BGP more specific prefixes
srgqwerty at gmail.com
Sat Aug 30 04:24:26 CDT 2008
Thanks a lot for your comments, but... nobody can be sure that their complete
prefix is routed OK to them (the "owner" AS).
Do you see this as normal behavior?
What do you think is the best way to protect against this?
Do you think that our upstreams can help us?
On Saturday 30 August 2008 10:32:08 Raymond Dijkxhoorn wrote:
> > Some days ago, a BGP issue was announced about "IP hijacking".
> > OK, we understand that this is some "new" because the traffic is also
> > sent back to the "real owner" of the block.
> Traffic will walk the shortest path, so you can never tell it's the 'real'
> owner that will receive this traffic.
> > What kind of security can we have (and all internet providers) about that
> > there is nobody announcing a subset of their prefix or a subset of their
> > customer prefixes (i.e. x.y.0.0/24) disturbing the "normal" traffic flow?
> > Of course, we know about prefix monitoring tools (from RIPE and others)
> > but... is it the best solution?
> > Or can simply anyone announce the /24 prefix that he wants, "capturing"
> > that /24 prefix (of course if the "normal" prefix is smaller than that
> > (i.e. /16))?
> > In other words... can anybody "capture" the /24 prefix that he wants?
> If I start announcing your /24, and my upstreams don't do proper filtering,
> I steal your prefix, easy as that. As little as this may be, my most direct
> peerings will accept the routes and off you go.
> And prefix filtering is within some providers not even per customer; we
> personally had for example issues with a big carrier, something with a 3
> inside their name, who only had a large prefix filter with *ALL* their
> customers, so if another customer of that same 3 would announce our
> prefixes, it would be OK for them, and that happened. So we were
> blackholed, since that other customer had many peerings with '3' in
> various locations.
> So even with 'some' filtering in place bad things can and will happen.
> > The question is very simple. It is very, very difficult for me to believe
> > that anybody can "shut down" the /24 network that he wants in the world.
> > Am I right?
> No? It's dead simple in fact. Totally shut down, no, since you most likely
> have direct peers who have a shorter path.
> > Or maybe the internet simply works like this and the providers are very
> > careful about what they accept from their customers and what they announce to
> > other providers?
> Ghe ... you think route leaking and stealing don't happen on a daily basis?
> Go look and see where a major part of your spam is coming from, yes,
> stolen prefixes.
> > In other words... Is there anybody on the internet that can be sure that
> > their traffic (traffic destined to their prefix) is not going to be
> > "stolen"? If yes... how?
> > Keep in mind that announcing the same prefixes as the attacker will not
> > solve the problem totally because it is only a partial solution.
> > If announcing a more specific /24 network is so easy... why does this not
> > happen every day (for example for shutting down competitors sites)?
> It does happen daily, wake up!
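An added example (not part of the thread or anything either poster wrote): a small Python check of the kind the prefix-monitoring tools mentioned above perform. Given the prefixes an operator holds and the origin AS that should announce them, it walks a list of routes as seen at a collector and flags any exact-prefix announcement from a foreign origin and any more-specific announcement from a foreign origin. A second function does a longest-prefix match over the same routes to show why a foreign /24 beats the legitimate /16 even with a longer AS path. The prefixes (RFC 1918 space), AS numbers (private range) and the route feed are constructed for illustration; a real deployment would parse them from a collector export.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Announcement(NamedTuple):
    """One BGP route as seen at a collector: prefix plus AS path (origin AS last)."""
    prefix: str
    as_path: Tuple[int, ...]

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Constructed: the aggregate "we" hold and the AS that is supposed to originate it.
OWNED: Dict[str, int] = {
    "10.10.0.0/16": 64500,   # hypothetical: our /16, originated by our AS 64500
}

# Constructed route feed, as a collector might show it. AS 64510 is our upstream;
# AS 64496 plays the foreign origin that announces our space.
FEED: List[Announcement] = [
    Announcement("10.10.0.0/16", (64510, 64500)),            # our aggregate, legitimate
    Announcement("10.10.5.0/24", (64510, 64520, 64496)),     # more specific, foreign origin
    Announcement("10.10.0.0/16", (64530, 64550, 64496)),     # same prefix, foreign origin
    Announcement("10.20.0.0/16", (64510, 64540)),            # somebody else's space
]


def classify(ann: Announcement, owned: Dict[str, int]) -> str:
    """Compare one announcement against the prefixes we own.

    Returns one of: "ok", "own-more-specific", "origin-hijack",
    "more-specific-hijack", "unrelated".
    """
    net = ipaddress.ip_network(ann.prefix)
    for own_prefix, own_as in owned.items():
        own = ipaddress.ip_network(own_prefix)
        if net.version != own.version:
            continue
        if net == own:
            # Exact prefix: only the origin AS tells legitimate from foreign.
            return "ok" if ann.origin_as == own_as else "origin-hijack"
        if net.subnet_of(own):
            # A more specific inside our block: foreign origin means traffic for
            # that subnet is diverted regardless of what we announce.
            return "own-more-specific" if ann.origin_as == own_as else "more-specific-hijack"
    return "unrelated"


def scan_feed(feed: List[Announcement], owned: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """Return (prefix, origin AS, verdict) for every announcement that overlaps
    our space with a foreign origin; this is what a monitor would alert on."""
    alerts = []
    for ann in feed:
        verdict = classify(ann, owned)
        if verdict.endswith("hijack"):
            alerts.append((ann.prefix, ann.origin_as, verdict))
    return alerts


def best_route(rib: List[Announcement], address: str) -> Optional[Announcement]:
    """Longest-prefix match over the feed.

    The most specific covering prefix is chosen before any BGP attribute is
    compared; only among equally long prefixes does the shorter AS path win.
    """
    dst = ipaddress.ip_address(address)
    candidates = [a for a in rib if dst in ipaddress.ip_network(a.prefix)]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda a: (ipaddress.ip_network(a.prefix).prefixlen, -len(a.as_path)),
    )


if __name__ == "__main__":
    for alert in scan_feed(FEED, OWNED):
        print("ALERT", *alert)
    # The /24 from AS 64496 carries 10.10.5.x traffic despite its longer AS path.
    print("10.10.5.7 ->", best_route(FEED, "10.10.5.7"))
    # Outside the /24, the two /16s tie on length and the shorter path (ours) wins.
    print("10.10.9.1 ->", best_route(FEED, "10.10.9.1"))
```

The second `best_route` call is the situation the reply describes: for the covering /16 the operator still competes on path length with the foreign announcement, so some networks keep sending to the legitimate origin, while for the more specific /24 there is no competition at all.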