nanog mailing list archives
Re: Dreamhost/AS26347 unauthorized bgp announcement
From: Job Snijders <job.snijders () atrato com>
Date: Thu, 7 Mar 2013 12:30:07 +0100
Hi all, Just a small update. Off-list Andree and me have been working together with Kenneth from dreamhost to try and figure out what exactly happened and which device or party orginated these prefixes. Unfortunately no hard conclusions can be drawn from the data available to us, especially since we lack proper insight into this Any2 routeserver. I also want to emphasize that Kenneth and Dreamhost have been very forth coming in sharing data (configs, stats, networkplans) to find the root cause. We have put additional monitoring in place to try and catch more data if this happens a next time. Thank you all for being on top of incidents like this! Kind regards, Job On Mar 6, 2013, at 7:29 PM, Andree Toonk <andree+nanog () toonk nl> wrote:
.-- My secret spy satellite informs me that at 2013-03-06 12:59 AM Matsuzaki Yoshinobu wrote:According to RIPE RIS, AS26347 announced a bunch of prefixes again. - http://www.ris.ripe.net/dashboard/26347 First suspicious announcement was started 2013-03-06 07:52:40 UTC, and last seen 2013-03-06 08:33:56 UTC. 195 prefixes total. It seems these unauthorized announcements have the same profile as before - AS26347 shrinks the prefix lenght of their received prefix somehow upto /20, and re-originates the prefix with origin AS26347. Any known bugs?Sounds indeed like an exact copy of the incident on January 11: http://seclists.org/nanog/2013/Jan/243 That time the prefixes seem to also have been learned via a route-server in LA. The strange thing is that the majority of the 'hijacked' prefixes (today and in January) are new more specifics (not seen before). (Using some kind of BGP route optimizer?). This time it affected 203 unique prefixes and 133 ASns. Below a list of some of the affected ASns 20115 Charter Telecom. 4837 China Unicom 8151 UNINET Mexico 11427 Roadrunner 42961 MTC GPRS Kuwait 7303 Telecom Argentina S.A. 25135 Vodafone 7018 AT&T 6389 BellSouth.net 8220 Colt 19262 Verizon 9143 ZIGGO 6830 UPC 5089 Virgin Media Cheers, Andree
-- AS5580 - Atrato IP Networks
Current thread:
- Dreamhost/AS26347 unauthorized bgp announcement Matsuzaki Yoshinobu (Mar 06)
- Re: Dreamhost/AS26347 unauthorized bgp announcement Job Snijders (Mar 06)
- RE: Dreamhost/AS26347 unauthorized bgp announcement Drew Weaver (Mar 06)
- Re: Dreamhost/AS26347 unauthorized bgp announcement Job Snijders (Mar 06)
- Re: Dreamhost/AS26347 unauthorized bgp announcement Kenneth McRae (Mar 06)
- RE: Dreamhost/AS26347 unauthorized bgp announcement Drew Weaver (Mar 06)
- Re: Dreamhost/AS26347 unauthorized bgp announcement Job Snijders (Mar 06)
- Re: Dreamhost/AS26347 unauthorized bgp announcement Andree Toonk (Mar 06)
- Re: Dreamhost/AS26347 unauthorized bgp announcement Job Snijders (Mar 07)