Lazy Engineers and Viable Excuses
william at elan.net
Thu Aug 28 10:31:45 UTC 2003
> --On Tuesday, August 26, 2003 9:35 AM -0400 Leo Bicknell <bicknell at ufp.org>
> wrote:
>
> > Almost everyone filters customers. The large ISP's all have the
> > same opinion, if small to medium sized players abuse the system
I wish this were true, but it is not!!!
In particular I call your attention to Qwest. Their customer in LA with
AS29809 was announcing IP block 138.252.0.0/16, which is a hijacked IP block;
see details at http://www.completewhois.com/hijacked/files/138.252.0.0.txt
It took us a little time to find out who to report it to because the amount
of abuse was small and all traceroutes were faked. Here is part of it
as it was several days ago:
8 204.255.169.138 (204.255.169.138) 33.299 ms 28.885 ms 30.188 ms
9 bur-core-01.inet.qwest.net (205.171.13.9) 35.992 ms 28.280 ms
10 bux-edge-01.inet.qwest.net (205.171.13.174) 32.468 ms 30.766 ms
11 tbr1-p012201.la2ca.ip.att.net (12.123.28.130) 40.104 ms <-- Faked here
12 gbr4-p20.sffca.ip.att.net (12.122.2.69) 51.680 ms 52.195 ms 50.259
13 gbr6-p70.sffca.ip.att.net (12.122.5.153) 62.751 ms 61.256 ms
14 ar2-p3110.sfcca.ip.att.net (12.123.195.81) 71.827 ms 71.376 ms
15 12.119.200.38 (12.119.200.38) 83.024 ms 82.612 ms 82.004 ms
16 203.148.164.170 (203.148.164.170) 89.747 ms 92.942 ms 87.614 ms
17 203.148.164.228 (203.148.164.228) 103.087 ms 99.536 ms 99.910 ms
18 svoa-bkk.a-net.net.th (203.148.200.145) 1104.594 ms 1098.491 ms
19 138.252.0.1 (138.252.0.1) 33.634 ms 33.220 ms 32.514 ms
And that is when "sh ip bgp" was showing:
8001 7911 209 29809
6395 1239 209 29809
5650 1239 209 29809
From the above, everything starting with 11 was faked, and once this was realized
Qwest security was notified and they even said the IP block would be filtered,
and indeed it was for 1 day!!! But apparently they just started advertising
the smaller 138.252.0.0/21 IP block from exactly the same Qwest POP in Burbank, CA,
but with a new faked traceroute:
traceroute to 138.252.0.10 (138.252.0.10), 30 hops max, 38 byte packets
...
5 qwest.sjc03.atlas.psi.net (154.54.10.154) 1.988 ms 1.264 ms 1.243 ms
6 svl-core-01.inet.qwest.net (20r.171.214.41) 2.526 ms 2.229 ms 2.383 ms
7 sbur-core-02.inet.qwest.net (205.171.5.217) 9.491 ms 9.519 ms 9.494 ms
8 bux-edge-01.inet.qwest.net (205.171.13.178) 9.514 ms 9.860 ms 9.467 ms
9 * * *
10 obl-rou-1003.NL.eurorings.net (134.222.229.238) 22.436 ms 18.489 ms
11 ffm-s1-rou-1002.DE.eurorings.net (134.222.230.30) 40.087 ms 47.130
12 ksrh-s1-rou-1071.DE.eurorings.net (134.222.227.86) 39.634 ms 38.361
13 ksrh-s1-rou-1072.DE.eurorings.net (134.222.227.74) 40.083 ms 42.067
14 r1-ka.strato.cust.eurorings.net (134.222.102.18) 39.853 ms 39.022 ms
15 81.169.144.22 (81.169.144.22) 39.770 ms 43.874 ms 39.956 ms
16 81.169.144.38 (81.169.144.38) 60.088 ms 59.179 ms 60.091 ms
17 lb1.webmailer.de (192.67.198.246) 70.123 ms 76.9934ms 69.991 ms
router#sh ip bgp 138.252.0.1
BGP routing table entry for 138.252.0.0/21, version 10503636
Paths: (2 available, best #1, not advertised outside local AS)
16631 174 209 29809
216.151.223.17 (metric 65) from 216.151.223.17
Origin IGP, metric 1000000, localpref 100, weight 500, valid, internal, best
Community: 16631:1000 local-AS
6347 701 209 29809
209.144.160.89 from 209.144.160.89 (209.83.159.23)
Origin IGP, localpref 100, weight 10, valid, external
Community: 6347:1023 6347:5000 6347:5001 local-AS
I'm pretty sure Qwest is doing something wrong by allowing such open
BGP announcements from their customers without checking what they would be
announcing. Instead of putting filters as "allow all" and then adding
filtering only for 138.252.0.0/16 when they were contacted, they instead
should have filtered all announcements except for the specific ones the customer
asked for and was authorized to announce. And I do hope there is somebody from Qwest here
who can deal with this issue and educate whoever is responsible for their BGP
router in Burbank on proper filtering.
Also, as for this particular case, I'd strongly advise just filtering
AS29809 entirely. I have serious doubts about whoever controls this ASN;
I have done the research on it (see the above-referenced file) and it
appears the addresses at ARIN are all wrong (I have some doubts about
Trimeda being located on the grounds of the Mormon Temple, for example...)
and were recently changed from a completely different set of addresses.
Besides, it would have been enough that AS29809 only advertises this
particular hijacked IP block (and nothing else!) and that they purposely
fake traceroutes to their AS to move blame away from themselves.
> Just a shame that not everyone filters their customers. And although it
> has been a while, I know I've seen a route-leak from 6461 at AMS-IX.
> (Probably last year sometime)
Indeed it really is a shame, especially when it's large players like Qwest
who do not filter their customers. How can you expect it from smaller
European networks, where peering seems to be a lot easier to set up...
--
William Leibzon
Elan Networks
william at elan.net
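The filtering argument in the post above, as an added illustration that is not part of the original message: a small simulation of an upstream's customer prefix policy, contrasting "allow all, then deny what was reported" with a default-deny allow-list. The prefixes and AS numbers are the ones from the post; the authorization list, the session modelling and the function names are assumptions for the example.

```python
import ipaddress

# Constructed sample: the two announcements the post describes, as the upstream
# (AS 209) would receive them on its customer session with AS29809.
# Prefixes and AS numbers are taken from the post; the tuples are constructed.
ANNOUNCEMENTS = [
    ("138.252.0.0/16", [29809]),   # the hijacked /16, filtered after a complaint
    ("138.252.0.0/21", [29809]),   # the more-specific announced the next day
]

# Hypothetical authorization data: what the customer asked for and was verified
# to hold. Assumed for the example (TEST-NET-1); the post gives no such list.
AUTHORIZED = {29809: [ipaddress.ip_network("192.0.2.0/24")]}

def reactive_exact(prefix, path, denied=("138.252.0.0/16",)):
    """'Allow all', then deny the exact prefix that was reported. The
    more-specific /21 is a different prefix and sails through."""
    return ipaddress.ip_network(prefix) not in {ipaddress.ip_network(d) for d in denied}

def reactive_covering(prefix, path, denied=("138.252.0.0/16",)):
    """Same idea, but a deny entry also matches any more-specific inside it
    (the 'le 32' style of prefix-list entry). Still only catches what was reported."""
    net = ipaddress.ip_network(prefix)
    return not any(net.subnet_of(ipaddress.ip_network(d)) for d in denied)

def allowlist(prefix, path, authorized=AUTHORIZED):
    """Default-deny: accept only if every AS in the path is a known customer AS
    and the prefix lies inside something the origin AS is authorized to announce."""
    net = ipaddress.ip_network(prefix)
    if not path or any(asn not in authorized for asn in path):
        return False
    return any(net.subnet_of(a) for a in authorized[path[-1]])

def evaluate(policy, announcements=ANNOUNCEMENTS):
    """Map each announced prefix to whether the given policy would accept it."""
    return {prefix: policy(prefix, path) for prefix, path in announcements}

if __name__ == "__main__":
    for policy in (reactive_exact, reactive_covering, allowlist):
        print(policy.__name__, evaluate(policy))
```

Under the exact-match deny the /21 is accepted, which is the one-day-later outcome the post describes; the covering deny closes that hole for the reported block only, while the allow-list rejects both without anyone having to report anything.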