nanog mailing list archives

Kenyan Route Hijack

From: Danny McPherson <danny () tcb net>
Date: Sat, 15 Mar 2008 11:57:50 -0600


[more accurate subject line]

On Mar 14, 2008, at 1:33 PM, Felix Bako wrote:

Hello,
There is a routing loop while accesing my network 194.9.82.0/24 fromsome networks on the Internet.
| This is a test done from  lg.above.net looking glass.
1 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0msec2 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78Exp 0] 0 msec 0 msec 0 msec
3 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 8 msec 8 msec 0 msec
4 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80Exp 0] 0 msec 4 msec 0 msec5 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0msec6 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78Exp 0] 0 msec 0 msec 4 msec
7 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 64 msec 0 msec 4 msec
8 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80Exp 0] 0 msec 4 msec 0 msec9 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0msec10 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label78 Exp 0] 0 msec 4 msec 0 msec11 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 4 msec 0 msec 4msec|


According to RIPE BGP play data looks to me like AS 6461
(Abovenet) began announcing 194.9.82.0/24 about 10 hours
ago, pulling traffic away from AS 39615 and triggering your
reachability problems (Note times are UTC):

# 1/361 2008-03-15 03:05:27 Path Change from 29636 6461 2914 851325228 36915

  rrc01  195.66.224.132                       to  29636 2914 6461
# 2/361  2008-03-15 03:05:27   Route Announcement   20485 2914 6461
  rrc01  195.66.224.212
....

About 17 minutes later AS 6461 they withdrew the route announcement:

# 41/361  2008-03-15 03:22:56   Route Withdrawal ( 4777 2497 2914 6461 )
   rrc06  202.249.2.20
....

And another 12 minutes or so later they began announcing it
again:

# 42/361 2008-03-15 03:35:26 Path Change from 29636 6461 29148513 25228 36915

   rrc01  195.66.224.132                       to  29636 2914 6461
...

Seemed to be a bunch more instability with this prefix around 5:53:

# 66/361  2008-03-15 05:53:40   Route Announcement   25462 6461
   rrc07  194.68.123.157
...

And then some withdraws around 7:43:

# 183/361  2008-03-15 07:43:48   Path Change  from  8468 6453 6461

rrc01 195.66.224.151 to 8468 3491 2522825228 25228 25228 25228 36915

...

With considerable oscillation for around 40 minutes between the legit
path via AS 36915 and the path via AS 6461.

And the latest was this transition from AS 6461 back to the 36915 path
about 2 hours ago, but only by a few ASNs, I suspect because those ASNs

explicitly modified policy (either preference or filtering) tode_prefer the

AS 6461 path.  This is illustrated pretty nicely with BGP play:

# 335/361  2008-03-15 14:59:43   Route Withdrawal ( 1916 3549 6461 )
    rrc15  200.219.130.4
# 361/361  2008-03-15 15:00:27   Path Change  from  13645 3356 6461

rrc11 198.32.160.150 to 13645 3491 2522825228 25228 25228 25228 36915


BGP Play applet here:

http://www.ris.ripe.net/bgplay/applet.html?

Although most folks are definitely still preferring the AS 6461
path.

An interesting bit is that the current announcement on routeviews
directly from AS 6461 has Community 6461:5999 attached:
...
  6461
    64.125.0.137 from 64.125.0.137 (64.125.0.137)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 6461:5999
...

According to this, that community is used for "internal prefixes":

http://onesc.net/communities/as6461/

"6461:5999 internal prefix"

A "sh ip bgp community 6461:5999" currently yields 130 prefixes
with Origin AS of 6461 and that community.  Nothing more specific
than a /24, although many many adjacent prefixes that would
presumably be aggregated normally are announced as well.

The closest adjacent prefix to 194.9.82/24 they're announcing
is 194.9.40/24, which is one of their prefixes:

*> 194.9.40.0       64.125.0.137             0             0 6461 i
*> 194.9.82.0       64.125.0.137             0             0 6461 i

Unfortunately, the AS6461 forwarding loops still exists, and most
ASNs still appear to be preferring their path over yours per BGP
AS path route selection rules:

---
danny@pork% date
Sat Mar 15 11:55:27 MDT 2008
...

14 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 188.278 ms172.714 ms 174.984 ms15 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 176.234 ms174.013 ms 174.109 ms16 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 173.230 ms172.892 ms 174.765 ms17 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) 174.721 ms175.256 ms 174.738 ms18 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 174.437 ms220.815 ms 180.961 ms19 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 177.564 ms181.966 ms 174.771 ms20 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 176.028 ms174.269 ms 174.365 ms21 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) 175.626 ms175.381 ms 175.831 ms22 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 174.046 ms174.841 ms 174.388 ms23 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 174.861 ms174.857 ms 175.475 ms

...

My recommendation, stay on the phone with Abovenet (via your
upstream, and their upstream if necessary) until you see a withdraw
for the route on routeviews from AS 6461:

telnet route-views.routeviews.org
sh ip bgp 194.9.82.0/24

-danny

Current thread:

Routing Loop Felix Bako (Mar 14)
- RE: Routing Loop Darden, Patrick S. (Mar 14)
- Kenyan Route Hijack Danny McPherson (Mar 15)
  - Re: Kenyan Route Hijack Danny McPherson (Mar 15)
    - Re: Kenyan Route Hijack Glen Kent (Mar 15)
    - Re: Kenyan Route Hijack Bill Stewart (Mar 15)
    - Re: Kenyan Route Hijack Randy Bush (Mar 15)
    - Re: Kenyan Route Hijack Adrian Chadd (Mar 15)
  - Re: Kenyan Route Hijack Jeff Aitken (Mar 17)
- <Possible follow-ups>
- Routing Loop Felix Bako (Mar 15)
  - Re: Routing Loop Adrian Chadd (Mar 15)
    - RE: Routing Loop Frank Bulk (Mar 15)
  - RE: Routing Loop Robert D. Scott (Mar 15)

(Thread continues...)