Re: Validating possible BGP MITM attack

[Steve Feldman <feldman () twincreeks net>]

Interesting.  We also got similar BGPMon alerts about disaggregated portions of couple of our prefixes. I didn't see 
any of the bad prefixes in route-views, though.

The AS paths in the alerts started with "131477 38478 ..." and looked valid after that.  Job's suggestion would explain 
that.

     Steve

> On Aug 31, 2017, at 10:01 AM, Job Snijders <job () instituut net> wrote:
>
> Hi Andy,
>
> It smells like someone in 38478 or 131477 is using Noction or some other
> BGP "optimizer" that injects hijacks for the purpose of traffic
> engineering. :-(
>
> Kind regards,
>
> Job
>
> On Thu, 31 Aug 2017 at 19:38, Andy Litzinger <andy.litzinger.lists () gmail com>
> wrote:
>
> > Hello,
> > we use BGPMon.net to monitor our BGP announcements.  This morning we
> > received two possible BGP MITM alerts for two of our prefixes detected by a
> > single BGPMon probe located in China.  I've reached out to BGPMon to see
> > how much credence I should give to an alert from a single probe location,
> > but I'm interested in community feedback as well.
> >
> > The alert detailed that one of our /23 prefixes has been broken into /24
> > specifics and the AS Path shows a peering relationship with us that does
> > not exist:
> > 131477(Shanghai Huajan) 38478(Sunny Vision LTD) 3491(PCCW Global) 14042
> > (me)
> >
> > We do not peer directly with PCCW Global.  I'm going to reach out to them
> > directly to see if they may have done anything by accident, but presuming
> > they haven't and the path is spoofed, can I prove that?  How can I detect
> > if traffic is indeed swinging through that hijacked path? How worried
> > should I be and what are my options for resolving the situation?
> >
> > thanks!
> > -andy