nanog mailing list archives

Re: Rogue objects in routing databases

From: Job Snijders <job () ntt net>
Date: Sat, 25 Jan 2020 00:56:45 +0000

Hi!

This came up on our radar somewhere in the last 24 hours too. It indeed
does look very curious. Thank you for your analysis and report.

NTT is taking steps to figure out what is behind this. Our current
working theories are that perhaps the IRR maintainer account was
compromised, or some kind of automation script gone rogue, or perhaps
there is adverserial intent and this is stage setting.

I'm not sure we will be able to report our findings back to this group,
but we are actively investigating.

Kind regards,

Job

On Sat, Jan 25, 2020 at 12:06:51AM +0100, Florian Brandstetter wrote:

It appears that there is currently an influx of rogue route
objects created within the NTTCOM and RaDB IRR databases, in
connection to Quadranet (AS8100) and China Mobile
International (CMI).

Examples of affected networks are:

193.30.32.0/23
45.129.92.0/23
45.129.94.0/24

Networks, which have seemingly no affiliation with
Quadranet, nor China Mobile International (CMI), which
merely appears to be an upstream of Quadranet and hence
creates the route objects in an automated manner.

Another person has already reached out to Quadranet to find
out the root cause of the creation of these objects. Their
support gave an ETA of 24-72 hours.

The route objects are all identical:

route:      193.30.32.0/23
descr:      CMI  (Customer Route)
origin:     AS8100
mnt-by:     MAINT-AS58453
changed:    qas_support () cmi chinamobile com 20200117
source:     RADB

There appears to be a correlation with the affected
networks, a fair share of them is part of AS-SBAG, which in
turn is part of AS-VMHAUS, which in turn is part of AS-
QUADRANET and could yield the importing of these prefixes.
AS-VMHAUS appears to be a customer of Quadranet, listed
within AS-QUADRANET-CUSTOMER-ASSET.

These networks do however have no direct connection to
Quadranet, and are not affiliated with Quadranet, nor are
currently connected to Quadranet, which, entirely ignoring
that the `origin` points to Quadranet, makes the route
object illicit.

Basically this has given AS8100, whether that be
legitimately Quadranet, or somebody impersonating/spinning
up a rogue AS8100, theoretical control over a massive amount
of prefixes, as these can be advertised without restrictions
and very likely reach a fairly high percentage of global
visibility.

--
Florian Brandstetter
President & Founder
SquareFlow Network LTD.

Current thread:

Rogue objects in routing databases Florian Brandstetter (Jan 24)
- Re: Rogue objects in routing databases Job Snijders (Jan 24)
- Re: Rogue objects in routing databases Martijn Schmidt via NANOG (Jan 24)
  - Re: Rogue objects in routing databases Florian Brandstetter (Jan 25)
- Re: Rogue objects in routing databases Stephane Bortzmeyer (Jan 27)
  - Re: Rogue objects in routing databases Florian Brandstetter (Jan 27)