t really 
anything one can do to prevent these things other than listening 
to route servers, etc.  I guess it’s all on what the upstream 
decides to allow-in and re-advertise.



First, obviously, set BGP filters to allow only what you expect
to send upstream.

Then, look at what your routers are advertising to your upstreams
using 'sho bgp advertised routes' type commands to make sure it's
exactly what you're expecting to send.

Last, look on route servers at various places around the internet 
to make sure everything is advertised according to expectations.  You can
find a lot here: http://www.traceroute.org/#Route%20Servers

Also, of course, all of this can be done on a regular basis using 
programs instead of being done manually.

scott