Kenyan Route Hijack

Danny McPherson danny at tcb.net
Sat Mar 15 17:57:50 UTC 2008


[more accurate subject line]

On Mar 14, 2008, at 1:33 PM, Felix Bako wrote:

>
> Hello,
> There is a routing loop while accessing my network 194.9.82.0/24 from  
> some networks on the Internet.
>
> This is a test done from lg.above.net looking glass.
>
> 1 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
> 2 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 0 msec
> 3 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 8 msec 8 msec 0 msec
> 4 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
> 5 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
> 6 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 4 msec
> 7 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 64 msec 0 msec 4 msec
> 8 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
> 9 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
> 10 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 4 msec 0 msec
> 11 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 4 msec 0 msec 4 msec

According to RIPE BGP play data, it looks to me like AS 6461
(Abovenet) began announcing 194.9.82.0/24 about 10 hours
ago, pulling traffic away from AS 36915 and triggering your
reachability problems (note times are UTC):

# 1/361  2008-03-15 03:05:27   Path Change  from  29636 6461 2914 8513 25228 36915
   rrc01  195.66.224.132                       to  29636 2914 6461
# 2/361  2008-03-15 03:05:27   Route Announcement   20485 2914 6461
   rrc01  195.66.224.212
....

About 17 minutes later AS 6461 withdrew the route announcement:

# 41/361  2008-03-15 03:22:56   Route Withdrawal ( 4777 2497 2914 6461 )
    rrc06  202.249.2.20
....

And another 12 minutes or so later they began announcing it
again:

# 42/361  2008-03-15 03:35:26   Path Change  from  29636 6461 2914 8513 25228 36915
    rrc01  195.66.224.132                       to  29636 2914 6461
...

Seemed to be a bunch more instability with this prefix around 5:53:

# 66/361  2008-03-15 05:53:40   Route Announcement   25462 6461
    rrc07  194.68.123.157
...

And then some withdraws around 7:43:

# 183/361  2008-03-15 07:43:48   Path Change  from  8468 6453 6461
     rrc01  195.66.224.151                       to  8468 3491 25228 25228 25228 25228 25228 36915
...

With considerable oscillation for around 40 minutes between the legit
path via AS 36915 and the path via AS 6461.

And the latest was this transition from AS 6461 back to the 36915 path
about 2 hours ago, but only by a few ASNs, I suspect because those ASNs
explicitly modified policy (either preference or filtering) to
de-prefer the AS 6461 path.  This is illustrated pretty nicely with BGP play:

# 335/361  2008-03-15 14:59:43   Route Withdrawal ( 1916 3549 6461 )
     rrc15  200.219.130.4
# 361/361  2008-03-15 15:00:27   Path Change  from  13645 3356 6461
     rrc11  198.32.160.150                       to  13645 3491 25228 25228 25228 25228 25228 36915

BGP Play applet here:

http://www.ris.ripe.net/bgplay/applet.html?

Although most folks are definitely still preferring the AS 6461
path.

An interesting bit is that the current announcement on routeviews
directly from AS 6461 has Community 6461:5999 attached:
...
   6461
     64.125.0.137 from 64.125.0.137 (64.125.0.137)
       Origin IGP, metric 0, localpref 100, valid, external, best
       Community: 6461:5999
...

According to this, that community is used for "internal prefixes":

http://onesc.net/communities/as6461/

"6461:5999 internal prefix"

A "sh ip bgp community 6461:5999" currently yields 130 prefixes
with Origin AS of 6461 and that community.  Nothing more specific
than a /24, although many many adjacent prefixes that would
presumably be aggregated normally are announced as well.

The closest adjacent prefix to 194.9.82/24 they're announcing
is 194.9.40/24, which is one of their prefixes:

*> 194.9.40.0       64.125.0.137             0             0 6461 i
*> 194.9.82.0       64.125.0.137             0             0 6461 i

Unfortunately, the AS6461 forwarding loops still exist, and most
ASNs still appear to be preferring their path over yours per BGP
AS path route selection rules:

---
danny at pork% date
Sat Mar 15 11:55:27 MDT 2008
...
14  ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74)  188.278 ms  172.714 ms  174.984 ms
15  ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73)  176.234 ms  174.013 ms  174.109 ms
16  ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70)  173.230 ms  172.892 ms  174.765 ms
17  ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69)  174.721 ms  175.256 ms  174.738 ms
18  ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74)  174.437 ms  220.815 ms  180.961 ms
19  ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73)  177.564 ms  181.966 ms  174.771 ms
20  ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70)  176.028 ms  174.269 ms  174.365 ms
21  ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69)  175.626 ms  175.381 ms  175.831 ms
22  ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74)  174.046 ms  174.841 ms  174.388 ms
23  ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73)  174.861 ms  174.857 ms  175.475 ms
...

My recommendation, stay on the phone with Abovenet (via your
upstream, and their upstream if necessary) until you see a withdraw
for the route on routeviews from AS 6461:

telnet route-views.routeviews.org
sh ip bgp 194.9.82.0/24

-danny