[161305] in North American Network Operators' Group


Re: Dreamhost/AS26347 unauthorized bgp announcement

daemon@ATHENA.MIT.EDU (Job Snijders)
Thu Mar 7 06:30:35 2013

From: Job Snijders <job.snijders@atrato.com>
In-Reply-To: <51378AED.7010309@toonk.nl>
Date: Thu, 7 Mar 2013 12:30:07 +0100
To: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hi all,

Just a small update.

Off-list, Andree and I have been working together with Kenneth from Dreamhost
to try and figure out what exactly happened and which device or party originated
these prefixes.

Unfortunately no hard conclusions can be drawn from the data available to us,
especially since we lack proper insight into this Any2 routeserver.

I also want to emphasize that Kenneth and Dreamhost have been very forthcoming in
sharing data (configs, stats, network plans) to find the root cause.

We have put additional monitoring in place to try and catch more data if this
happens again.

Thank you all for being on top of incidents like this!

Kind regards,

Job


On Mar 6, 2013, at 7:29 PM, Andree Toonk <andree+nanog@toonk.nl> wrote:

> .-- My secret spy satellite informs me that at 2013-03-06 12:59 AM
> Matsuzaki Yoshinobu wrote:
>> According to RIPE RIS, AS26347 announced a bunch of prefixes again.
>> - http://www.ris.ripe.net/dashboard/26347
>>
>> First suspicious announcement was started 2013-03-06 07:52:40 UTC, and
>> last seen 2013-03-06 08:33:56 UTC.  195 prefixes total.
>>
>> It seems these unauthorized announcements have the same profile as
>> before - AS26347 shrinks the prefix length of their received prefix
>> somehow up to /20, and re-originates the prefix with origin AS26347.
>>
>> Any known bugs?
>
>
> Sounds indeed like an exact copy of the incident on January 11:
> http://seclists.org/nanog/2013/Jan/243
>
> That time the prefixes seem to also have been learned via a route-server
> in LA.
>
> The strange thing is that the majority of the 'hijacked' prefixes (today
> and in January) are new more specifics (not seen before).
> (Using some kind of BGP route optimizer?).
>
> This time it affected 203 unique prefixes and 133 ASNs.
> Below is a list of some of the affected ASNs
>=20
> 20115 Charter Telecom.
> 4837  China Unicom
> 8151  UNINET Mexico
> 11427 Roadrunner
> 42961 MTC GPRS  Kuwait
> 7303  Telecom Argentina S.A.
> 25135 Vodafone
> 7018  AT&T
> 6389  BellSouth.net
> 8220  Colt
> 19262 Verizon
> 9143  ZIGGO
> 6830  UPC
> 5089  Virgin Media
>
> Cheers,
> Andree

-- 
AS5580 - Atrato IP Networks
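
Added example (not part of the original messages, and not code from anyone in the thread): the pattern reported above, new more-specific prefixes showing up with an unexpected origin AS, can be checked by comparing observed announcements against a baseline of known prefix/origin pairs. All prefixes, ASNs and function names below are constructed for illustration.

```python
import ipaddress

# Constructed baseline of prefix -> expected origin ASN, e.g. built from earlier
# route-collector data. Private address space and documentation ASNs only.
BASELINE = {
    "10.16.0.0/14": 64500,
    "10.32.0.0/16": 64501,
    "10.32.128.0/20": 64502,   # known, legitimate more specific
    "fd00:10::/32": 64503,
}

# Constructed observations: (prefix, origin ASN) taken from new BGP updates.
OBSERVED = [
    ("10.17.32.0/20", 64511),   # new more specific, different origin
    ("10.32.128.0/20", 64502),  # already in the baseline with this origin
    ("10.32.64.0/20", 64501),   # new more specific, same origin as covering route
    ("10.32.130.0/24", 64511),  # new more specific inside a known sub-allocation
    ("fd00:10:1::/48", 64511),  # same check for IPv6
    ("10.99.0.0/20", 64511),    # no covering baseline prefix, out of scope here
]

def longest_cover(net, baseline_nets):
    """Return the most specific baseline (network, asn) strictly covering net."""
    covers = [(b, asn) for b, asn in baseline_nets
              if b.version == net.version and b != net and net.subnet_of(b)]
    return max(covers, key=lambda c: c[0].prefixlen, default=None)

def suspect_more_specifics(baseline, observed):
    """Flag unseen more specifics whose origin differs from the covering route."""
    baseline_nets = [(ipaddress.ip_network(p), asn) for p, asn in baseline.items()]
    alerts = []
    for prefix, origin in observed:
        net = ipaddress.ip_network(prefix)
        if baseline.get(str(net)) == origin:
            continue  # exact prefix/origin pair is already known
        cover = longest_cover(net, baseline_nets)
        if cover and cover[1] != origin:
            alerts.append((str(net), origin, str(cover[0]), cover[1]))
    return alerts

if __name__ == "__main__":
    for prefix, origin, cover, expected in suspect_more_specifics(BASELINE, OBSERVED):
        print(f"{prefix} origin AS{origin}: covered by {cover} (expected AS{expected})")
```

Matching against the longest covering baseline prefix keeps known sub-allocations from raising alerts while still flagging a new more specific announced inside them.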



