Indonesian ISP Moratel announces Google's prefixes

Wed Nov 7 05:54:45 UTC 2012

It looks like nLayer have routes learned through Moratel which have 
local-pref set to anywhere up to 250 (learned from private peers), while 
the routes learned from direct peering relationships to Google on public 
peering have a local-pref of 200. This explains why the routes from 
Moratel would have been preferred during the period when they were being 
leaked, despite the shorter as-path (but doesn't explain why they 
weren't being filtered).

On 07.11.2012 16:33, Hank Nussbacher wrote:
> At 21:21 06/11/2012 -0800, Jian Gu wrote:
>
> If Google announces 8.8.8.0/24 to you and you in turn start
> announcing to the Internet 8.8.8.0/24 as originating from you, then a
> certain section of the Internet will believe your announcement over
> Google's.    This has happened many times before due to improper
> filters, but this is the first time I have seen the victim being
> blamed.  Interesting concept.
>
> -Hank
>
>>I don't know what Google and Moratel's peering agreement, but "leak"?
>>educate me, Google is announcing /24 for all of their 4 NS prefix and
>>8.8.8.0/24 for their public DNS server, how did Moratel leak those 
>> routes
>>to Internet?
>>
>>On Tue, Nov 6, 2012 at 9:13 PM, Patrick W. Gilmore 
>> <patrick at ianai.net>wrote:
>>
>> > On Nov 07, 2012, at 00:07 , Jian Gu <guxiaojian at gmail.com> wrote:
>> >
>> > > Where did you get the idea that a Moratel customer announced a
>> > google-owned
>> > > prefix to Moratel and Moratel did not have the proper filters in 
>> place?
>> > > according to the blog, all google's 4 authoritative DNS server 
>> networks
>> > and
>> > > 8.8.8.0/24 were wrongly routed to Moratel, what's the possiblity 
>> for a
>> > > Moratel customers announce all those prefixes?
>> >
>> > Ah, right, they just leaked Google's prefix.  I thought a customer
>> > originated the prefix.
>> >
>> > Original question still stands.  Which attribute do you expect 
>> Google to
>> > set to stop this?
>> >
>> > Hint: Don't say No-Advertise, unless you want peers to only talk 
>> to the
>> > adjacent AS, not their customers or their customers' customers, 
>> etc.
>> >
>> > Looking forward to your answer.
>> >
>> > --
>> > TTFN,
>> > patrick
>> >
>> >
>> > > On Tue, Nov 6, 2012 at 9:02 PM, Patrick W. Gilmore 
>> <patrick at ianai.net
>> > >wrote:
>> > >
>> > >> On Nov 06, 2012, at 23:48 , Jian Gu <guxiaojian at gmail.com> 
>> wrote:
>> > >>
>> > >>> What do you mean hijack? Google is peering with Moratel, if 
>> Google does
>> > >> not
>> > >>> want Moratel to advertise its routes to Moratel's 
>> peers/upstreams, then
>> > >>> Google should've set the correct BGP attributes in the first 
>> place.
>> > >>
>> > >> That doesn't make the slightest bit of sense.
>> > >>
>> > >> If a Moratel customer announced a Google-owned prefix to 
>> Moratel, and
>> > >> Moratel did not have the proper filters in place, there is 
>> nothing
>> > Google
>> > >> could do to stop the hijack from happening.
>> > >>
>> > >> Exactly what attribute do you think would stop this?
>> > >>
>> > >> --
>> > >> TTFN,
>> > >> patrick
>> > >>
>> > >>
>> > >>> On Tue, Nov 6, 2012 at 3:35 AM, Anurag Bhatia 
>> <me at anuragbhatia.com>
>> > >> wrote:
>> > >>>
>> > >>>> Another case of route hijack -
>> > >>>>
>> > >>
>> > 
>> http://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> I am curious if big networks have any pre-defined filters for 
>> big
>> > >> content
>> > >>>> providers like Google to avoid these? I am sure internet 
>> community
>> > >> would be
>> > >>>> working in direction to somehow prevent these issues. Curious 
>> to know
>> > >>>> developments so far.
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>>
>> > >>>> Thanks.
>> > >>>>
>> > >>>>
>> > >>>> --
>> > >>>>
>> > >>>> Anurag Bhatia
>> > >>>> anuragbhatia.com
>> > >>>>
>> > >>>> Linkedin <http://in.linkedin.com/in/anuragbhatia21> |
>> > >>>> Twitter<https://twitter.com/anurag_bhatia>|
>> > >>>> Google+ <https://plus.google.com/118280168625121532854>
>> > >>>>
>> > >>>
>> > >>
>> > >>
>> > >>
>> >
>> >
>> >