BGP hijack?

Ben Cox ben at benjojo.co.uk
Mon Oct 23 14:25:44 UTC 2023


Hey everybody, I run bgp.tools (and had an extremely busy alerting
engine for a few minutes).

From what bgp.tools can see it seems like they had a private ASN in
the path like so:

```
2027 4220270000 6696 6939 42615 212232
```

This can be valid for a number of reasons (they might have been
doing some homemade BGP confederation, for example), and I assume
then that they had enabled some kind of private ASN filter that had
not quite done what they expected. I think what they were expecting
was the path to look like this:

```
2027 6696 6939 42615 212232
```

However, the private AS stripping function instead did this,
and sent it to their customers/collector feeds:

```
2027
```

This then obviously made everything look like a BGP origin hijack to
all of the route collectors and alerting systems.

It's worth noting that bgp.tools saw this not only from MilkyWan
directly, but also from what I can assume are their customers. But I
don't see any indication this faulty routing information propagated
anywhere else than that. (To sort of back up the response that Vincent
has already provided us.)

Hope this provides some interesting insight, and maybe some future heads up :)
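As an added illustration (not part of Ben's post or of bgp.tools' own code), here is a small Python model of the intended remove-private-AS behaviour beside the truncating behaviour described above, plus the origin check that turns the truncated path into a hijack alert. The AS path is the one quoted in the thread; the prefix string and the authorised-origin table are constructed for the example.

```python
# Added example, not from the original post: correct vs faulty private-ASN
# stripping of a BGP AS_PATH and the origin check an alerting engine applies.
# Private ASN ranges per RFC 6996.
PRIVATE_16 = range(64512, 65535)            # 64512-65534
PRIVATE_32 = range(4200000000, 4294967295)  # 4200000000-4294967294

# AS path as seen by the collector (leftmost = neighbour, rightmost = origin).
OBSERVED_PATH = [2027, 4220270000, 6696, 6939, 42615, 212232]

# Constructed stand-in for ROA / expected-origin data: prefix -> allowed origins.
EXPECTED_ORIGINS = {"203.0.113.0/24": {212232}}  # placeholder prefix


def is_private_asn(asn: int) -> bool:
    return asn in PRIVATE_16 or asn in PRIVATE_32


def strip_private_asns(path: list) -> list:
    """Intended remove-private-AS: drop only private ASNs, keep the rest in order."""
    return [asn for asn in path if not is_private_asn(asn)]


def faulty_strip(path: list) -> list:
    """Behaviour the thread observed: path truncated at the first private ASN."""
    for i, asn in enumerate(path):
        if is_private_asn(asn):
            return path[:i]
    return list(path)


def classify(prefix: str, path: list) -> str:
    """Origin check in the spirit of RPKI: the rightmost ASN must be an
    authorised origin for the prefix, otherwise it looks like an origin hijack."""
    if not path:
        return "empty-path"
    origin = path[-1]
    allowed = EXPECTED_ORIGINS.get(prefix, set())
    return "ok" if origin in allowed else f"origin-hijack-suspected:{origin}"


if __name__ == "__main__":
    prefix = "203.0.113.0/24"
    print("intended:", strip_private_asns(OBSERVED_PATH), classify(prefix, strip_private_asns(OBSERVED_PATH)))
    print("faulty:  ", faulty_strip(OBSERVED_PATH), classify(prefix, faulty_strip(OBSERVED_PATH)))
```

The faulty variant leaves AS2027 as the rightmost (origin) ASN, which is exactly what made every route collector and alerting system flag an origin hijack.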

On Sun, Oct 22, 2023 at 10:04 PM Christopher Morrow
<morrowc.lists at gmail.com> wrote:
>
> Hank, all exact match for prefix length? Or longer subnets covering the whole?
> (Is this leakage of a optimizer or possibly censorship leakage?)
>
> On Sun, Oct 22, 2023, 1:03 PM Olivier Benghozi <olivier.benghozi at wifirst.fr> wrote:
>>
>> Same stuff (with our ASN and our prefixes) detected here, coming from AS2027 (Milkywan), for a short time...
>>
>> Le dim. 22 oct. 2023 à 17:18, Hank Nussbacher <hank at efes.iucc.ac.il> a écrit :
>>>
>>> We just had every single prefix in AS378 start being announced by AS2027.
>>>
>>> Every announcement by AS2027 is failing RPKI yet being propagated a bit.
>>> Is this yet another misbehaving device or an actual attack?
