BGP more specific prefixes

Sergio srgqwerty at gmail.com
Sat Aug 30 04:24:26 CDT 2008


Raymond:

Thanks a lot for your comments, but... nobody can be sure that their complete 
prefix is routed OK to them (the "owner" AS).
Right?

Do you see this as a normal behavior?

What do you think is the best way to protect against this?
Do you think that our upstreams can help us?

Best regards

On Saturday 30 August 2008 10:32:08 Raymond Dijkxhoorn wrote:
> Hi!
>
> > Some days ago, a BGP issue was announced about "IP hijacking".
> > OK, we understand that this is some "new" because the traffic is also
> > sent back to the "real owner" of the block.
>
> Traffic will walk the shortest path, so you can never tell it's the 'real'
> owner that will receive this traffic.
>
> > What kind of security can we have (and all internet providers) about that
> > there is nobody announcing a subset of their prefix or a subset of their
> > customer prefixes (i.e. x.y.0.0/24) disturbing the "normal" traffic flow?
> > Of course, we know about prefix monitoring tools (from RIPE and others)
> > but... is it the best solution?
> >
> > Or simply anyone can announce the /24 prefix that he wants, "capturing"
> > that /24 prefix (of course if the "normal" prefix is smaller than that
> > (i.e. /16))?
> > In other words... can anybody "capture" the /24 prefix that he wants?
>
> If I start announcing your /24, and my upstreams don't do proper filtering,
> I steal your prefix, easy as that. As little as this may be, my most direct
> peerings will accept the routes and off you go.
>
> And prefix filtering is within some providers not even per customer, we
> personally had for example issues with a big carrier, something with a 3
> inside their name, who only had a large prefix filter with *ALL* their
> customers, so if another customer of that same 3 would announce our
> prefixes, it would be ok for them, and that happened. So we were
> blackholed, since that other customer had many peerings with '3' on
> various locations.
>
> So even with 'some' filtering in place bad things can and will happen.
>
> > The question is very simple: it is very very difficult for me to believe
> > that anybody can "shutdown" the /24 network that he wants in the world.
> > Am I right?
>
> No? It's dead simple in fact. Totally shut down, no, since you most likely
> have direct peers who have a shorter path.
>
> > Or maybe simply the internet works like this and the providers are very
> > careful about what they accept from their customers and what they announce to
> > other providers?
>
> Ghe ... you think route leaking and stealing don't happen on a daily basis?
> Go look and see where a major part of your spam is coming from, yes,
> stolen prefixes.
>
> > In other words... Is there anybody on the internet who can be sure that
> > their traffic (traffic destined to their prefix) is not going to be
> > "stolen"? If yes... how?
> >
> > Keep in mind that announcing the same prefixes as the attacker will not
> > solve the problem totally because it is only a partial solution.
> >
> > If announcing a more specific /24 network is so easy... why does this not
> > happen every day (for example for shutting down competitors sites)?
>
> It does happen daily, wake up!
>
> Bye,
> Raymond.
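To make the mechanism in the exchange above concrete, here is an added example that is not part of the thread: a small Python check of the kind a prefix monitoring tool runs, which flags a foreign /24 announced inside an owned /16 (longest match wins, so the /24 attracts the traffic even when the /16 has the shorter AS path) and a same-length announcement with the wrong origin AS. The prefix 198.18.0.0/16, the AS numbers 64496-64511 and the "<prefix> <AS path>" feed line format are constructed assumptions, not data from the thread.

```python
# Added example: detect more-specific and origin-mismatch announcements
# against prefixes we own. Prefix and ASNs are constructed from
# documentation ranges (198.18.0.0/15 benchmarking space, AS64496-AS64511).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str        # "more-specific" or "origin-mismatch"
    prefix: str      # announced prefix that triggered the alert
    covering: str    # our prefix that it falls inside (or equals)
    origin_as: int   # origin AS of the announcement (last AS in the path)


def parse_feed(lines):
    """Parse '<prefix> <AS path>' lines into (network, origin_as); skip junk."""
    routes = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            routes.append((ipaddress.ip_network(parts[0]), int(parts[-1])))
        except ValueError:
            continue
    return routes


def check_routes(owned, routes):
    """owned: {prefix: authorized origin ASNs}; routes: [(network, origin_as)].
    Return an Alert for each route inside our space without an authorized origin."""
    owned_nets = {ipaddress.ip_network(p): set(a) for p, a in owned.items()}
    alerts = []
    for net, origin in routes:
        for ours, authorized in owned_nets.items():
            if net.version != ours.version or not net.subnet_of(ours):
                continue
            if origin in authorized:
                break  # our own announcement or our own deaggregation
            # Longest match wins: a foreign /24 inside our /16 draws the traffic
            # regardless of how short the AS path to our /16 is.
            kind = "more-specific" if net.prefixlen > ours.prefixlen else "origin-mismatch"
            alerts.append(Alert(kind, str(net), str(ours), origin))
            break
    return alerts


# Constructed sample: we are AS64496 and own 198.18.0.0/16.
OWNED = {"198.18.0.0/16": {64496}}
SAMPLE_FEED = [
    "198.18.0.0/16 64511 64500 64496",  # our own /16, correct origin
    "198.18.7.0/24 64511 64500",        # foreign /24 punched out of our /16
    "198.18.200.0/24 64496",            # our own more-specific, fine
    "198.18.0.0/16 64510",              # same prefix, wrong origin
    "198.19.0.0/16 64510",              # not our space, ignored
    "not a route",                      # malformed line, skipped
]

if __name__ == "__main__":
    for a in check_routes(OWNED, parse_feed(SAMPLE_FEED)):
        print(f"{a.kind:16} {a.prefix:18} inside {a.covering} from AS{a.origin_as}")
```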
