nanog mailing list archives
Re: [renesys] The New Threat: Targeted Internet Traffic Misdirection
From: Stephane Bortzmeyer <bortzmeyer () nic fr>
Date: Tue, 26 Nov 2013 22:09:24 +0100
On Wed, Nov 20, 2013 at 01:54:00PM -0500, Christopher Morrow <morrowc.lists () gmail com> wrote a message of 11 lines which said:
> someone has already parsed out all route announcements from ris/routeviews for the 2 specific incidents in question in the article? and posted the contents somewhere for review? I didn't see Renesys do that :(
Indeed. But the data is public. Let's use RouteViews. Renesys gave us the exact time (0736 UTC) and the origin AS. From the time, let's find the relevant RouteViews file, whose URL is made of date and time:

ftp://archive.routeviews.org/route-views.linx/bgpdata/2013.07/UPDATES/updates.20130731.0730.bz2

Download, bunzip2, bgpdump to translate the MRT to text, then Control-S in emacs to find announcements by AS 48685. And here it is:

TIME: 07/31/13 07:36:46
TYPE: BGP4MP/MESSAGE/Update
FROM: 195.66.236.35 AS6067
TO: 195.66.237.222 AS6447
ORIGIN: IGP
ASPATH: 6067 6677 48685
NEXT_HOP: 195.66.236.35
ANNOUNCE
  64.81.96.0/24
  64.81.97.0/24
  64.81.101.0/24
  64.81.103.0/24
  64.81.110.0/24
  64.81.112.0/24
  64.81.113.0/24
  64.81.115.0/24
  64.81.116.0/24
  64.81.122.0/24
  64.81.125.0/24
  64.81.127.0/24
  64.81.161.0/24
  64.81.162.0/24
  64.81.163.0/24
  64.81.164.0/24
  64.81.166.0/24
  64.81.167.0/24
  64.81.169.0/24
  64.81.170.0/24
  64.81.171.0/24
  64.81.172.0/24
  64.81.177.0/24
  64.81.192.0/19
  64.81.199.0/24
  64.81.203.0/24
  64.81.204.0/24
  64.81.205.0/24
  64.81.208.0/24
  64.81.209.0/24
  64.81.212.0/24
  64.81.214.0/24
  64.105.6.0/23
  64.105.14.0/23
  64.105.20.0/23
  64.105.24.0/21
  64.105.32.0/21
  64.105.52.0/23
  64.105.54.0/23
  64.105.56.0/23
  64.105.58.0/23
  64.105.60.0/23
  64.105.62.0/23
  64.105.66.0/23
  64.105.70.0/23
  64.105.72.0/21
  64.105.82.0/23
  64.105.88.0/21
  64.105.114.0/23
  64.105.128.0/21
  64.105.144.0/21
  64.105.160.0/23
  64.105.162.0/23
  64.105.176.0/23
  64.105.180.0/22
  64.105.192.0/23
  64.105.194.0/23
  64.105.202.0/23
  64.105.210.0/23
  64.105.212.0/23
  64.105.218.0/23
  64.105.220.0/23
  64.105.226.0/23
  64.105.230.0/23
  64.105.240.0/23
  64.105.242.0/23
  64.105.244.0/22
  64.105.252.0/23
  66.92.20.0/24
  66.92.22.0/24
  66.92.46.0/24
  66.92.52.0/22
  66.92.64.0/19
  66.92.99.0/24
  66.92.100.0/24
  66.92.106.0/24
  66.92.144.0/24
  66.92.145.0/24
  66.92.147.0/24
  66.92.149.0/24
  66.92.152.0/24
  66.92.159.0/24
  66.92.160.0/24
  66.92.161.0/24
  66.92.162.0/24
  66.92.176.0/23
  66.92.213.0/24
  66.92.215.0/24
  66.92.224.0/20
  66.92.240.0/23
  66.92.241.0/24
  66.93.24.0/24
  66.93.25.0/24
  66.93.38.0/24
  66.93.39.0/24
  66.93.40.0/24
  66.93.49.0/24
  66.93.56.0/24
  66.93.59.0/24
  66.93.62.0/24
  66.93.74.0/24
  66.93.81.0/24
  66.93.82.0/24
  66.93.83.0/24
  66.93.84.0/23
  66.93.88.0/22
  66.93.99.0/24
  66.93.100.0/24
  66.93.103.0/24
  66.93.106.0/24
  66.93.107.0/24
  66.93.115.0/24
  66.93.168.0/23
  66.93.174.0/24
  66.93.176.0/23
  66.93.214.0/24
  66.93.216.0/24
  66.93.216.0/21
  66.93.224.0/24
  66.93.224.0/22
  66.93.228.0/24
  66.93.232.0/22
  66.93.240.0/24
  66.93.241.0/24
  66.93.242.0/24
  66.93.243.0/24
  66.93.244.0/24
  66.93.246.0/24
  66.93.248.0/24
  66.93.251.0/24
  66.93.252.0/23
  66.134.2.0/23
  66.134.18.0/23
  66.134.36.0/23
  66.134.38.0/23
  66.134.40.0/21
  66.134.48.0/21
  66.134.58.0/23
  66.134.60.0/23
  66.134.64.0/21
  66.134.76.0/23
  66.134.78.0/23
  66.134.98.0/23
  66.134.106.0/23
  66.134.116.0/23
  66.134.118.0/23
  66.134.136.0/21
  66.134.150.0/23
  66.134.152.0/21
  66.134.168.0/21
  66.134.176.0/23
  66.134.178.0/23
  66.134.182.0/23
  66.134.184.0/21
  66.134.208.0/21
  66.134.216.0/23
  66.134.220.0/23
  66.134.224.0/21
  66.134.232.0/21
  66.134.240.0/21
  66.166.10.0/23
  66.166.46.0/23
  66.166.64.0/21
  66.166.94.0/23
  66.166.112.0/23
  66.166.114.0/23
  66.166.136.0/23
  66.166.138.0/23
  66.166.144.0/21
  66.166.160.0/23
  66.166.162.0/23
  66.166.176.0/23
  66.166.180.0/23
  66.166.184.0/23
  66.166.200.0/21
  66.166.216.0/21
  66.166.244.0/23
  66.166.246.0/23
  66.166.248.0/23
  66.166.254.0/23
  66.167.0.0/21
  66.167.10.0/23
  66.167.26.0/23
  66.167.32.0/21
  66.167.50.0/23
  66.167.60.0/23
  66.167.62.0/23
  66.167.64.0/21
  66.167.72.0/21
  66.167.80.0/21
  66.167.96.0/21
  66.167.104.0/21
  66.167.118.0/23
  66.167.136.0/22
  66.167.152.0/21
  66.167.170.0/23
  66.167.176.0/21
  66.167.196.0/23
  66.167.208.0/23
  66.167.216.0/21
  66.167.224.0/21
  66.167.252.0/23
  66.167.254.0/23
  66.253.10.0/24
  66.253.20.0/24
  66.253.21.0/24
  66.253.22.0/24
  66.253.28.0/22
  66.253.40.0/22
  66.253.44.0/24
  66.253.45.0/24
  66.253.46.0/24
  66.253.47.0/24
  66.253.52.0/22
  66.253.56.0/24
  66.253.81.0/24
  66.253.82.0/24
  66.253.83.0/24
  66.253.84.0/24
  66.253.92.0/24
  66.253.93.0/24
  66.253.118.0/24
  67.100.0.0/23
  67.100.4.0/23
  67.100.48.0/21
  67.100.56.0/21
  67.100.72.0/21
  67.100.80.0/21
  67.100.96.0/21
  67.100.104.0/21
  67.100.112.0/21
  67.100.124.0/22
  67.100.128.0/23
  67.100.136.0/23
  67.100.138.0/23
  67.100.144.0/21
  67.100.168.0/21
  67.100.184.0/21
  67.100.192.0/21
  67.100.220.0/23
  67.101.14.0/23
  67.101.16.0/21
  67.101.72.0/21
  67.101.92.0/23
  67.101.94.0/23
  67.101.124.0/22
  67.101.128.0/21
  67.101.140.0/23
  67.101.142.0/23
  67.101.152.0/21
  67.101.176.0/21
  67.101.192.0/21
  67.101.200.0/21
  67.101.224.0/23
  67.101.230.0/23
  67.101.240.0/21
  67.101.248.0/21
  67.102.0.0/21
  67.102.8.0/23
  67.102.32.0/21
  67.102.40.0/21
  67.102.48.0/21
  67.102.60.0/23
  67.102.96.0/21
  67.102.112.0/21
  67.102.120.0/23
  67.102.124.0/23
  67.102.144.0/21
  67.102.152.0/21
  67.102.166.0/23
  67.102.168.0/21
  67.102.176.0/21
  67.102.200.0/21
  67.102.234.0/23
  67.102.240.0/21
  67.102.248.0/21
  67.103.0.0/21
  67.103.8.0/21
  67.103.24.0/21
  67.103.64.0/21
  67.103.102.0/23
  67.103.110.0/23
  67.103.112.0/21
  67.103.160.0/23
  67.103.162.0/23
  67.103.192.0/21
  67.103.200.0/23
  67.103.202.0/23
  67.103.226.0/23
  67.103.250.0/23
  67.103.252.0/23
  67.103.254.0/23
  68.164.24.0/21
  68.164.32.0/21
  68.164.44.0/23
  68.164.78.0/23
  68.164.80.0/20
  68.164.96.0/21
  68.164.126.0/23
  68.164.160.0/21
  68.164.192.0/21
  68.164.208.0/23

These addresses have no relationship with Iceland, so we can say it's a hijacking. But do note there is no AS prepending in the announcement (the trick described by Kapela & Pilosov to create a clean return path). Finding the other announcements in RouteViews is left as an exercise (hint: use a RouteViews collector close to the announcement, here in England, because the hijacking announcement did not propagate everywhere).
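The procedure in the message above (pick the RouteViews UPDATES file from the timestamp, turn the MRT into text with bgpdump, then hunt for announcements from the origin AS) can be scripted so the "exercise" of finding the other announcements, on other collectors, is a loop rather than a Control-S session. The following is an added example, not code from the original post and not part of the RouteViews or bgpdump tooling: it builds the UPDATES URL from a collector name and a UTC time (RouteViews names the file by the start of its 15-minute slot, which is why 07:36 is in the 0730 file), parses bgpdump's default text output into records, selects those originated by a given AS, and flags classic AS-path prepending (the same ASN repeated in adjacent positions). The sample records are constructed: the first reuses the header and three of the prefixes from the announcement quoted above, the withdraw and the AS 64496 record (an ASN from the documentation range) are made up to exercise the parser.

```python
"""Added example: locate a RouteViews UPDATES file and sift bgpdump text output
for announcements originated by a given AS. Not part of the original post."""
from datetime import datetime, timezone

ROUTEVIEWS_BASE = "ftp://archive.routeviews.org"

# The time Renesys gave for the hijack, 0736 UTC on 31 July 2013.
POST_TIME = datetime(2013, 7, 31, 7, 36, 46, tzinfo=timezone.utc)


def updates_url(collector, when, slot_minutes=15):
    """URL of the UPDATES file whose slot contains `when` (an aware UTC datetime).
    RouteViews writes one file per 15-minute slot, named by the slot start,
    so 07:36 UTC lands in the ...0730.bz2 file used in the post."""
    slot = when.replace(minute=(when.minute // slot_minutes) * slot_minutes,
                        second=0, microsecond=0)
    return (f"{ROUTEVIEWS_BASE}/{collector}/bgpdata/{slot:%Y.%m}/UPDATES/"
            f"updates.{slot:%Y%m%d}.{slot:%H%M}.bz2")


def parse_bgpdump(text):
    """Split bgpdump's default (non -m) output into records.
    Each record is a dict of 'KEY: value' header fields plus ANNOUNCE and
    WITHDRAW prefix lists; a new record starts at every TIME: line."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue                              # blank separator between records
        if line.startswith("TIME:"):
            rec = {"ANNOUNCE": [], "WITHDRAW": []}
            records.append(rec)
            section = None
        if rec is None:
            continue                              # junk before the first record
        if line in ("ANNOUNCE", "WITHDRAW"):
            section = line
        elif line[0].isspace() and section:
            rec[section].append(line.strip())     # indented prefix line
        else:
            key, _, value = line.partition(":")   # 'KEY: value' header field
            rec[key.strip()] = value.strip()
            section = None
    return records


def origin_of(aspath):
    """Origin ASNs: the rightmost path element, expanded if it is an AS_SET like {3,4}."""
    hops = aspath.split()
    return set(hops[-1].strip("{}").split(",")) if hops else set()


def is_prepended(aspath):
    """Classic AS-path prepending: the same ASN repeated in adjacent positions."""
    hops = aspath.split()
    return any(a == b for a, b in zip(hops, hops[1:]))


def announcements_from(records, origin_as):
    """Records announcing at least one prefix with `origin_as` as the origin."""
    return [r for r in records
            if r["ANNOUNCE"] and str(origin_as) in origin_of(r.get("ASPATH", ""))]


# Constructed sample bgpdump output (see the lead-in): record 1 is abbreviated
# from the real announcement, records 2 and 3 are made up.
SAMPLE = """\
TIME: 07/31/13 07:36:46
TYPE: BGP4MP/MESSAGE/Update
FROM: 195.66.236.35 AS6067
TO: 195.66.237.222 AS6447
ORIGIN: IGP
ASPATH: 6067 6677 48685
NEXT_HOP: 195.66.236.35
ANNOUNCE
  64.81.96.0/24
  64.81.97.0/24
  64.105.24.0/21

TIME: 07/31/13 07:36:47
TYPE: BGP4MP/MESSAGE/Update
FROM: 195.66.236.35 AS6067
TO: 195.66.237.222 AS6447
WITHDRAW
  192.0.2.0/24

TIME: 07/31/13 07:36:48
TYPE: BGP4MP/MESSAGE/Update
FROM: 195.66.236.35 AS6067
TO: 195.66.237.222 AS6447
ORIGIN: IGP
ASPATH: 6067 64496 64496
NEXT_HOP: 195.66.236.35
ANNOUNCE
  198.51.100.0/24
"""

if __name__ == "__main__":
    print(updates_url("route-views.linx", POST_TIME))
    for r in announcements_from(parse_bgpdump(SAMPLE), 48685):
        print(r["TIME"], "ASPATH", r["ASPATH"],
              "prepended" if is_prepended(r["ASPATH"]) else "no prepending",
              len(r["ANNOUNCE"]), "prefixes")
```

To run it against real data, fetch the URL, `bunzip2` it, pipe the file through `bgpdump` and feed the text to `parse_bgpdump`; looping `updates_url` over the collector names under archive.routeviews.org (route-views.linx for LINX, as in the post) is how you check which collectors saw the announcement and which did not.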
Current thread:
- [renesys] The New Threat: Targeted Internet Traffic Misdirection Stephane Bortzmeyer (Nov 19)
- Re: [renesys] The New Threat: Targeted Internet Traffic Misdirection Christopher Morrow (Nov 20)
- Re: [renesys] The New Threat: Targeted Internet Traffic Misdirection Stephane Bortzmeyer (Nov 26)
- Re: [renesys] The New Threat: Targeted Internet Traffic Misdirection Christopher Morrow (Nov 26)
- Re: [renesys] The New Threat: Targeted Internet Traffic Misdirection Christopher Morrow (Nov 26)
- Re: [renesys] The New Threat: Targeted Internet Traffic Misdirection Stephane Bortzmeyer (Nov 26)
- Re: [renesys] The New Threat: Targeted Internet Traffic Misdirection Christopher Morrow (Nov 20)