Re: Validating possible BGP MITM attack

[Job Snijders <job () instituut net>]

Hi Andy,

It smells like someone in 38478 or 131477 is using Noction or some other
BGP "optimizer" that injects hijacks for the purpose of traffic
engineering. :-(

Kind regards,

Job

On Thu, 31 Aug 2017 at 19:38, Andy Litzinger <andy.litzinger.lists () gmail com>
wrote:

> Hello,
>  we use BGPMon.net to monitor our BGP announcements.  This morning we
> received two possible BGP MITM alerts for two of our prefixes detected by a
> single BGPMon probe located in China.  I've reached out to BGPMon to see
> how much credence I should give to an alert from a single probe location,
> but I'm interested in community feedback as well.
>
> The alert detailed that one of our /23 prefixes has been broken into /24
> specifics and the AS Path shows a peering relationship with us that does
> not exist:
> 131477(Shanghai Huajan) 38478(Sunny Vision LTD) 3491(PCCW Global) 14042
> (me)
>
> We do not peer directly with PCCW Global.  I'm going to reach out to them
> directly to see if they may have done anything by accident, but presuming
> they haven't and the path is spoofed, can I prove that?  How can I detect
> if traffic is indeed swinging through that hijacked path? How worried
> should I be and what are my options for resolving the situation?
>
> thanks!
>  -andy