nanog mailing list archives

Re: Dreamhost/AS26347 unauthorized bgp announcement


From: Kenneth McRae <kenneth.mcrae () dreamhost com>
Date: Wed, 6 Mar 2013 09:19:46 -0800

Hi Guys,

Sorry to see this come up again.  We are not announcing the prefix in
question.  I am happy to work with you to investigate.

dh_admin@gar-bdr-01> show route advertising-protocol bgp 206.223.143.122

inet.0: 447113 destinations, 1801741 routes (447105 active, 8 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 64.111.96.0/19          Self                                    I
* 66.33.192.0/19          Self                                    I
* 66.33.197.0/24          Self                 6                  I
* 67.205.0.0/18           Self                                    I
* 69.163.128.0/17         Self                                    I
* 75.119.192.0/19         Self                                    I
* 173.236.128.0/17        Self                                    I
* 205.196.208.0/20        Self                                    I
* 208.97.128.0/18         Self                                    I
* 208.113.128.0/17        Self                                    I
* 208.113.200.0/24        Self                 6                  I

Best,


Kenneth

{master}
dh_admin@gar-bdr-01>

On Wed, Mar 6, 2013 at 8:11 AM, Job Snijders <job.snijders () atrato com> wrote:

Hi all,

I tried contacting Coresite/Any2 to have somebody login to the routeserver
and doublecheck which peer is actually announcing this NLRI. Because there
is a remote possibility that the route-server is being manipulated by a
third party and dreamhost is a victim here.

After the usual hurdles like "What is your circuit ID?" "Without a
workorder I cannot login to the routeserver!" and "5580? that can't be an
AS number" I unfortunately got nowhere so I still don't know who exactly
announced these prefixes to the route-server.

As of now the announcements for the more specifics seem to be gone.

Can anybody (preferably from Any2 or Dreamhost) shed more light on this
matter?

Kind regards,

Job

On Mar 6, 2013, at 2:43 PM, Drew Weaver <drew.weaver () thenap com> wrote:

They're doing this to our routes in any2 in LA as well.

...



-----Original Message-----
From: Job Snijders [mailto:job.snijders () atrato com]
Sent: Wednesday, March 06, 2013 4:04 AM
To: Matsuzaki Yoshinobu
Cc: nanog () nanog org
Subject: Re: Dreamhost/AS26347 unauthorized bgp announcement

Hi Mat,

I see the same thing, we learn the prefix from the route-server in LAX:

telnet () r1 lax1 us>show ip bgp routes detail 90.201.80.0/20
Number of BGP Routes matching display condition : 1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
      E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH
      S:SUPPRESSED F:FILTERED s:STALE
1       Prefix: 90.201.80.0/20,  Status: BE,  Age: 0h22m15s
        NEXT_HOP: 206.223.143.83, Metric: 0, Learned from Peer: 206.223.143.253 (19996)
         LOCAL_PREF: 400,  MED: none,  ORIGIN: incomplete,  Weight: 0
        AS_PATH: 26347
           COMMUNITIES: 5580:12431
           Adj_RIB_out count: 18,  Admin distance 20
      Last update to IP routing table: 0h22m15s, 1 path(s) installed:

Kind regards,

Job

On Mar 6, 2013, at 9:59 AM, Matsuzaki Yoshinobu <maz () iij ad jp> wrote:

According to RIPE RIS, AS26347 announced a bunch of prefixes again.
- http://www.ris.ripe.net/dashboard/26347

First suspicious announcement was started 2013-03-06 07:52:40 UTC, and
last seen 2013-03-06 08:33:56 UTC.  195 prefixes total.

It seems these unauthorized announcements have the same profile as
before - AS26347 shrinks the prefix length of their received prefix
somehow up to /20, and re-originates the prefix with origin AS26347.

Any known bugs?

Regards,
-----
Matsuzaki Yoshinobu <maz () iij ad jp>
- IIJ/AS2497  INOC-DBA: 2497*629


--
AS5580 - Atrato IP Networks
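
The pattern reported in this thread (more-specifics of received prefixes, re-originated with a different origin AS) can be checked mechanically against a table of expected origins. The following is an added example, not part of the original messages; the baseline table, the observed feed and the function name `find_reoriginated` are constructed for illustration and use private address space and documentation AS numbers.

```python
import ipaddress

# Constructed baseline: prefixes and the origin AS expected for each
# (private address space and documentation ASNs, not data from the thread).
BASELINE = {
    "10.32.0.0/12": 64500,
    "172.16.0.0/14": 64501,
    "192.168.0.0/17": 64502,
}

# Constructed route-server feed: (prefix, AS path, origin AS last).
OBSERVED = [
    ("10.32.0.0/12", [64499, 64500]),   # legitimate, unchanged
    ("10.37.80.0/20", [64511]),         # more-specific, different origin
    ("172.18.16.0/20", [64511]),        # more-specific, different origin
    ("192.168.0.0/17", [64502]),        # legitimate
    ("192.168.64.0/20", [64502]),       # more-specific, same origin (deaggregation)
    ("198.18.0.0/15", [64511]),         # not covered by the baseline
]


def find_reoriginated(baseline, observed):
    """Return alerts for announcements that are strictly more specific than a
    baseline prefix and whose origin AS differs from the expected origin.
    Exact-length origin conflicts are a separate check and are not flagged."""
    known = [(ipaddress.ip_network(p), asn) for p, asn in baseline.items()]
    alerts = []
    for prefix, as_path in observed:
        net = ipaddress.ip_network(prefix)
        origin = as_path[-1]  # the origin AS is the last AS in the path
        covering = [(k, asn) for k, asn in known
                    if k.version == net.version and net.subnet_of(k)]
        if not covering:
            continue
        # Compare against the longest covering baseline prefix.
        cover, expected = max(covering, key=lambda c: c[0].prefixlen)
        if net.prefixlen > cover.prefixlen and origin != expected:
            alerts.append({"prefix": prefix, "origin": origin,
                           "covering": str(cover), "expected_origin": expected,
                           "path_len": len(as_path)})
    return alerts


if __name__ == "__main__":
    for alert in find_reoriginated(BASELINE, OBSERVED):
        print(alert)
```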



