Dreamhost/AS26347 unauthorized bgp announcement

Job Snijders job.snijders at atrato.com
Wed Mar 6 16:11:32 UTC 2013


Hi all,

I tried contacting Coresite/Any2 to have somebody log in to the route-server and double-check
which peer is actually announcing this NLRI, because there is a remote possibility that the
route-server is being manipulated by a third party and Dreamhost is a victim here.

After the usual hurdles like "What is your circuit ID?", "Without a work order I cannot log in to
the route-server!" and "5580? That can't be an AS number", I unfortunately got nowhere, so I
still don't know who exactly announced these prefixes to the route-server.

As of now the announcements for the more specifics seem to be gone. 

Can anybody (preferably from Any2 or Dreamhost) shed more light on this matter? 

Kind regards,

Job

On Mar 6, 2013, at 2:43 PM, Drew Weaver <drew.weaver at thenap.com> wrote:

> They're doing this to our routes in any2 in LA as well.
> 
> ...
> 
> 
> 
> -----Original Message-----
> From: Job Snijders [mailto:job.snijders at atrato.com] 
> Sent: Wednesday, March 06, 2013 4:04 AM
> To: Matsuzaki Yoshinobu
> Cc: nanog at nanog.org
> Subject: Re: Dreamhost/AS26347 unauthorized bgp announcement
> 
> Hi Mat,
> 
> I see the same thing, we learn the prefix from the route-server in LAX: 
> 
> telnet at r1.lax1.us>show ip bgp routes detail 90.201.80.0/20
> Number of BGP Routes matching display condition : 1
> Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
>       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH
>       S:SUPPRESSED F:FILTERED s:STALE
> 1       Prefix: 90.201.80.0/20,  Status: BE,  Age: 0h22m15s
>         NEXT_HOP: 206.223.143.83, Metric: 0, Learned from Peer: 206.223.143.253 (19996)
>          LOCAL_PREF: 400,  MED: none,  ORIGIN: incomplete,  Weight: 0
>         AS_PATH: 26347
>            COMMUNITIES: 5580:12431
>            Adj_RIB_out count: 18,  Admin distance 20
>       Last update to IP routing table: 0h22m15s, 1 path(s) installed:
> 
> Kind regards,
> 
> Job
> 
> On Mar 6, 2013, at 9:59 AM, Matsuzaki Yoshinobu <maz at iij.ad.jp> wrote:
> 
>> According to RIPE RIS, AS26347 announced a bunch of prefixes again.
>> - http://www.ris.ripe.net/dashboard/26347
>> 
>> First suspicious announcement was started 2013-03-06 07:52:40 UTC, and 
>> last seen 2013-03-06 08:33:56 UTC.  195 prefixes total.
>> 
>> It seems these unauthorized announcements have the same profile as 
>> before - AS26347 shrinks the prefix length of their received prefix 
>> somehow up to /20, and re-originates the prefix with origin AS26347.
>> 
>> Any known bugs?
>> 
>> Regards,
>> -----
>> Matsuzaki Yoshinobu <maz at iij.ad.jp>
>> - IIJ/AS2497  INOC-DBA: 2497*629
>> 
> 
> --
> AS5580 - Atrato IP Networks
> 
> 
> 

-- 
AS5580 - Atrato IP Networks
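
An added example, not part of the original thread: a small origin check over the route detail quoted above, flagging a prefix that falls inside a known covering prefix but arrives with a different origin AS. The baseline entry (covering prefix 90.200.0.0/13, origin AS64500, a documentation ASN) is constructed for illustration and is not data from the thread; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed baseline of expected origins (covering prefix -> origin AS).
# The covering prefix and AS64500 (documentation ASN) are assumptions,
# not data from the thread.
EXPECTED_ORIGINS = {"90.200.0.0/13": 64500}

# Route detail as quoted in the thread, trimmed to the fields used here.
SAMPLE_OUTPUT = """\
1       Prefix: 90.201.80.0/20,  Status: BE,  Age: 0h22m15s
        NEXT_HOP: 206.223.143.83, Metric: 0, Learned from Peer: 206.223.143.253 (19996)
        AS_PATH: 26347
"""

def parse_routes(text):
    """Yield (prefix, as_path) from 'Prefix:' / 'AS_PATH:' line pairs."""
    prefix = None
    for line in text.splitlines():
        m = re.search(r"Prefix:\s*([0-9.]+/\d+)", line)
        if m:
            prefix = ipaddress.ip_network(m.group(1))
            continue
        m = re.search(r"AS_PATH:\s*([\d ]+)", line)
        if m and prefix is not None:
            yield prefix, [int(a) for a in m.group(1).split()]
            prefix = None

def check_origin(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return a finding string if the origin AS disagrees with the baseline."""
    if not as_path:          # empty path: locally originated, nothing to compare
        return None
    origin = as_path[-1]     # rightmost AS in the path is the origin
    for covering, want in expected.items():
        net = ipaddress.ip_network(covering)
        if prefix.subnet_of(net) and origin != want:
            kind = "more-specific" if prefix.prefixlen > net.prefixlen else "exact"
            return f"{kind} {prefix} of {net}: origin AS{origin}, expected AS{want}"
    return None

def findings(text):
    """Run the origin check over every route parsed from the router output."""
    return [f for p, path in parse_routes(text) if (f := check_origin(p, path))]

if __name__ == "__main__":
    for f in findings(SAMPLE_OUTPUT):
        print("ALERT:", f)
```
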





