[195654] in North American Network Operators' Group
Re: Validating possible BGP MITM attack
daemon@ATHENA.MIT.EDU (Job Snijders)
Thu Aug 31 13:12:34 2017
From: Job Snijders <job@instituut.net>
Date: Thu, 31 Aug 2017 17:01:36 +0000
To: Andy Litzinger <andy.litzinger.lists@gmail.com>, nanog@nanog.org
Hi Andy,
It smells like someone in 38478 or 131477 is using Noction or some other
BGP "optimizer" that injects hijacks for the purpose of traffic
engineering. :-(
Kind regards,
Job
On Thu, 31 Aug 2017 at 19:38, Andy Litzinger <andy.litzinger.lists@gmail.com> wrote:
> Hello,
> we use BGPMon.net to monitor our BGP announcements. This morning we
> received two possible BGP MITM alerts for two of our prefixes detected by a
> single BGPMon probe located in China. I've reached out to BGPMon to see
> how much credence I should give to an alert from a single probe location,
> but I'm interested in community feedback as well.
>
> The alert detailed that one of our /23 prefixes has been broken into /24
> specifics and the AS Path shows a peering relationship with us that does
> not exist:
>
> 131477 (Shanghai Huajan) 38478 (Sunny Vision LTD) 3491 (PCCW Global) 14042 (me)
>
> We do not peer directly with PCCW Global. I'm going to reach out to them
> directly to see if they may have done anything by accident, but presuming
> they haven't and the path is spoofed, can I prove that? How can I detect
> if traffic is indeed swinging through that hijacked path? How worried
> should I be and what are my options for resolving the situation?
>
> thanks!
> -andy
>
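Added example, not part of the thread above: a small offline checker for the two symptoms Andy describes and Job attributes to a BGP "optimizer", namely a more-specific carved out of one of your own prefixes and an AS path that claims an adjacency to your ASN that you do not have. It assumes a constructed prefix (198.18.0.0/23, from the benchmarking range; the thread never names the real /23), a made-up set of real neighbor ASNs (64496 and 64497, documentation ASNs), and a few constructed route observations shaped like BGPMon alerts. Only AS14042 and the path 131477 38478 3491 14042 come from the thread.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed inputs (assumptions, not data from the thread):
OUR_ASN = 14042                                   # from the thread
OUR_PREFIXES = [ipaddress.ip_network("198.18.0.0/23")]   # made-up covering /23
KNOWN_NEIGHBORS = {64496, 64497}                  # ASNs we really have sessions with
# The thread only tells us AS3491 (PCCW Global) is NOT a direct neighbor.


@dataclass
class Observation:
    """One route seen by one collector/probe. as_path runs left (collector's
    peer) to right (origin), the way BGPMon and RIS print it."""
    collector: str
    prefix: str
    as_path: List[int]


def strip_prepends(path: List[int]) -> List[int]:
    """Collapse consecutive repeats so prepending does not fake an adjacency."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def analyse(obs: Observation,
            our_asn: int = OUR_ASN,
            our_prefixes=OUR_PREFIXES,
            known_neighbors: Set[int] = KNOWN_NEIGHBORS) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for one observation; [] means nothing odd."""
    findings: List[Tuple[str, str]] = []
    net = ipaddress.ip_network(obs.prefix)
    covering = [p for p in our_prefixes if net.version == p.version and net.subnet_of(p)]
    if not covering:
        return findings                       # not our address space

    path = strip_prepends(obs.as_path)
    origin = path[-1]

    # 1. Someone else originating our space outright.
    if origin != our_asn:
        findings.append(("origin-mismatch",
                         f"{obs.prefix} originated by AS{origin}, expected AS{our_asn}"))

    # 2. A more-specific of our announcement: wins on longest match regardless
    #    of who originates it, which is how an "optimizer" injection steals traffic.
    if net.prefixlen > covering[0].prefixlen:
        findings.append(("more-specific",
                         f"{obs.prefix} is a more-specific of our {covering[0]}"))

    # 3. The path shows our ASN next to an AS we do not actually peer with.
    if our_asn in path:
        i = path.index(our_asn)
        if i > 0 and path[i - 1] not in known_neighbors:
            findings.append(("unknown-adjacency",
                             f"AS{path[i - 1]} appears as a direct neighbor of AS{our_asn}"))
    return findings


def vantage_points(observations: List[Observation]) -> Dict[Tuple[str, Tuple[int, ...]], Set[str]]:
    """Group identical (prefix, path) announcements by the collectors that saw them,
    so a route seen by one probe can be weighed against one seen by many."""
    seen: Dict[Tuple[str, Tuple[int, ...]], Set[str]] = defaultdict(set)
    for obs in observations:
        seen[(obs.prefix, tuple(strip_prepends(obs.as_path)))].add(obs.collector)
    return dict(seen)


# Constructed sample: the alert from the thread plus a normal view from elsewhere.
SAMPLE = [
    Observation("probe-cn", "198.18.0.0/24", [131477, 38478, 3491, 14042]),
    Observation("probe-cn", "198.18.1.0/24", [131477, 38478, 3491, 14042]),
    Observation("probe-eu", "198.18.0.0/23", [64496, 14042]),
    Observation("probe-us", "198.18.0.0/23", [64497, 14042, 14042]),
]

if __name__ == "__main__":
    for obs in SAMPLE:
        for kind, detail in analyse(obs):
            print(f"{obs.collector}: {kind}: {detail}")
    for (prefix, path), collectors in vantage_points(SAMPLE).items():
        print(f"{prefix} via {' '.join(map(str, path))} seen by {sorted(collectors)}")
```

Run against the constructed sample, the two /24s from the Chinese probe each produce a more-specific finding and an unknown-adjacency finding for AS3491, while the /23 views from the other probes produce nothing. The grouping step is there because the thread's open question is how much to trust one probe: a path that only one collector ever reports is a very different situation from one that a dozen collectors in the same region all carry.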