Lazy Engineers and Viable Excuses

william at elan.net
Thu Aug 28 10:31:45 UTC 2003


> --On Tuesday, August 26, 2003 9:35 AM -0400 Leo Bicknell <bicknell at ufp.org> 
> wrote:
> 
> > Almost everyone filters customers.  The large ISP's all have the
> > same opinion, if small to medium sized players abuse the system
I wish this were true, but it is not!!!

In particular I call your attention to Qwest. Their customer in LA with
AS29809 was announcing IP block 138.252.0.0/16, which is a hijacked IP block;
see details at http://www.completewhois.com/hijacked/files/138.252.0.0.txt
It took us a little time to find out whom to report it to because the amount
of abuse was small and all traceroutes were faked. Here is part of one
as it was several days ago:
  8  204.255.169.138 (204.255.169.138)  33.299 ms  28.885 ms  30.188 ms
  9  bur-core-01.inet.qwest.net (205.171.13.9)  35.992 ms  28.280 ms  
 10  bux-edge-01.inet.qwest.net (205.171.13.174)  32.468 ms  30.766 ms  
 11  tbr1-p012201.la2ca.ip.att.net (12.123.28.130)  40.104 ms  <-- Faked here
 12  gbr4-p20.sffca.ip.att.net (12.122.2.69)  51.680 ms  52.195 ms  50.259 
 13  gbr6-p70.sffca.ip.att.net (12.122.5.153)  62.751 ms  61.256 ms  
 14  ar2-p3110.sfcca.ip.att.net (12.123.195.81)  71.827 ms  71.376 ms  
 15  12.119.200.38 (12.119.200.38)  83.024 ms  82.612 ms  82.004 ms
 16  203.148.164.170 (203.148.164.170)  89.747 ms  92.942 ms  87.614 ms
 17  203.148.164.228 (203.148.164.228)  103.087 ms  99.536 ms  99.910 ms
 18  svoa-bkk.a-net.net.th (203.148.200.145)  1104.594 ms  1098.491 ms  
 19  138.252.0.1 (138.252.0.1)  33.634 ms  33.220 ms  32.514 ms
And that is when "sh ip bgp" was showing:
  8001 7911 209 29809
  6395 1239 209 29809
  5650 1239 209 29809
From the above, everything from hop 11 on was faked, and once this was realized
Qwest security was notified. They even said the IP block would be filtered,
and indeed it was, for 1 day!!! But apparently they just started advertising
the smaller 138.252.0.0/21 IP block from exactly the same Qwest POP in Burbank, CA,
but with a new faked traceroute:
 traceroute to 138.252.0.10 (138.252.0.10), 30 hops max, 38 byte packets
  ...
  5  qwest.sjc03.atlas.psi.net (154.54.10.154)  1.988 ms  1.264 ms  1.243 ms
  6  svl-core-01.inet.qwest.net (20r.171.214.41)  2.526 ms  2.229 ms  2.383 ms
  7  sbur-core-02.inet.qwest.net (205.171.5.217)  9.491 ms  9.519 ms  9.494 ms
  8  bux-edge-01.inet.qwest.net (205.171.13.178)  9.514 ms  9.860 ms  9.467 ms
  9  * * *
 10  obl-rou-1003.NL.eurorings.net (134.222.229.238)  22.436 ms  18.489 ms
 11  ffm-s1-rou-1002.DE.eurorings.net (134.222.230.30)  40.087 ms  47.130
 12  ksrh-s1-rou-1071.DE.eurorings.net (134.222.227.86)  39.634 ms  38.361
 13  ksrh-s1-rou-1072.DE.eurorings.net (134.222.227.74)  40.083 ms  42.067
 14  r1-ka.strato.cust.eurorings.net (134.222.102.18)  39.853 ms  39.022 ms
 15  81.169.144.22 (81.169.144.22)  39.770 ms  43.874 ms  39.956 ms
 16  81.169.144.38 (81.169.144.38)  60.088 ms  59.179 ms  60.091 ms
 17  lb1.webmailer.de (192.67.198.246)  70.123 ms  76.9934ms  69.991 ms

router#sh ip bgp 138.252.0.1
BGP routing table entry for 138.252.0.0/21, version 10503636
Paths: (2 available, best #1, not advertised outside local AS)
  16631 174 209 29809
    216.151.223.17 (metric 65) from 216.151.223.17
      Origin IGP, metric 1000000, localpref 100, weight 500, valid, internal, best
      Community: 16631:1000 local-AS
  6347 701 209 29809
    209.144.160.89 from 209.144.160.89 (209.83.159.23)
      Origin IGP, localpref 100, weight 10, valid, external
      Community: 6347:1023 6347:5000 6347:5001 local-AS

I'm pretty sure Qwest is doing something wrong by allowing such open
BGP announcements from their customers without checking what they would be
announcing. Instead of putting filters as "allow all" and then adding
a filter only for 138.252.0.0/16 when they were contacted, they instead
should have filtered all announcements except for the specific ones the customer
asked for and was authorized to make. And I do hope there is somebody from Qwest here
who can deal with this issue and educate whoever is responsible for their
BGP router in Burbank on proper filtering.

Also, as for this particular case, I'll strongly advise just filtering
AS29809 entirely. I have serious doubts about whoever controls this ASN
and have done the research on it (see above referenced file); it
appears the addresses at ARIN are all wrong (I have some doubts about
Trimeda being located on the grounds of the Mormon Temple, for example...)
and they have recently been changed from a completely different set of addresses.
Besides, it would have been enough that AS29809 only advertises this
particular hijacked IP block (and nothing else!) and that they on purpose
fake traceroutes to their AS to move blame away from themselves.

> Just a shame that not everyone filters their customers. And although it 
> has been a while, I know I've seen a route-leak from 6461 at AMS-IX.
> (Probably last year sometime)

Indeed it really is a shame, especially when it's large players like Qwest
who do not filter their customers; how can you expect it from smaller
European networks where peering seems to be a lot easier to set up...

-- 
William Leibzon
Elan Networks
william at elan.net
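Added example (not part of the post above, and not Qwest's or anyone's real configuration): the two customer-filtering policies the post contrasts, run over announcements built from the "sh ip bgp" lines it quotes. The first two rows are the hijacked /16 and the /21 that appeared after the /16 was blocked; the authorized blocks, the longer-than-permitted /26 and the foreign origin AS 64496 are hypothetical (RFC 5737 and RFC 5398 documentation ranges), because the post does not say what AS29809 was actually authorized to announce.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple

# The post names the customer as AS29809; everything else below is constructed.
CUSTOMER_AS = 29809


@dataclass(frozen=True)
class PrefixRule:
    """One prefix-list entry: a block plus the longest more-specific still allowed
    (the 'le N' clause of 'ip prefix-list ... permit A.B.C.D/n le N')."""
    network: ipaddress.IPv4Network
    max_len: int

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        return prefix.subnet_of(self.network) and prefix.prefixlen <= self.max_len


def origin_as(as_path: str) -> int:
    """The rightmost AS in a 'sh ip bgp' path is the originating AS."""
    return int(as_path.split()[-1])


def deny_list_policy(prefix: ipaddress.IPv4Network, as_path: str,
                     denied: Iterable[ipaddress.IPv4Network]) -> bool:
    """Default-permit with exact-match denies bolted on after each complaint.
    This models what the post describes: the /16 is blocked, the /21 inside it is not."""
    return prefix not in set(denied)


def allow_list_policy(prefix: ipaddress.IPv4Network, as_path: str,
                      authorized: Iterable[PrefixRule]) -> bool:
    """Default-deny: accept only blocks the customer was authorized for, no longer
    than the permitted length, and only when the customer's own AS originates them."""
    if origin_as(as_path) != CUSTOMER_AS:
        return False
    return any(rule.matches(prefix) for rule in authorized)


def evaluate(announcements: Iterable[Tuple[str, str]],
             policy: Callable[..., bool], **policy_args) -> Dict[str, bool]:
    """Run one policy over (prefix, as_path) pairs; True means the route is accepted."""
    return {p: policy(ipaddress.ip_network(p), path, **policy_args)
            for p, path in announcements}


# Constructed sample in the shape of the 'sh ip bgp' lines quoted in the post.
SAMPLE_ANNOUNCEMENTS = [
    ("138.252.0.0/16", "8001 7911 209 29809"),   # hijacked /16 from the post
    ("138.252.0.0/21", "16631 174 209 29809"),   # more-specific seen after the /16 was blocked
    ("198.51.100.0/24", "6347 701 209 29809"),   # hypothetical: block the customer is authorized for
    ("198.51.100.0/26", "6347 701 209 29809"),   # hypothetical: longer than the authorized 'le 25'
    ("203.0.113.0/24", "6347 701 209 64496"),    # hypothetical: originated by someone behind the customer
]

# The reactive filter the post describes: one exact-match deny added after the complaint.
DENIED = [ipaddress.ip_network("138.252.0.0/16")]

# Hypothetical authorization the customer would have had to request and prove up front.
AUTHORIZED = [
    PrefixRule(ipaddress.ip_network("198.51.100.0/24"), max_len=25),
    PrefixRule(ipaddress.ip_network("203.0.113.0/24"), max_len=24),
]

if __name__ == "__main__":
    for name, policy, args in (("deny-list", deny_list_policy, {"denied": DENIED}),
                               ("allow-list", allow_list_policy, {"authorized": AUTHORIZED})):
        print(f"{name}:")
        for prefix, accepted in evaluate(SAMPLE_ANNOUNCEMENTS, policy, **args).items():
            print(f"  {prefix:18} {'accept' if accepted else 'deny'}")
```

Under the deny-list policy only the /16 is dropped and the /21 sails through, which is exactly the sequence of events in the post; under the allow-list policy both are dropped without anyone having to notice them first, and a prefix originated by an AS other than the customer's is rejected even when the block itself is authorized.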