nanog mailing list archives
Re: Validating possible BGP MITM attack
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 31 Aug 2017 13:47:09 -0400
On Thu, Aug 31, 2017 at 1:23 PM, Steve Feldman <feldman () twincreeks net> wrote:
Interesting. We also got similar BGPMon alerts about disaggregated portions of a couple of our prefixes. I didn't see any of the bad prefixes in route-views, though. The AS paths in the alerts started with "131477 38478 ..." and looked valid after that. Job's suggestion would explain that.
Looking back at a bunch of historical route leak incidents... they often seem to be this sort of thing :( I think I normally term them "internap box problems". I think internap doesn't even really sell that product anymore though :( so now I'll call them 'noction problems' instead I guess. Lack of outbound route filtering can be painful yo!
Steve
On Aug 31, 2017, at 10:01 AM, Job Snijders <job () instituut net> wrote:
Hi Andy,
It smells like someone in 38478 or 131477 is using Noction or some other BGP "optimizer" that injects hijacks for the purpose of traffic engineering. :-(
Kind regards,
Job
On Thu, 31 Aug 2017 at 19:38, Andy Litzinger <andy.litzinger.lists () gmail com> wrote:
Hello,
we use BGPMon.net to monitor our BGP announcements. This morning we received two possible BGP MITM alerts for two of our prefixes detected by a single BGPMon probe located in China. I've reached out to BGPMon to see how much credence I should give to an alert from a single probe location, but I'm interested in community feedback as well.
The alert detailed that one of our /23 prefixes has been broken into /24 specifics and the AS Path shows a peering relationship with us that does not exist:
131477 (Shanghai Huajan) 38478 (Sunny Vision LTD) 3491 (PCCW Global) 14042 (me)
We do not peer directly with PCCW Global. I'm going to reach out to them directly to see if they may have done anything by accident, but presuming they haven't and the path is spoofed, can I prove that? How can I detect if traffic is indeed swinging through that hijacked path? How worried should I be and what are my options for resolving the situation?
thanks!
-andy
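As an added example, not written by anyone in this thread, here is a small Python triage of alerts like Andy's: it flags a more-specific of one of our own prefixes and a path in which the AS adjacent to our origin is not one of our real neighbours, which is the pattern Job attributes to a BGP "optimizer". OUR_ASN is the thread's 14042; the prefix and the neighbour ASNs 64496/64497 are constructed placeholders.

```python
import ipaddress

# Constructed sample, modelled on the alert described in the thread: the
# operator's /23 (placeholder address) shows up as a /24 with a path whose
# hop next to the origin is not a known neighbour. All values are examples.
OUR_ASN = 14042
OUR_PREFIXES = ["192.0.2.0/23"]
KNOWN_NEIGHBORS = {64496, 64497}   # hypothetical upstreams/peers of OUR_ASN
SAMPLE_ALERTS = [
    {"prefix": "192.0.2.0/24", "as_path": [131477, 38478, 3491, 14042]},
    {"prefix": "192.0.2.0/23", "as_path": [131477, 38478, 64496, 14042]},
]


def analyze_alert(alert, our_asn=OUR_ASN, our_prefixes=OUR_PREFIXES,
                  known_neighbors=KNOWN_NEIGHBORS):
    """Return finding codes for one alert; an empty list means it looks legitimate."""
    findings = []
    seen = ipaddress.ip_network(alert["prefix"])
    path = alert["as_path"]
    covering = [p for p in map(ipaddress.ip_network, our_prefixes)
                if p.version == seen.version and seen.subnet_of(p)]
    if not covering:
        return ["not_our_prefix"]
    # Disaggregation: a more-specific of our block wins on longest match,
    # so it attracts traffic even while our own /23 is still announced.
    if seen.prefixlen > max(p.prefixlen for p in covering):
        findings.append("more_specific")
    # A wrong origin is a classic hijack; a correct origin with an unknown
    # AS adjacent to it matches the "optimizer" pattern described above.
    if path[-1] != our_asn:
        findings.append("unexpected_origin")
    elif len(path) >= 2 and path[-2] not in known_neighbors:
        findings.append("unknown_neighbor")
    return findings


def triage(alerts):
    """Map each alerted prefix to its findings, keeping only suspicious alerts."""
    result = {}
    for alert in alerts:
        findings = analyze_alert(alert)
        if findings:
            result[alert["prefix"]] = findings
    return result
```

A finding of "unknown_neighbor" does not by itself prove the path is spoofed; it is the cue to check the adjacency with the named AS and with looking-glass data, as the thread suggests.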