BGP Hijack/Sickness with AS4637

Alain Hebert ahebert at pubnix.net
Thu May 31 14:31:26 UTC 2018


     Thanks for the ideas and the hint.  Good read.

     Will do.

     PS: Still curious how, besides some RIB/FIB failure, our AS ended up there.

-----
Alain Hebert                                ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 05/31/18 10:15, Job Snijders wrote:
> On Thu, May 31, 2018 at 09:49:47AM -0400, Alain Hebert wrote:
>> Well bad news on the ColoAU front, they refused to cooperate.
>>
>> We'll push back through our GTT accounts...  But I'm running out of ideas.
>>
>> If anyone has any good ideas how to proceed at this point feel free to
>> share =D.
> This feels like a BGP "optimiser" at work inside AS 4637.
>
> From the https://lg.coloau.com.au/ looking glass:
>
> BGP 'show route'
>      18.29.238.0/23  *[BGP/170] 1w0d 18:49:44, localpref 90, from 103.97.52.2
>                      AS path: 4637 3257 29909 16532 16532 16532 16532 I, validation-state: unverified
>
> However, a data-plane traceroute:
>
>      AS path: 4637 -> 174 ->  ...
>
>      traceroute to 18.29.238.1 (18.29.238.1), 30 hops max, 40 byte packets
>       1  103.52.116.49 (103.52.116.49)  114.573 ms  113.965 ms  117.141 ms
>           MPLS Label=691873 CoS=0 TTL=1 S=0
>           MPLS Label=17 CoS=0 TTL=1 S=1
>       2  202.127.69.34 (202.127.69.34)  113.768 ms  113.763 ms  113.731 ms
>       3  202.84.148.113 (202.84.148.113) [AS  4637]  114.759 ms  117.956 ms  115.796 ms
>       4  202.84.141.13 (202.84.141.13) [AS  4637]  181.873 ms 202.84.141.169 (202.84.141.169) [AS  4637]  181.618 ms  182.688 ms
>       5  202.84.253.82 (202.84.253.82) [AS  4637]  181.949 ms 202.40.149.226 (202.40.149.226) [AS  4637]  183.194 ms 202.84.253.82 (202.84.253.82) [AS  4637]  201.282 ms
>       6  154.54.10.133 (154.54.10.133) [AS  174]  181.055 ms  181.100 ms  181.065 ms
>       7  154.54.27.117 (154.54.27.117) [AS  174]  175.410 ms  182.956 ms 154.54.3.69 (154.54.3.69) [AS  174]  175.176 ms
>       8  154.54.45.161 (154.54.45.161) [AS  174]  212.531 ms 154.54.44.85 (154.54.44.85) [AS  174]  202.470 ms  187.361 ms
>       9  154.54.42.78 (154.54.42.78) [AS  174]  195.585 ms  195.812 ms 154.54.42.66 (154.54.42.66) [AS  174]  211.713 ms
>      10  154.54.30.161 (154.54.30.161) [AS  174]  235.896 ms  216.173 ms  211.246 ms
>      11  154.54.28.129 (154.54.28.129) [AS  174]  233.516 ms  225.413 ms  225.551 ms
>      12  154.54.24.221 (154.54.24.221) [AS  174]  236.432 ms  236.701 ms  236.595 ms
>      13  154.54.40.109 (154.54.40.109) [AS  174]  273.564 ms  279.452 ms  248.212 ms
>      14  154.54.46.33 (154.54.46.33) [AS  174]  248.098 ms  247.802 ms  248.084 ms
>      15  * * *
>
> Discongruity between RIB and FIB like this, and the hijack being a
> more-specific of a /16, is a typical sign of BGP 'optimisers'.
>
> I recommend you reach out to AUSNOG and APOPS and hope someone there
> knows someone at Telstra Hong Kong.
>
> More thoughts on BGP optimisers: http://seclists.org/nanog/2017/Aug/318
>
> Kind regards,
>
> Job
>
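The comparison Job describes above, the control-plane AS path from the looking glass against the ASNs seen on the data-plane traceroute, plus the more-specific-of-a-/16 check, as an added Python example that is not from the thread or from any operator named in it. The sample strings are constructed from the looking-glass and traceroute excerpts quoted above; the covering prefix length defaults to /16 as an assumption taken from Job's remark.

```python
import ipaddress
import re

# Constructed samples, copied from the looking-glass and traceroute excerpts quoted in the thread.
RIB_OUTPUT = """\
     18.29.238.0/23  *[BGP/170] 1w0d 18:49:44, localpref 90, from 103.97.52.2
                     AS path: 4637 3257 29909 16532 16532 16532 16532 I, validation-state: unverified
"""
TRACEROUTE_OUTPUT = """\
 3  202.84.148.113 (202.84.148.113) [AS  4637]  114.759 ms  117.956 ms  115.796 ms
 5  202.84.253.82 (202.84.253.82) [AS  4637]  181.949 ms 202.40.149.226 (202.40.149.226) [AS  4637]  183.194 ms
 6  154.54.10.133 (154.54.10.133) [AS  174]  181.055 ms  181.100 ms  181.065 ms
"""

def collapse(asns):
    """Drop consecutive repeats: prepends (16532 x4) and multi-hop transits count once."""
    path = []
    for asn in asns:
        if not path or path[-1] != asn:
            path.append(asn)
    return path

def rib_as_path(text):
    """Control-plane AS path from the looking-glass 'show route' line, prepends collapsed."""
    m = re.search(r"AS path:\s*((?:\d+\s+)+)", text)
    if not m:
        raise ValueError("no AS path in looking-glass output")
    return collapse(int(a) for a in m.group(1).split())

def traceroute_as_path(text):
    """Data-plane AS sequence from the [AS n] hop annotations, repeats collapsed."""
    return collapse(int(a) for a in re.findall(r"\[AS\s+(\d+)\]", text))

def first_divergence(rib_path, fib_path):
    """(hop index, rib_asn, fib_asn) where the paths first disagree within the observed hops, else None."""
    for i, (r, f) in enumerate(zip(rib_path, fib_path)):
        if r != f:
            return (i, r, f)
    return None

def diagnose(rib_text, trace_text, covering_len=16):
    """Report the two signs named in the thread: RIB/FIB discongruity and a more-specific of a /16."""
    prefix = ipaddress.ip_network(re.search(r"\d+\.\d+\.\d+\.\d+/\d+", rib_text).group(0))
    rib, fib = rib_as_path(rib_text), traceroute_as_path(trace_text)
    return {
        "prefix": str(prefix),
        "covering": str(prefix.supernet(new_prefix=covering_len)),  # assumed /16 covering route
        "more_specific": prefix.prefixlen > covering_len,
        "rib_path": rib, "fib_path": fib,
        "divergence": first_divergence(rib, fib),
    }
```

On the quoted data this reports the RIB path leaving AS 4637 toward 3257 while packets actually leave toward AS 174, which is the discongruity Job points at.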
