[161255] in North American Network Operators' Group


Re: Dreamhost/AS26347 unauthorized bgp announcement

daemon@ATHENA.MIT.EDU (Job Snijders)
Wed Mar 6 11:12:13 2013

From: Job Snijders <job.snijders@atrato.com>
In-Reply-To: <F3318834F1F89D46857972DD4B411D7005C23FED8D@exchange>
Date: Wed, 6 Mar 2013 17:11:32 +0100
To: Drew Weaver <drew.weaver@thenap.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hi all,

I tried contacting Coresite/Any2 to have somebody login to the routeserver and doublecheck
which peer is actually announcing this NLRI. Because there is a remote possibility that the
route-server is being manipulated by a third party and dreamhost is a victim here.

After the usual hurdles like "What is your circuit ID?" "Without a workorder I cannot login to
the routeserver!" and "5580? that can't be an AS number" I unfortunately got nowhere so I
still don't know who exactly announced these prefixes to the route-server.

As of now the announcements for the more specifics seem to be gone.

Can anybody (preferably from Any2 or Dreamhost) shed more light on this matter?

Kind regards,

Job

On Mar 6, 2013, at 2:43 PM, Drew Weaver <drew.weaver@thenap.com> wrote:

> They're doing this to our routes in any2 in LA as well.
>
> ...
>
> -----Original Message-----
> From: Job Snijders [mailto:job.snijders@atrato.com]
> Sent: Wednesday, March 06, 2013 4:04 AM
> To: Matsuzaki Yoshinobu
> Cc: nanog@nanog.org
> Subject: Re: Dreamhost/AS26347 unauthorized bgp announcement
>
> Hi Mat,
>
> I see the same thing, we learn the prefix from the route-server in LAX:
>
> telnet@r1.lax1.us>show ip bgp routes detail 90.201.80.0/20
> Number of BGP Routes matching display condition : 1
> Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
>       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH
>       S:SUPPRESSED F:FILTERED s:STALE
> 1       Prefix: 90.201.80.0/20,  Status: BE,  Age: 0h22m15s
>         NEXT_HOP: 206.223.143.83, Metric: 0, Learned from Peer: 206.223.143.253 (19996)
>          LOCAL_PREF: 400,  MED: none,  ORIGIN: incomplete,  Weight: 0
>         AS_PATH: 26347
>            COMMUNITIES: 5580:12431
>            Adj_RIB_out count: 18,  Admin distance 20
>       Last update to IP routing table: 0h22m15s, 1 path(s) installed:
>
> Kind regards,
>
> Job
>
> On Mar 6, 2013, at 9:59 AM, Matsuzaki Yoshinobu <maz@iij.ad.jp> wrote:
>
>> According to RIPE RIS, AS26347 announced a bunch of prefixes again.
>> - http://www.ris.ripe.net/dashboard/26347
>>
>> First suspicious announcement was started 2013-03-06 07:52:40 UTC, and
>> last seen 2013-03-06 08:33:56 UTC.  195 prefixes total.
>>
>> It seems these unauthorized announcements have the same profile as
>> before - AS26347 shrinks the prefix length of their received prefix
>> somehow up to /20, and re-originates the prefix with origin AS26347.
>>
>> Any known bugs?
>>
>> Regards,
>> -----
>> Matsuzaki Yoshinobu <maz@iij.ad.jp>
>> - IIJ/AS2497  INOC-DBA: 2497*629
>>
>
> --
> AS5580 - Atrato IP Networks
>

--
AS5580 - Atrato IP Networks
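
The pattern described in this thread (a prefix inside someone else's address space showing up with a new origin AS) can be checked mechanically against a table of expected origins. The sketch below is an added example, not part of the original message: the baseline table, the covering prefix 90.201.0.0/16 and ASNs 64499-64503 are constructed, and only 90.201.80.0/20 with AS_PATH 26347 is taken from the router output quoted above. It assumes AS_PATH is a plain space-separated list of ASNs.

```python
import ipaddress

def origin_as(as_path):
    """Origin AS is the right-most ASN in the AS_PATH; None if the path is empty."""
    hops = as_path.split()
    return int(hops[-1]) if hops else None

def covering(prefix, baseline):
    """Longest baseline prefix that equals or covers `prefix`, or None."""
    best = None
    for net in baseline:
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if net.version == prefix.version and prefix.subnet_of(net):
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return best

def find_reoriginations(baseline, updates):
    """Return (prefix, seen_origin, covering_prefix, expected_origin, kind) for every
    update that falls inside a baseline prefix but carries a different origin AS."""
    base = {ipaddress.ip_network(p): asn for p, asn in baseline.items()}
    alerts = []
    for prefix_text, as_path in updates:
        prefix = ipaddress.ip_network(prefix_text)
        parent = covering(prefix, base)
        origin = origin_as(as_path)
        if parent is None or origin is None or origin == base[parent]:
            continue  # unknown space, empty path, or the expected origin
        kind = "more-specific" if prefix.prefixlen > parent.prefixlen else "same-prefix"
        alerts.append((prefix_text, origin, str(parent), base[parent], kind))
    return alerts

# Constructed baseline: covering prefix -> expected origin AS (assumed values).
BASELINE = {"90.201.0.0/16": 64500, "2001:db8::/32": 64501}

# Constructed updates as (prefix, AS_PATH); only the first mirrors the quoted output.
UPDATES = [
    ("90.201.80.0/20", "26347"),        # prefix and AS_PATH as seen on r1.lax1.us
    ("90.201.96.0/20", "64499 64500"),  # more-specific from the expected origin
    ("2001:db8::/32", "64499 64502"),   # same prefix, unexpected origin
    ("203.0.113.0/24", "64503"),        # outside the baseline, not evaluated
]

if __name__ == "__main__":
    for alert in find_reoriginations(BASELINE, UPDATES):
        print(alert)
```

In practice the baseline would come from IRR route objects or RPKI ROAs rather than a hand-written table.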



