nanog mailing list archives

Re: [renesys] The New Threat: Targeted Internet Traffic Misdirection


From: Stephane Bortzmeyer <bortzmeyer () nic fr>
Date: Tue, 26 Nov 2013 22:09:24 +0100

On Wed, Nov 20, 2013 at 01:54:00PM -0500,
 Christopher Morrow <morrowc.lists () gmail com> wrote 
 a message of 11 lines which said:

> someone has already parsed out all route announcements from
> ris/routeviews for the 2 specific incidents in question in the
> article? and posted the contents somewhere for review? I didn't see
> Renesys do that :(

Indeed. But the data is public. Let's use RouteViews. Renesys gave us
the exact time (0736 UTC) and the origin AS. From the time, let's find
the relevant RouteViews file, whose URL is made of date and time:

ftp://archive.routeviews.org/route-views.linx/bgpdata/2013.07/UPDATES/updates.20130731.0730.bz2

Download, bunzip2, bgpdump to translate the MRT to text, then
Control-S in emacs to find announcements by AS 48685. And here it is:

TIME: 07/31/13 07:36:46
TYPE: BGP4MP/MESSAGE/Update
FROM: 195.66.236.35 AS6067
TO: 195.66.237.222 AS6447
ORIGIN: IGP
ASPATH: 6067 6677 48685
NEXT_HOP: 195.66.236.35
ANNOUNCE
  64.81.96.0/24
  64.81.97.0/24
  64.81.101.0/24
  64.81.103.0/24
  64.81.110.0/24
  64.81.112.0/24
  64.81.113.0/24
  64.81.115.0/24
  64.81.116.0/24
  64.81.122.0/24
  64.81.125.0/24
  64.81.127.0/24
  64.81.161.0/24
  64.81.162.0/24
  64.81.163.0/24
  64.81.164.0/24
  64.81.166.0/24
  64.81.167.0/24
  64.81.169.0/24
  64.81.170.0/24
  64.81.171.0/24
  64.81.172.0/24
  64.81.177.0/24
  64.81.192.0/19
  64.81.199.0/24
  64.81.203.0/24
  64.81.204.0/24
  64.81.205.0/24
  64.81.208.0/24
  64.81.209.0/24
  64.81.212.0/24
  64.81.214.0/24
  64.105.6.0/23
  64.105.14.0/23
  64.105.20.0/23
  64.105.24.0/21
  64.105.32.0/21
  64.105.52.0/23
  64.105.54.0/23
  64.105.56.0/23
  64.105.58.0/23
  64.105.60.0/23
  64.105.62.0/23
  64.105.66.0/23
  64.105.70.0/23
  64.105.72.0/21
  64.105.82.0/23
  64.105.88.0/21
  64.105.114.0/23
  64.105.128.0/21
  64.105.144.0/21
  64.105.160.0/23
  64.105.162.0/23
  64.105.176.0/23
  64.105.180.0/22
  64.105.192.0/23
  64.105.194.0/23
  64.105.202.0/23
  64.105.210.0/23
  64.105.212.0/23
  64.105.218.0/23
  64.105.220.0/23
  64.105.226.0/23
  64.105.230.0/23
  64.105.240.0/23
  64.105.242.0/23
  64.105.244.0/22
  64.105.252.0/23
  66.92.20.0/24
  66.92.22.0/24
  66.92.46.0/24
  66.92.52.0/22
  66.92.64.0/19
  66.92.99.0/24
  66.92.100.0/24
  66.92.106.0/24
  66.92.144.0/24
  66.92.145.0/24
  66.92.147.0/24
  66.92.149.0/24
  66.92.152.0/24
  66.92.159.0/24
  66.92.160.0/24
  66.92.161.0/24
  66.92.162.0/24
  66.92.176.0/23
  66.92.213.0/24
  66.92.215.0/24
  66.92.224.0/20
  66.92.240.0/23
  66.92.241.0/24
  66.93.24.0/24
  66.93.25.0/24
  66.93.38.0/24
  66.93.39.0/24
  66.93.40.0/24
  66.93.49.0/24
  66.93.56.0/24
  66.93.59.0/24
  66.93.62.0/24
  66.93.74.0/24
  66.93.81.0/24
  66.93.82.0/24
  66.93.83.0/24
  66.93.84.0/23
  66.93.88.0/22
  66.93.99.0/24
  66.93.100.0/24
  66.93.103.0/24
  66.93.106.0/24
  66.93.107.0/24
  66.93.115.0/24
  66.93.168.0/23
  66.93.174.0/24
  66.93.176.0/23
  66.93.214.0/24
  66.93.216.0/24
  66.93.216.0/21
  66.93.224.0/24
  66.93.224.0/22
  66.93.228.0/24
  66.93.232.0/22
  66.93.240.0/24
  66.93.241.0/24
  66.93.242.0/24
  66.93.243.0/24
  66.93.244.0/24
  66.93.246.0/24
  66.93.248.0/24
  66.93.251.0/24
  66.93.252.0/23
  66.134.2.0/23
  66.134.18.0/23
  66.134.36.0/23
  66.134.38.0/23
  66.134.40.0/21
  66.134.48.0/21
  66.134.58.0/23
  66.134.60.0/23
  66.134.64.0/21
  66.134.76.0/23
  66.134.78.0/23
  66.134.98.0/23
  66.134.106.0/23
  66.134.116.0/23
  66.134.118.0/23
  66.134.136.0/21
  66.134.150.0/23
  66.134.152.0/21
  66.134.168.0/21
  66.134.176.0/23
  66.134.178.0/23
  66.134.182.0/23
  66.134.184.0/21
  66.134.208.0/21
  66.134.216.0/23
  66.134.220.0/23
  66.134.224.0/21
  66.134.232.0/21
  66.134.240.0/21
  66.166.10.0/23
  66.166.46.0/23
  66.166.64.0/21
  66.166.94.0/23
  66.166.112.0/23
  66.166.114.0/23
  66.166.136.0/23
  66.166.138.0/23
  66.166.144.0/21
  66.166.160.0/23
  66.166.162.0/23
  66.166.176.0/23
  66.166.180.0/23
  66.166.184.0/23
  66.166.200.0/21
  66.166.216.0/21
  66.166.244.0/23
  66.166.246.0/23
  66.166.248.0/23
  66.166.254.0/23
  66.167.0.0/21
  66.167.10.0/23
  66.167.26.0/23
  66.167.32.0/21
  66.167.50.0/23
  66.167.60.0/23
  66.167.62.0/23
  66.167.64.0/21
  66.167.72.0/21
  66.167.80.0/21
  66.167.96.0/21
  66.167.104.0/21
  66.167.118.0/23
  66.167.136.0/22
  66.167.152.0/21
  66.167.170.0/23
  66.167.176.0/21
  66.167.196.0/23
  66.167.208.0/23
  66.167.216.0/21
  66.167.224.0/21
  66.167.252.0/23
  66.167.254.0/23
  66.253.10.0/24
  66.253.20.0/24
  66.253.21.0/24
  66.253.22.0/24
  66.253.28.0/22
  66.253.40.0/22
  66.253.44.0/24
  66.253.45.0/24
  66.253.46.0/24
  66.253.47.0/24
  66.253.52.0/22
  66.253.56.0/24
  66.253.81.0/24
  66.253.82.0/24
  66.253.83.0/24
  66.253.84.0/24
  66.253.92.0/24
  66.253.93.0/24
  66.253.118.0/24
  67.100.0.0/23
  67.100.4.0/23
  67.100.48.0/21
  67.100.56.0/21
  67.100.72.0/21
  67.100.80.0/21
  67.100.96.0/21
  67.100.104.0/21
  67.100.112.0/21
  67.100.124.0/22
  67.100.128.0/23
  67.100.136.0/23
  67.100.138.0/23
  67.100.144.0/21
  67.100.168.0/21
  67.100.184.0/21
  67.100.192.0/21
  67.100.220.0/23
  67.101.14.0/23
  67.101.16.0/21
  67.101.72.0/21
  67.101.92.0/23
  67.101.94.0/23
  67.101.124.0/22
  67.101.128.0/21
  67.101.140.0/23
  67.101.142.0/23
  67.101.152.0/21
  67.101.176.0/21
  67.101.192.0/21
  67.101.200.0/21
  67.101.224.0/23
  67.101.230.0/23
  67.101.240.0/21
  67.101.248.0/21
  67.102.0.0/21
  67.102.8.0/23
  67.102.32.0/21
  67.102.40.0/21
  67.102.48.0/21
  67.102.60.0/23
  67.102.96.0/21
  67.102.112.0/21
  67.102.120.0/23
  67.102.124.0/23
  67.102.144.0/21
  67.102.152.0/21
  67.102.166.0/23
  67.102.168.0/21
  67.102.176.0/21
  67.102.200.0/21
  67.102.234.0/23
  67.102.240.0/21
  67.102.248.0/21
  67.103.0.0/21
  67.103.8.0/21
  67.103.24.0/21
  67.103.64.0/21
  67.103.102.0/23
  67.103.110.0/23
  67.103.112.0/21
  67.103.160.0/23
  67.103.162.0/23
  67.103.192.0/21
  67.103.200.0/23
  67.103.202.0/23
  67.103.226.0/23
  67.103.250.0/23
  67.103.252.0/23
  67.103.254.0/23
  68.164.24.0/21
  68.164.32.0/21
  68.164.44.0/23
  68.164.78.0/23
  68.164.80.0/20
  68.164.96.0/21
  68.164.126.0/23
  68.164.160.0/21
  68.164.192.0/21
  68.164.208.0/23

These addresses have no relationship with Iceland, so we can say it's a
hijacking. But do note there is no AS prepending in the announcement (the
trick described by Kapela & Pilosov to create a clean return path).

Finding the other announcements in RouteViews is left as an exercise
(hint: use a RouteViews collector close to the announcement, here in
England, because the hijacking announcement did not propagate everywhere).

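The procedure in the message (pick the UPDATES file by time, turn the MRT into text with bgpdump, search for the origin AS, then look at the prefixes and the path) as a small script. This is an added example, not code from the post or from Renesys/RouteViews. It assumes RouteViews publishes UPDATES files in 15-minute windows named by the window start in UTC (which is why 07:36 is in the .0730 file), it parses bgpdump's default multi-line text rather than running bgpdump, and SAMPLE, EXPECTED_FOR_48685 and the second record (private ASN 64500, documentation prefix) are constructed placeholders, not data from the incident.

```python
"""Offline triage of a RouteViews UPDATES dump, as described in the message.
Added example, not code from the post: builds the UPDATES URL from a UTC time,
parses bgpdump's default multi-line output, selects announcements by origin AS
and flags prefixes that AS should not hold plus any path prepending. SAMPLE is
constructed: the real record header with three of its prefixes, then one
made-up record (private ASN, documentation prefix) for contrast."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

EXAMPLE_TIME = datetime(2013, 7, 31, 7, 36, 46, tzinfo=timezone.utc)  # 0736 UTC
EXPECTED_FOR_48685 = ["192.0.2.0/24"]  # placeholder, not the AS's real allocation

def routeviews_update_url(collector, when):
    """Files cover 15-minute windows named by the window start (UTC)."""
    start = when.replace(minute=when.minute - when.minute % 15, second=0)
    return (f"ftp://archive.routeviews.org/{collector}/bgpdata/"
            f"{start:%Y.%m}/UPDATES/updates.{start:%Y%m%d.%H%M}.bz2")

@dataclass
class Update:
    time: str = ""
    peer: str = ""                    # FROM: collector peer address and AS
    as_path: list = field(default_factory=list)
    announce: list = field(default_factory=list)
    withdraw: list = field(default_factory=list)

    @property
    def origin_as(self):
        return self.as_path[-1] if self.as_path else None

    def has_prepending(self):
        """Same AS twice in a row. A Kapela/Pilosov return-path prepend would
        instead show as extra transit ASes ahead of the origin."""
        return any(a == b for a, b in zip(self.as_path, self.as_path[1:]))

def parse_bgpdump(text):
    """Blank-line separated records of 'KEY: value' lines, then ANNOUNCE /
    WITHDRAW headers with indented prefixes. AS sets {...} are skipped."""
    records, cur, section = [], None, None
    for line in text.splitlines():
        if not line.strip():
            if cur is not None:
                records.append(cur)
            cur, section = None, None
            continue
        if cur is None:
            cur = Update()
        if line.startswith(" "):          # indented prefix under a section
            if section:
                getattr(cur, section).append(line.strip())
        elif line in ("ANNOUNCE", "WITHDRAW"):
            section = line.lower()
        else:
            key, _, value = line.partition(": ")
            if key == "TIME":
                cur.time = value
            elif key == "FROM":
                cur.peer = value
            elif key == "ASPATH":
                cur.as_path = [int(t) for t in value.split() if t.isdigit()]
    if cur is not None:
        records.append(cur)
    return records

def unexpected_prefixes(update, expected):
    """Announced prefixes outside every network the origin should hold
    (in practice its RIR allocations or ROAs)."""
    nets = [ipaddress.ip_network(n) for n in expected]
    return [p for p in update.announce
            if not any(ipaddress.ip_network(p).subnet_of(n) for n in nets
                       if n.version == ipaddress.ip_network(p).version)]

def triage(text, origin_as, expected):
    """(time, peer, unexpected prefixes, prepended?) per announcement from
    origin_as that carries at least one unexpected prefix."""
    out = []
    for u in parse_bgpdump(text):
        bad = unexpected_prefixes(u, expected) if u.origin_as == origin_as else []
        if bad:
            out.append((u.time, u.peer, bad, u.has_prepending()))
    return out

SAMPLE = """\
TIME: 07/31/13 07:36:46
TYPE: BGP4MP/MESSAGE/Update
FROM: 195.66.236.35 AS6067
TO: 195.66.237.222 AS6447
ORIGIN: IGP
ASPATH: 6067 6677 48685
NEXT_HOP: 195.66.236.35
ANNOUNCE
  64.81.96.0/24
  64.81.97.0/24
  64.81.192.0/19

TIME: 07/31/13 07:36:47
FROM: 195.66.236.35 AS6067
ASPATH: 6067 64500 64500 64500
ANNOUNCE
  198.51.100.0/24
"""

if __name__ == "__main__":
    print(routeviews_update_url("route-views.linx", EXAMPLE_TIME))
    print(triage(SAMPLE, 48685, EXPECTED_FOR_48685))
```

On a real file, replace SAMPLE with the output of `bgpdump updates.20130731.0730` and EXPECTED_FOR_48685 with the prefixes the origin actually holds (RIR allocations, or ROAs if you want the RPKI view); the "prepended" flag only catches an origin or transit repeating itself, which is the one thing a single collector can see.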