[195659] in North American Network Operators' Group
Re: Validating possible BGP MITM attack
Thu Aug 31 15:22:34 2017
From: Steve Feldman <feldman@twincreeks.net>
Date: Thu, 31 Aug 2017 10:23:04 -0700
In-Reply-To: <CACWOCC9b2jOW0MTEGukQXKfw5=1gFqWWAUc=PKuFewBFpx2ZdQ@mail.gmail.com>
To: Job Snijders <job@instituut.net>
Cc: nanog@nanog.org
Interesting. We also got similar BGPMon alerts about disaggregated portions of a couple of our prefixes. I didn't see any of the bad prefixes in route-views, though.
The AS paths in the alerts started with "131477 38478 ..." and looked valid after that. Job's suggestion would explain that.
Steve
> On Aug 31, 2017, at 10:01 AM, Job Snijders <job@instituut.net> wrote:
>
> Hi Andy,
>
> It smells like someone in 38478 or 131477 is using Noction or some other
> BGP "optimizer" that injects hijacks for the purpose of traffic
> engineering. :-(
>
> Kind regards,
>
> Job
>
> On Thu, 31 Aug 2017 at 19:38, Andy Litzinger <andy.litzinger.lists@gmail.com>
> wrote:
>
>> Hello,
>> we use BGPMon.net to monitor our BGP announcements. This morning we
>> received two possible BGP MITM alerts for two of our prefixes detected by a
>> single BGPMon probe located in China. I've reached out to BGPMon to see
>> how much credence I should give to an alert from a single probe location,
>> but I'm interested in community feedback as well.
>>
>> The alert detailed that one of our /23 prefixes has been broken into /24
>> specifics and the AS Path shows a peering relationship with us that does
>> not exist:
>> 131477 (Shanghai Huajan) 38478 (Sunny Vision LTD) 3491 (PCCW Global) 14042 (me)
>>
>> We do not peer directly with PCCW Global. I'm going to reach out to them
>> directly to see if they may have done anything by accident, but presuming
>> they haven't and the path is spoofed, can I prove that? How can I detect
>> if traffic is indeed swinging through that hijacked path? How worried
>> should I be and what are my options for resolving the situation?
>>
>> thanks!
>> -andy
>>
>
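As an added illustration of the control-plane checks Andy asks about (example code, not from anyone in this thread), the script below flags announcements of an operator's own space that are more specific than what it originates, or whose AS path places an ASN it does not actually neighbor directly next to its own. The prefix, upstream ASNs and route feed are constructed placeholders; only AS 14042 and the 131477 38478 3491 14042 path come from the thread.

```python
import ipaddress
from collections import namedtuple
# One announcement as a collector or probe reports it: prefix plus AS path, origin last.
Announcement = namedtuple("Announcement", "prefix as_path")

OUR_ASN = 14042                                      # from the thread
# Constructed placeholders: the real prefixes and upstreams are not on the page.
OUR_PREFIXES = [ipaddress.ip_network("198.51.100.0/23")]
KNOWN_NEIGHBORS = {64500, 64501}                     # ASNs we really peer/transit with

def covering_prefix(pfx):
    """The prefix we own that covers pfx (equal or a supernet), else None."""
    return next((p for p in OUR_PREFIXES if pfx.subnet_of(p)), None)

def dedupe_path(as_path):
    """Collapse AS prepending (14042 14042 14042) so adjacency checks work."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def check(ann):
    """Findings for one announcement; an empty list means it looks legitimate."""
    pfx = ipaddress.ip_network(ann.prefix)
    owned = covering_prefix(pfx)
    if owned is None:
        return []                                    # not our address space
    path = dedupe_path(ann.as_path)
    findings = []
    if path[-1] != OUR_ASN:
        findings.append(f"origin hijack: {pfx} originated by AS{path[-1]}")
    if pfx != owned:
        findings.append(f"more-specific: {pfx} carved out of our {owned}")
    if path[-1] == OUR_ASN and len(path) > 1 and path[-2] not in KNOWN_NEIGHBORS:
        findings.append(f"bogus adjacency: AS{path[-2]} is not our neighbor in {path}")
    return findings

def audit(announcements):
    """Map each suspicious prefix to its findings; clean routes are dropped."""
    return {a.prefix: check(a) for a in announcements if check(a)}

# Constructed sample feed mirroring the thread: our /23 via a real upstream, two
# /24s carrying the 131477 38478 3491 14042 path, and one unrelated route.
SAMPLE = [
    Announcement("198.51.100.0/23", [64500, 14042, 14042]),
    Announcement("198.51.100.0/24", [131477, 38478, 3491, 14042]),
    Announcement("198.51.101.0/24", [131477, 38478, 3491, 14042]),
    Announcement("203.0.113.0/24", [131477, 38478, 64496]),
]
```

This only covers what collectors such as route-views or a BGPMon probe see; whether traffic is actually flowing along the announced path is a data-plane question that needs traceroutes from affected vantage points.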