nanog mailing list archives
RE: Level 3 Outage
From: "Frank Bulk" <frnkblk () iname com>
Date: Fri, 27 Mar 2015 22:44:41 -0500
Yes, see this thread: https://puck.nether.net/pipermail/outages/2015-March/007687.html

Frank

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Debottym Mukherjee
Sent: Friday, March 27, 2015 10:14 AM
To: nanog () nanog org
Subject: Level 3 Outage

Did anyone else experience a Level 3 outage in the last couple of days? Seems like we've been affected with quite a few VPNV4 outages (one that lasted for up to 9 hrs) and didn't get resolved until they rebuilt their vpnv4 address family on their PE router(s)?

On Thu, Mar 26, 2015 at 8:00 AM, <nanog-request () nanog org> wrote:
Send NANOG mailing list submissions to
        nanog () nanog org

To subscribe or unsubscribe via the World Wide Web, visit
        http://mailman.nanog.org/mailman/listinfo/nanog
or, via email, send a message with subject or body 'help' to
        nanog-request () nanog org

You can reach the person managing the list at
        nanog-owner () nanog org

When replying, please edit your Subject line so it is more specific than "Re: Contents of NANOG digest..."

Today's Topics:

   1. godaddy contact (Tim)
   2. Frontier: Blocking port 22 because of illegal files? (Aaron C. de Bruyn)
   3. Re: Frontier: Blocking port 22 because of illegal files? (Eygene Ryabinkin)
   4. Re: Frontier: Blocking port 22 because of illegal files? (Jon Lewis)
   5. Re: Frontier: Blocking port 22 because of illegal files? (Stephen Satchell)
   6. Re: Frontier: Blocking port 22 because of illegal files? (Seth Mos)
   7. booster to gain distance above 60km (Rodrigo Augusto)
   8. Re: Frontier: Blocking port 22 because of illegal files? (Jens Link)
   9. Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
  10. Re: Frontier: Blocking port 22 because of illegal files? (Livingood, Jason)
  11. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
  12. Re: Frontier: Blocking port 22 because of illegal files? (Jeff Richmond)
  13. Re: Frontier: Blocking port 22 because of illegal files? (Daniel Corbe)
  14. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
  15. RE: Prefix hijack by INDOSAT AS4795 / AS4761 (Peter Rocca)
  16. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
  17. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
  18. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
  19. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Pierre Emeriaud)
  20. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Paul S.)
  21. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Chuck Anderson)
  22. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christian Teuschel)
  23. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Andree Toonk)
  24. RE: Prefix hijack by INDOSAT AS4795 / AS4761 (Peter Rocca)
  25. Charter Engineer (Shawn L)
  26. RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761] (Randy)

----------------------------------------------------------------------

Message: 1
Date: Wed, 25 Mar 2015 16:41:50 -0600
From: Tim <timphp () progressivemarketingnetwork com>
To: nanog () nanog org
Subject: godaddy contact
Message-ID: <551339AE.8010203 () progressivemarketingnetwork com>
Content-Type: text/plain; charset=utf-8

Anyone from godaddy on here or have contact details for them? We are having a routing issue to them.

------------------------------

Message: 2
Date: Wed, 25 Mar 2015 19:31:35 -0700
From: "Aaron C. de Bruyn" <aaron () heyaaron com>
To: NANOG mailing list <nanog () nanog org>
Subject: Frontier: Blocking port 22 because of illegal files?
Message-ID: <CAEE+rGqimJYAfgmzm9AJ72+gcmJxfZLM7n4Rf03vynxKN= Qfeg () mail gmail com>
Content-Type: text/plain; charset=UTF-8

I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.

After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.

When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.

I called them, and got the same ridiculous excuse.

Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:

80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names

-A

------------------------------

Message: 3
Date: Thu, 26 Mar 2015 07:21:45 +0300
From: Eygene Ryabinkin <rea+nanog () grid kiae ru>
To: "Aaron C. de Bruyn" <aaron () heyaaron com>
Cc: NANOG mailing list <nanog () nanog org>
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <nwCOvNPJTWOEp6pB7jt97dzYZ/0@xD7c2HZfPDzIruDUr3Qm9QhN1kk>
Content-Type: text/plain; charset=us-ascii

Wed, Mar 25, 2015 at 07:31:35PM -0700, Aaron C. de Bruyn wrote:
> Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
>
> 80 - Allows users to use Google to search for illegal files
> 443 - Allows users to use Google to search for illegal files in a secure manner
> 69 - Allows users to trivially transfer illegal files
> 3389 - Allows users to connect to unlicensed Windows machines
> 179 - Allows users to exchange routes to illegal file shares
> 53 - Allows people to look up illegal names

Can't help to add that there are
 - port 21 that allow users to give commands to examine the existence and initiate transfers of illegal files;
 - ports 1025 - 65535 that allow users to create data streams to actually transfer illegal files in an (oh my) passive mode.

;)
--
Eygene Ryabinkin, National Research Centre "Kurchatov Institute"

Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.

------------------------------

Message: 4
Date: Thu, 26 Mar 2015 00:56:21 -0400 (EDT)
From: Jon Lewis <jlewis () lewis org>
To: "Aaron C. de Bruyn" <aaron () heyaaron com>
Cc: NANOG mailing list <nanog () nanog org>
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <Pine.LNX.4.61.1503260052100.10544 () soloth lewis org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Wed, 25 Mar 2015, Aaron C. de Bruyn wrote:
> I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
>
> After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
>
> When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
>
> I called them, and got the same ridiculous excuse.
>
> Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:

I wonder if their support is just confused, and Frontier is really blocking outbound tcp/22 to stop complaints generated by infected customers with sshd scanners. After all, most of their customers probably don't know what SSH is.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

------------------------------

Message: 5
Date: Thu, 26 Mar 2015 04:24:38 -0700
From: Stephen Satchell <list () satchell net>
To: nanog () nanog org
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <5513EC76.5060306 () satchell net>
Content-Type: text/plain; charset=UTF-8

On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
> After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.

It's been a while since I did this, but you can select an additional port to accept SSH connections. A Google search indicates you can specify multiple ports in OpenSSH. Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.

People with sane ISPs can use the standard port. People on Frontier can use the alternate port, which shouldn't be firewalled by the provider. If Frontier is running a mostly-closed firewall configuration, then you have to be damn careful about the port you select.

------------------------------

Message: 6
Date: Thu, 26 Mar 2015 12:56:31 +0100
From: Seth Mos <seth.mos () dds nl>
To: nanog () nanog org
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <5513F3EF.2080805 () dds nl>
Content-Type: text/plain; charset=utf-8

Stephen Satchell wrote on 26-3-2015 at 12:24:
> On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
>> After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
>
> It's been a while since I did this, but you can select an additional port to accept SSH connections. A Google search indicates you can specify multiple ports in OpenSSH. Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.
>
> People with sane ISPs can use the standard port. People on Frontier can use the alternate port, which shouldn't be firewalled by the provider. If Frontier is running a mostly-closed firewall configuration, then you have to be damn careful about the port you select.

Ahem, just to clarify, he is not talking about inbound on the Frontier connection, but outbound *from* the Frontier network.

Akin to the "Let's block outbound port 25 (smtp)". This is just a really really bad idea m'kay.

Cheers

------------------------------

Message: 7
Date: Thu, 26 Mar 2015 09:07:39 -0300
From: Rodrigo Augusto <rodrigo () 1telecom com br>
To: nanog <nanog () nanog org>
Subject: booster to gain distance above 60km
Message-ID: <D1397CDB.35C0B%rodrigo () 1telecom com br>
Content-Type: text/plain; charset="ISO-8859-1"

Hi folks... we have a point and have a 63km between point A to point B.... We have a single fiber ( only one fiber) and use a fiberstore sfp+ 10GB BiDi 1270/1330 module to connect these sites. All attenuation are ok...I don't have any trouble on fiber .... I have received this signal on my sfp+:

Receiver signal average optical power : 0.0026 mW / -25.85 dBm

Does anyone know if have some possible to amplifier this scenario to get more 7db ? Is it possible to put any booster or any way to solve this?

I think to use a optical PreAmplifier...but I don't know if is possible because my scenario have just one fiber...or, use a ROPA- remote optical pumping amplifier) because I have 63km...

Does anyone have some idea?

Rodrigo Augusto
Gestor de T.I. Grupo Connectoway
http://www.connectoway.com.br <http://www.connectoway.com.br/>
http://www.1telecom.com.br <http://www.1telecom.com.br/>
* rodrigo () connectoway com br <mailto:rodrigo () connectoway com br>
( (81) 3497-6060
( (81) 8184-3646
( INOC-DBA 52965*100

------------------------------

Message: 8
Date: Thu, 26 Mar 2015 13:10:35 +0100
From: Jens Link <lists () quux de>
To: nanog () nanog org
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <87mw30hscj.fsf () pc8 berlin quux de>
Content-Type: text/plain

Stephen Satchell <list () satchell net> writes:

> It's been a while since I did this, but you can select an additional port to accept SSH connections.

That's easy:

jens@screen:~$ grep Port /etc/ssh/sshd_config
Port 22
Port 443

> Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.

I always have at least one sshd listening on port 443. For all the hotel, coffee house, customer networks blocking ssh.

You can even multiplex and run ssh and ssl on the same port: http://www.rutschle.net/tech/sslh.shtml

Jens
--
----------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany    | +49-151-18721264         |
| http://blog.quux.de | jabber: jenslink () jabber quux de | --------------- |
----------------------------------------------------------------------------

------------------------------

Message: 9
Date: Thu, 26 Mar 2015 07:08:20 -0700
From: Randy <amps () djlab com>
To: nanog () nanog org
Subject: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <b8636bc52cdc7f7f595ff96c7b078445 () mailbox fastserv com>
Content-Type: text/plain; charset=US-ASCII; format=flowed

On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?

198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889

--
Randy

------------------------------

Message: 10
Date: Thu, 26 Mar 2015 14:09:52 +0000
From: "Livingood, Jason" <Jason_Livingood () cable comcast com>
To: "Aaron C. de Bruyn" <aaron () heyaaron com>, NANOG mailing list <nanog () nanog org>
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <D1398B6B.FDE9E%jason_livingood () cable comcast com>
Content-Type: text/plain; charset="Windows-1252"

ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list: http://www.frontierhelp.com/faq.cfm?qstid=277

On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron () heyaaron com<mailto: aaron () heyaaron com>> wrote:

I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.

After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.

When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.

I called them, and got the same ridiculous excuse.

Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:

80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names

-A

------------------------------

Message: 11
Date: Thu, 26 Mar 2015 10:27:21 -0400
From: Christopher Morrow <morrowc.lists () gmail com>
To: amps () djlab com
Cc: nanog list <nanog () nanog org>
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <CAL9jLaY17-8nVwXDDs1dncU= 252pBSEFpdi1QaGXq5ZEJ-AyvA () mail gmail com>
Content-Type: text/plain; charset=UTF-8

On Thu, Mar 26, 2015 at 10:08 AM, Randy <amps () djlab com> wrote:
> On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?

is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)

> 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
>
> --
> Randy

------------------------------

Message: 12
Date: Thu, 26 Mar 2015 07:28:57 -0700
From: Jeff Richmond <jeff.richmond () gmail com>
To: "Livingood, Jason" <Jason_Livingood () cable comcast com>
Cc: "Aaron C. de Bruyn" <aaron () heyaaron com>, NANOG mailing list <nanog () nanog org>
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <006E35AD-00E6-4B61-890F-29E580CE91C9 () gmail com>
Content-Type: text/plain; charset=windows-1252

All, I have reached out to Aaron privately for details, but we do not block port 22 traffic unless it is in direct response to an attack or related item. Please let me know directly if you have any specific questions.

Thanks,
-Jeff

On Mar 26, 2015, at 7:09 AM, Livingood, Jason <Jason_Livingood () cable comcast com> wrote:
> ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list:
> http://www.frontierhelp.com/faq.cfm?qstid=277
>
> On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron () heyaaron com<mailto:aaron () heyaaron com>> wrote:
>> I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
>>
>> After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
>>
>> When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
>>
>> I called them, and got the same ridiculous excuse.
>>
>> Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
>>
>> 80 - Allows users to use Google to search for illegal files
>> 443 - Allows users to use Google to search for illegal files in a secure manner
>> 69 - Allows users to trivially transfer illegal files
>> 3389 - Allows users to connect to unlicensed Windows machines
>> 179 - Allows users to exchange routes to illegal file shares
>> 53 - Allows people to look up illegal names
>>
>> -A

------------------------------

Message: 13
Date: Thu, 26 Mar 2015 10:32:31 -0400
From: Daniel Corbe <corbe () corbe net>
To: "Livingood\, Jason" <Jason_Livingood () cable comcast com>
Cc: "Aaron C. de Bruyn" <aaron () heyaaron com>, NANOG mailing list <nanog () nanog org>
Subject: Re: Frontier: Blocking port 22 because of illegal files?
Message-ID: <874mp7hls0.fsf () corbe net>
Content-Type: text/plain; charset=utf-8

Nothing helps promote a free and open Internet more than micromanaging your users' download activity.

Not really sure how someone comes to the conclusion that nobody really *needs* ssh for anything.

"Livingood, Jason" <Jason_Livingood () cable comcast com> writes:

> ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list:
> http://www.frontierhelp.com/faq.cfm?qstid=277
>
> On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron () heyaaron com<mailto:aaron () heyaaron com>> wrote:
>> I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
>>
>> After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
>>
>> When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
>>
>> I called them, and got the same ridiculous excuse.
>>
>> Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
>>
>> 80 - Allows users to use Google to search for illegal files
>> 443 - Allows users to use Google to search for illegal files in a secure manner
>> 69 - Allows users to trivially transfer illegal files
>> 3389 - Allows users to connect to unlicensed Windows machines
>> 179 - Allows users to exchange routes to illegal file shares
>> 53 - Allows people to look up illegal names
>>
>> -A

------------------------------

Message: 14
Date: Thu, 26 Mar 2015 07:38:08 -0700
From: Randy <amps () djlab com>
To: Christopher Morrow <morrowc.lists () gmail com>
Cc: christopher.morrow () gmail com, nanog list <nanog () nanog org>
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <d9f578bfd7e75bf125e26a2911c670bb () mailbox fastserv com>
Content-Type: text/plain; charset=US-ASCII; format=flowed

On 03/26/2015 7:27 am, Christopher Morrow wrote:
> is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)

Sorry, we're 29889.

------------------------------

Message: 15
Date: Thu, 26 Mar 2015 14:43:20 +0000
From: Peter Rocca <rocca () start ca>
To: "nanog () nanog org" <nanog () nanog org>
Subject: RE: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <44c3b7398b0c46b8a842c44da3f379be@APP02.start.local>
Content-Type: text/plain; charset="us-ascii"

We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.

108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Randy
Sent: March-26-15 10:08 AM
To: nanog () nanog org
Subject: Prefix hijack by INDOSAT AS4795 / AS4761

On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?

198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889

--
Randy

------------------------------

Message: 16
Date: Thu, 26 Mar 2015 10:44:28 -0400
From: Christopher Morrow <morrowc.lists () gmail com>
To: amps () djlab com
Cc: nanog list <nanog () nanog org>
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
Message-ID: <CAL9jLaYvGYc6s4uhAqfKG+qikWSa4U3Mp= Xo6UUVfAz_4gGR9w () mail gmail com>
Content-Type: text/plain; charset=UTF-8

On Thu, Mar 26, 2015 at 10:38 AM, Randy <amps () djlab com> wrote:
> On 03/26/2015 7:27 am, Christopher Morrow wrote:
>> is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)
>
> Sorry, we're 29889.

ok, and it looks like the path you clipped is:

198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889

possibly LAIX is passing along your /24 you didn't mean them to pass on?
------------------------------ Message: 17 Date: Thu, 26 Mar 2015 10:45:09 -0400 From: Christopher Morrow <morrowc.lists () gmail com> To: Peter Rocca <rocca () start ca> Cc: "nanog () nanog org" <nanog () nanog org> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: < CAL9jLaaLxcncc4uyTKz7SuDUks4B+VjzA56NO6n_tdHRmhJsZA () mail gmail com> Content-Type: text/plain; charset=UTF-8 On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <rocca () start ca> wrote:We just received a similar alert from bgpmon - part of 108.168.0.0/17is being advertised as /20's - although we're still listed as the origin. We are 40788.108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788common point looks like LAIX ? their routeserver go crazy perhaps? or did they change in/out prefix management information?-----Original Message----- From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog () nanog org Subject: Prefix hijack by INDOSAT AS4795 / AS4761 On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us? 
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889 -- Randy------------------------------ Message: 18 Date: Thu, 26 Mar 2015 07:46:31 -0700 From: Randy <amps () djlab com> To: Christopher Morrow <morrowc.lists () gmail com> Cc: christopher.morrow () gmail com, nanog list <nanog () nanog org> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <78c55aee9b1853c827c78adb8527fafb () mailbox fastserv com> Content-Type: text/plain; charset=US-ASCII; format=flowed All, Info gathered off-list indicates this may be a couple of issues in our case - possible routing leak by 18978 (check your tables!) and more specifics on our prefixes from 4795 that we couldn't see before the leak hence the apparent hijack. -- ~Randy ------------------------------ Message: 19 Date: Thu, 26 Mar 2015 15:46:51 +0100 From: Pierre Emeriaud <petrus.lt () gmail com> To: amps () djlab com Cc: nanog () nanog org Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: < CA+PSOpyoEOAsWgQ1mzG+mLs0zrMOw35o7YTRE_R5YsSM8uCAxA () mail gmail com> Content-Type: text/plain; charset=UTF-8 Hi, 2015-03-26 15:08 GMT+01:00 Randy <amps () djlab com>:On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeingmorespecifics on one of our prefixes. Anyone else seeing similar or is itjustus? 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889We (as3215) are seeing almost the same path with 40633 18978 3257 3215, for some quite a lot of prefixes. Some alerts from bgpmon: 193.251.32.0/20 271 6939 40633 18978 3257 3215 193.251.32.0/20 271 6939 40633 18978 3257 3215 We are not directly connected to 3257. Looks like 18978 deaggregated to /20 and reannounced to 40633 (LAIX). Rgds, pierre ------------------------------ Message: 20 Date: Thu, 26 Mar 2015 23:48:12 +0900 From: "Paul S." 
<contact () winterei se> To: nanog () nanog org Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <55141C2C.40706 () winterei se> Content-Type: text/plain; charset=UTF-8; format=flowed Same here. These Indosat guys can't seem to catch a break =/ On 3/26/2015 午後 11:43, Peter Rocca wrote:We just received a similar alert from bgpmon - part of 108.168.0.0/17is being advertised as /20's - although we're still listed as the origin. We are 40788.108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788 -----Original Message----- From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog () nanog org Subject: Prefix hijack by INDOSAT AS4795 / AS4761 On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us? 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889------------------------------ Message: 21 Date: Thu, 26 Mar 2015 11:00:31 -0400 From: Chuck Anderson <cra () WPI EDU> To: nanog () nanog org Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <20150326150030.GO9776 () angus ind WPI EDU> Content-Type: text/plain; charset=us-ascii We are AS 10326 130.215.0.0/16 and I just received a BGPmon alert as well: 130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326 130.215.176.0/20 4795 4795 4761 9304 40633 18978 4436 10326 On Thu, Mar 26, 2015 at 10:45:09AM -0400, Christopher Morrow wrote:On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <rocca () start ca> wrote:We just received a similar alert from bgpmon - part of 108.168.0.0/17is being advertised as /20's - although we're still listed as the origin. 
We are 40788.108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788common point looks like LAIX ? their routeserver go crazy perhaps? or did they change in/out prefix management information?-----Original Message----- From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog () nanog org Subject: Prefix hijack by INDOSAT AS4795 / AS4761 On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us? 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889 -- Randy------------------------------ Message: 22 Date: Thu, 26 Mar 2015 16:02:00 +0100 From: Christian Teuschel <christian.teuschel () ripe net> To: nanog () nanog org Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <55141F68.9060900 () ripe net> Content-Type: text/plain; charset="windows-1252" Hi Randy, Assuming that your prefix is 198.98.180.0/22 (AS29889 - FSNET-1 - Fast Serv Networks, LLC) none of the mentioned more specifics are currently seen from the RIPE NCC's RIS network, see the Looking Glass widget: https://stat.ripe.net/198.98.180.0/23#tabId=routing https://stat.ripe.net/198.98.182.0/23#tabId=at-a-glance though there has been some BGP activity going on since 11:49:42, see the BGPlay and BGP Update Activity widget. In both cases the originating ASN was AS29889. Cheers, Christian On 26/03/15 15:46, Randy wrote:All, Info gathered off-list indicates this may be a couple of issues in our case - possible routing leak by 18978 (check your tables!) 
and more specifics on our prefixes from 4795 that we couldn't see before the leak hence the apparent hijack.-------------- next part -------------- A non-text attachment was scrubbed... Name: christian_teuschel.vcf Type: text/x-vcard Size: 342 bytes Desc: not available URL: < http://mailman.nanog.org/pipermail/nanog/attachments/20150326/9de6eabc/attachment-0001.vcf------------------------------ Message: 23 Date: Thu, 26 Mar 2015 08:53:37 -0700 From: Andree Toonk <andree+nanog () toonk nl> To: Peter Rocca <rocca () start ca> Cc: "nanog () nanog org" <nanog () nanog org> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <55142B81.9000305 () toonk nl> Content-Type: text/plain; charset=ISO-8859-1 Hi List, this morning our BGPmon system picked up many new more specific announcements by a variety of Origin ASns, the interesting part is that the majority of them were classified as BGP Man In The middle attacks (MITM). A typical alert would look like: ==================================================================== Possible BGP MITM attack (Code: 21) ==================================================================== Your prefix: 23.20.0.0/15: Prefix Description: acxiom-online.com --- Amazon EC2 IAD prefix Update time: 2015-03-26 11:27 (UTC) Detected by #peers: 24 Detected prefix: 23.21.112.0/20 Announced by: AS14618 (AMAZON-AES - Amazon.com, Inc.,US) Upstream AS: AS3257 (TINET-BACKBONE Tinet SpA,DE) ASpath: 4608 24130 7545 6939 40633 18978 3257 14618 All alerts have the following part of the AS Path is common: 40633 1897 We're still looking into the details of this particular cases, but based on past experience it's likely that it is not in fact 14618 AWS, that originated this more specific (in this example), but most likely 18978 (or 40633), which leaked it to AS40633 Los Angeles Internet exchange, where others picked it up and propagated it to their customers. In the past we've seen similar issues caused by BGP traffic optimizers. 
These devices introduce new more specifics (try to keep the ASpath in tact) for Traffic engineering purposes, and then folks leak those. A good write up of a previous example can be found here: http://www.bgpmon.net/accidentally-stealing-the-internet/ A quick scan show that this affected over 5000 prefixes and about 145 Autonomous systems. All of these appear to be more specific prefixes (which is the scary part). Cheers, Andree PS. It appears this is not related to INDOSAT, they just happen to be one of the peers that picked this up. .-- My secret spy satellite informs me that at 2015-03-26 7:43 AM Peter Rocca wrote:We just received a similar alert from bgpmon - part of 108.168.0.0/17is being advertised as /20's - although we're still listed as the origin. We are 40788.108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788 -----Original Message----- From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Randy Sent: March-26-15 10:08 AM To: nanog () nanog org Subject: Prefix hijack by INDOSAT AS4795 / AS4761 On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us? 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889------------------------------ Message: 24 Date: Thu, 26 Mar 2015 16:00:13 +0000 From: Peter Rocca <rocca () start ca> To: Andree Toonk <andree+nanog () toonk nl> Cc: "nanog () nanog org" <nanog () nanog org> Subject: RE: Prefix hijack by INDOSAT AS4795 / AS4761 Message-ID: <df223256e7294e619cf09b8697de7f28@APP02.start.local> Content-Type: text/plain; charset="us-ascii" +1 The summary below aligns with our analysis as well. 
We've reached out to AS18978 to determine the status of the leak but at this time we're not seeing any operational impact.

-----Original Message-----
From: Andree Toonk [mailto:andree+nanog () toonk nl]
Sent: March-26-15 11:54 AM
To: Peter Rocca
Cc: nanog () nanog org
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761

Hi List,

this morning our BGPmon system picked up many new more specific announcements by a variety of Origin ASns, the interesting part is that the majority of them were classified as BGP Man In The middle attacks (MITM).

A typical alert would look like:

====================================================================
Possible BGP MITM attack (Code: 21)
====================================================================
Your prefix: 23.20.0.0/15:
Prefix Description: acxiom-online.com --- Amazon EC2 IAD prefix
Update time: 2015-03-26 11:27 (UTC)
Detected by #peers: 24
Detected prefix: 23.21.112.0/20
Announced by: AS14618 (AMAZON-AES - Amazon.com, Inc.,US)
Upstream AS: AS3257 (TINET-BACKBONE Tinet SpA,DE)
ASpath: 4608 24130 7545 6939 40633 18978 3257 14618

All alerts have the following part of the AS Path is common:
40633 1897

We're still looking into the details of this particular cases, but based on past experience it's likely that it is not in fact 14618 AWS, that originated this more specific (in this example), but most likely 18978 (or 40633), which leaked it to AS40633 Los Angeles Internet exchange, where others picked it up and propagated it to their customers.

In the past we've seen similar issues caused by BGP traffic optimizers. These devices introduce new more specifics (try to keep the ASpath intact) for Traffic engineering purposes, and then folks leak those. A good write up of a previous example can be found here:
http://www.bgpmon.net/accidentally-stealing-the-internet/

A quick scan shows that this affected over 5000 prefixes and about 145 Autonomous systems.
All of these appear to be more specific prefixes (which is the scary part).

Cheers,
Andree

PS. It appears this is not related to INDOSAT, they just happen to be one of the peers that picked this up.

.-- My secret spy satellite informs me that at 2015-03-26 7:43 AM Peter Rocca wrote:

We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.

108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Randy
Sent: March-26-15 10:08 AM
To: nanog () nanog org
Subject: Prefix hijack by INDOSAT AS4795 / AS4761

On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?

198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889

------------------------------

Message: 25
Date: Thu, 26 Mar 2015 12:09:10 -0400
From: Shawn L <shawnl () up net>
To: nanog <nanog () nanog org>
Subject: Charter Engineer
Message-ID: <CACTmXQVgzXydseLNrAcCZtt+sXS1_LSrGqJca=+ ep9GS2Kc+AA () mail gmail com>
Content-Type: text/plain; charset=UTF-8

Could a Charter engineer with familiarity with Michigan contact me off-list? We have a mutual client who's having issues communicating between sites.
Thanks

------------------------------

Message: 26
Date: Thu, 26 Mar 2015 09:14:25 -0700
From: Randy <amps () djlab com>
To: Peter Rocca <rocca () start ca>
Cc: nanog () nanog org
Subject: RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]
Message-ID: <fd455d84899cd5dfe3a4ff9169addcf3 () mailbox fastserv com>
Content-Type: text/plain; charset=US-ASCII; format=flowed

On 03/26/2015 9:00 am, Peter Rocca wrote:

+1 The summary below aligns with our analysis as well. We've reached out to AS18978 to determine the status of the leak but at this time we're not seeing any operational impact.

+2, after the morning coffee sunk in and helpful off list replies I can finally see it's probably not INDOSAT involved at all.

FYI, the more specifics are still active:

2015-03-26 13:56:11 Update AS4795 ID 198.98.180.0/23 4795 4795 4761 9304 40633 18978 6939 29889 Active
2015-03-26 13:56:11 Update AS4795 ID 198.98.182.0/23 4795 4795 4761 9304 40633 18978 6939 29889 Active

--
~Randy

End of NANOG Digest, Vol 86, Issue 27
*************************************
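The check discussed in the digest above, as an added example that is not part of the original messages and not BGPmon's own code: it flags announcements that are strictly more specific than a monitored prefix even when the origin AS is unchanged, then extracts the AS-path segment shared by every flagged route. Prefixes and paths are copied from the alerts quoted in the thread except the one marked constructed; the function names are illustrative.

```python
import ipaddress

# Covering prefixes and their expected origin AS, as stated in the thread.
MONITORED = {"23.20.0.0/15": 14618, "108.168.0.0/17": 40788}

# (prefix, AS path) pairs: first three quoted in the thread, last one constructed.
OBSERVED = [
    ("23.21.112.0/20", "4608 24130 7545 6939 40633 18978 3257 14618"),
    ("108.168.64.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("108.168.80.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("108.168.0.0/17", "64500 6939 40788"),  # constructed: normal exact-match route
]

def find_more_specifics(monitored, observed):
    """Return (prefix, covering, path, origin_ok) for routes strictly inside a monitored prefix."""
    hits = []
    for prefix, path_text in observed:
        net = ipaddress.ip_network(prefix)
        path = [int(asn) for asn in path_text.split()]
        for cover_text, origin in monitored.items():
            cover = ipaddress.ip_network(cover_text)
            if net != cover and net.subnet_of(cover):
                hits.append((prefix, cover_text, path, path[-1] == origin))
    return hits

def contains(path, seg):
    """True if seg appears as a contiguous run inside path."""
    return any(path[k:k + len(seg)] == seg for k in range(len(path) - len(seg) + 1))

def common_segment(paths):
    """Longest contiguous run of ASNs present in every path."""
    if not paths:
        return []
    first, best = paths[0], []
    for i in range(len(first)):
        for j in range(i + 1, len(first) + 1):
            seg = first[i:j]
            if len(seg) > len(best) and all(contains(p, seg) for p in paths):
                best = seg
    return best

if __name__ == "__main__":
    hits = find_more_specifics(MONITORED, OBSERVED)
    for prefix, cover, path, origin_ok in hits:
        print(f"{prefix} inside {cover}, origin {'matches' if origin_ok else 'DIFFERS'}")
    print("common AS-path segment:", common_segment([h[2] for h in hits]))
```

Because the origin AS matches on every flagged route, an origin-only check would pass them; the prefix-length comparison and the shared path segment are what expose the leak.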
Current thread:
- Level 3 Outage Debottym Mukherjee (Mar 27)
- RE: Level 3 Outage Frank Bulk (Mar 27)