Re: Validating possible BGP MITM attack

[Andy Litzinger <andy.litzinger.lists () gmail com>]

FYI - I did get a response back from BGPMon- they concur with Job:

"Hi Andy,

unfortunately we had a peer sending us a polluted BGP views. Most likely
using a BGP optimizer that is making up new paths.
We've reached out to 131477 and dropped the session with them.

This was most likely 131477 making up the paths. And not seen wider on the
Internet.

We'll work on making sure that cases like this will not cause bgpmon alerts
going forward, by detecting these false alerts better."

-andy

On Thu, Aug 31, 2017 at 7:01 AM, Andy Litzinger <
andy.litzinger.lists () gmail com> wrote:

> Hello,
>  we use BGPMon.net to monitor our BGP announcements.  This morning we
> received two possible BGP MITM alerts for two of our prefixes detected by a
> single BGPMon probe located in China.  I've reached out to BGPMon to see
> how much credence I should give to an alert from a single probe location,
> but I'm interested in community feedback as well.
>
> The alert detailed that one of our /23 prefixes has been broken into /24
> specifics and the AS Path shows a peering relationship with us that does
> not exist:
> 131477(Shanghai Huajan) 38478(Sunny Vision LTD) 3491(PCCW Global) 14042
> (me)
>
> We do not peer directly with PCCW Global.  I'm going to reach out to them
> directly to see if they may have done anything by accident, but presuming
> they haven't and the path is spoofed, can I prove that?  How can I detect
> if traffic is indeed swinging through that hijacked path? How worried
> should I be and what are my options for resolving the situation?
>
> thanks!
>  -andy