[195653] in North American Network Operators' Group
Validating possible BGP MITM attack
daemon@ATHENA.MIT.EDU (Andy Litzinger)
Thu Aug 31 12:38:01 2017
From: Andy Litzinger <andy.litzinger.lists@gmail.com>
Date: Thu, 31 Aug 2017 07:01:24 -0700
To: nanog@nanog.org
Hello,
We use BGPMon.net to monitor our BGP announcements. This morning we
received two possible BGP MITM alerts for two of our prefixes detected by a
single BGPMon probe located in China. I've reached out to BGPMon to see
how much credence I should give to an alert from a single probe location,
but I'm interested in community feedback as well.
The alert detailed that one of our /23 prefixes has been broken into /24
specifics and the AS Path shows a peering relationship with us that does
not exist:
131477(Shanghai Huajan) 38478(Sunny Vision LTD) 3491(PCCW Global) 14042 (me)
We do not peer directly with PCCW Global. I'm going to reach out to them
directly to see if they may have done anything by accident, but presuming
they haven't and the path is spoofed, can I prove that? How can I detect
if traffic is indeed swinging through that hijacked path? How worried
should I be and what are my options for resolving the situation?
thanks!
-andy
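As an added example, not part of the original post and not BGPMon's or NANOG's code, the following Python sketches the control-plane checks a prefix owner can run over routes reported by a probe or route collector: is the announced prefix a more-specific of one of our aggregates, is the origin still our ASN, and is the AS that appears adjacent to us actually one of our real neighbors. The ASNs 14042, 3491, 38478 and 131477 are taken from the post; the /23 (198.51.100.0/23), the neighbor set and the sample route table are constructed placeholders, since the post names no real prefix or upstream.

```python
"""Flag more-specifics and forged adjacencies in observed BGP routes (added example)."""
import ipaddress

MY_ASN = 14042                        # our ASN, as given in the post
MY_PREFIXES = ["198.51.100.0/23"]     # constructed placeholder for the /23 the post mentions
KNOWN_NEIGHBORS = {65000, 65001}      # hypothetical real upstreams; 3491 (PCCW) is deliberately absent

# Constructed sample routes as a probe might report them:
# (prefix, AS path read left to right, collector side first, origin AS last)
SAMPLE_ROUTES = [
    ("198.51.100.0/23", [64512, 65000, 14042]),         # legitimate aggregate via a real upstream
    ("198.51.100.0/24", [131477, 38478, 3491, 14042]),  # more-specific with the adjacency from the post
    ("198.51.101.0/24", [131477, 38478, 3491, 14042]),
    ("203.0.113.0/24", [64512, 65002, 64496]),          # unrelated prefix, must be ignored
]


def _collapse_prepends(as_path):
    """Remove consecutive duplicate ASNs so prepending does not hide the true neighbor."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def check_route(prefix, as_path, my_asn=MY_ASN, my_prefixes=MY_PREFIXES,
                neighbors=KNOWN_NEIGHBORS):
    """Return a list of findings for one route; an empty list means nothing suspicious."""
    findings = []
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [p for p in (ipaddress.ip_network(x) for x in my_prefixes)
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return findings                      # not our address space at all

    path = _collapse_prepends(as_path)
    origin = path[-1]
    if origin != my_asn:
        # Classic origin hijack: someone else claims to originate our space.
        findings.append(f"{prefix}: origin AS{origin} is not AS{my_asn}")
        return findings

    for p in covering:
        if net.prefixlen > p.prefixlen:
            # More-specifics win longest-match, so they attract traffic away from our aggregate.
            findings.append(f"{prefix}: more-specific of our {p}")

    if len(path) >= 2 and path[-2] not in neighbors:
        # Origin is correct but the AS next to us is not a real peer: the path itself is forged.
        findings.append(f"{prefix}: AS{path[-2]} adjacent to AS{my_asn} is not a known neighbor")
    return findings


def scan(routes):
    """Run check_route over (prefix, as_path) tuples; return only routes with findings."""
    report = {}
    for prefix, as_path in routes:
        hits = check_route(prefix, as_path)
        if hits:
            report[prefix] = hits
    return report


if __name__ == "__main__":
    for prefix, hits in scan(SAMPLE_ROUTES).items():
        for h in hits:
            print(h)
```

These checks only confirm what the control plane is advertising; whether traffic is actually taking the suspect path is a data-plane question, answered by tracerouting toward the prefix from vantage points near the probe that raised the alert and comparing the hops against the expected upstream.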