Kenyan Route Hijack

Jeff Aitken jaitken at aitken.com
Mon Mar 17 12:25:52 UTC 2008


On Sat, Mar 15, 2008 at 11:57:50AM -0600, Danny McPherson wrote:
> An interesting bit is that the current announcement on routeviews
> directly from AS 6461 has Community 6461:5999 attached:
> ...
>   6461
>     64.125.0.137 from 64.125.0.137 (64.125.0.137)
>       Origin IGP, metric 0, localpref 100, valid, external, best
>       Community: 6461:5999
> ...
> 
> According to this, that community is used for "internal prefixes":
> 
> http://onesc.net/communities/as6461/
> 
> "6461:5999 internal prefix"
> 
> A "sh ip bgp community 6461:5999" currently yields 130 prefixes
> with Origin AS of 6461 and that community.  


Hi Danny,

Unless things have changed since I left in '05, 6461:5999 is the outbound
community set on internally-originated prefixes.  You would expect to see
it on prefixes "owned" by AS6461 (such as 216.200/16) as well as address
space announced on behalf of customers (i.e., prefixes "belonging" to
customers who have no ASN and/or no desire to run BGP).  Prefixes learned
from another customer would have :5998 and those learned from a peer would
have :5997, IIRC.  These outbound translations are/were only performed on
customer BGP sessions, which makes sense in this case since the session to
route-views is/was configured like any other customer session.  All it
really tells you is that for whatever reason, that prefix was "manually"
injected into BGP, most likely as a redist'ed static.

Anyway, it's possible that this was intended due to an AUP issue but it's
unlikely that they'd intentionally propagate the /24 in that case.  At
least when I was there, AboveNet had a separate system for injecting routes
into BGP (for TE, abuse, etc) that automatically set no-export on those
routes.  In addition to making the process a lot less error-prone it helped
contain any mistakes due to the automatic no-export.  The only time you
added a static route was when you WANTED to announce it.

Beyond that, I have no idea why 6461 would have originated this route.  My
guess would be that someone who didn't understand the implications of their
action added it as a static route for whatever reason, but that's nothing
more than a guess.  Seems like I've heard Randy voice an opinion on the
local/global thing once before. :-)


--Jeff
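
Added example, not part of the original message and not AboveNet's tooling: a sketch that reads route-views style output, maps the AS6461 communities to the roles recalled above (5999 internal, 5998 customer, 5997 peer), and lists internally originated routes that sit inside a prefix another AS originates. The sample table is constructed and its layout simplified; its prefixes and AS64496/64500/64501 are documentation values, and the function names are hypothetical.

```python
import ipaddress
import re

# Outbound community meanings as recalled in the message (the author says "IIRC").
ROLE = {"6461:5999": "internal", "6461:5998": "customer", "6461:5997": "peer"}

# Constructed sample in a simplified "show ip bgp" layout. Prefixes are
# documentation ranges; AS64496, AS64500 and AS64501 are documentation ASNs.
SAMPLE = """\
BGP routing table entry for 203.0.113.0/24
  64496 64500
    192.0.2.1 from 192.0.2.1 (192.0.2.1)
      Origin IGP, localpref 100, valid, external
BGP routing table entry for 203.0.113.0/25
  6461
    64.125.0.137 from 64.125.0.137 (64.125.0.137)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 6461:5999
BGP routing table entry for 198.51.100.0/24
  6461 64501
    64.125.0.137 from 64.125.0.137 (64.125.0.137)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 6461:5998
"""

def parse(text):
    """Return one dict per entry: prefix, origin AS and AS6461 role (or None)."""
    routes = []
    for block in re.split(r"^BGP routing table entry for ", text, flags=re.M)[1:]:
        lines = block.splitlines()
        comm = re.search(r"Community: (.+)", block)
        comms = comm.group(1).split() if comm else []
        routes.append({
            "prefix": ipaddress.ip_network(lines[0].strip()),
            "origin": int(lines[1].split()[-1]),  # last ASN on the path line
            "role": next((ROLE[c] for c in comms if c in ROLE), None),
        })
    return routes

def suspicious_internal(routes, asn=6461):
    """More-specifics that `asn` originates internally inside another AS's prefix."""
    return [
        (str(r["prefix"]), str(o["prefix"]), o["origin"])
        for r in routes if r["origin"] == asn and r["role"] == "internal"
        for o in routes
        if o["origin"] != asn and r["prefix"] != o["prefix"]
        and r["prefix"].subnet_of(o["prefix"])
    ]
```

A hit only says the route deserves a human look: the community shows how the prefix entered BGP, not why.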



