Dreamhost/AS26347 unauthorized bgp announcement

Kenneth McRae kenneth.mcrae at dreamhost.com
Wed Mar 6 17:19:46 UTC 2013


Hi Guys,

Sorry to see this come up again.  We are not announcing the prefix in
question.  I am happy to work with you to investigate.

dh_admin at gar-bdr-01> show route advertising-protocol bgp 206.223.143.122

inet.0: 447113 destinations, 1801741 routes (447105 active, 8 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 64.111.96.0/19          Self                                    I
* 66.33.192.0/19          Self                                    I
* 66.33.197.0/24          Self                 6                  I
* 67.205.0.0/18           Self                                    I
* 69.163.128.0/17         Self                                    I
* 75.119.192.0/19         Self                                    I
* 173.236.128.0/17        Self                                    I
* 205.196.208.0/20        Self                                    I
* 208.97.128.0/18         Self                                    I
* 208.113.128.0/17        Self                                    I
* 208.113.200.0/24        Self                 6                  I

Best,


Kenneth

{master}
dh_admin at gar-bdr-01>

On Wed, Mar 6, 2013 at 8:11 AM, Job Snijders <job.snijders at atrato.com> wrote:

> Hi all,
>
> I tried contacting Coresite/Any2 to have somebody login to the routeserver
> and doublecheck
> which peer is actually announcing this NLRI. Because there is a remote
> possibility that the
> route-server is being manipulated by a third party and dreamhost is a
> victim here.
>
> After the usual hurdles like "What is your circuit ID?" "Without a
> workorder I cannot login to
> the routeserver!" and "5580? that can't be an AS number" I unfortunately
> got nowhere so I
> still don't know who exactly announced these prefixes to the route-server.
>
> As of now the announcements for the more specifics seem to be gone.
>
> Can anybody (preferably from Any2 or Dreamhost) shed more light on this
> matter?
>
> Kind regards,
>
> Job
>
> On Mar 6, 2013, at 2:43 PM, Drew Weaver <drew.weaver at thenap.com> wrote:
>
> > They're doing this to our routes in any2 in LA as well.
> >
> > ...
> >
> >
> >
> > -----Original Message-----
> > From: Job Snijders [mailto:job.snijders at atrato.com]
> > Sent: Wednesday, March 06, 2013 4:04 AM
> > To: Matsuzaki Yoshinobu
> > Cc: nanog at nanog.org
> > Subject: Re: Dreamhost/AS26347 unauthorized bgp announcement
> >
> > Hi Mat,
> >
> > I see the same thing, we learn the prefix from the route-server in LAX:
> >
> > telnet at r1.lax1.us>show ip bgp routes detail 90.201.80.0/20
> > Number of BGP Routes matching display condition : 1
> > Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
> >       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH
> >       S:SUPPRESSED F:FILTERED s:STALE
> > 1       Prefix: 90.201.80.0/20,  Status: BE,  Age: 0h22m15s
> >         NEXT_HOP: 206.223.143.83, Metric: 0, Learned from Peer: 206.223.143.253 (19996)
> >          LOCAL_PREF: 400,  MED: none,  ORIGIN: incomplete,  Weight: 0
> >         AS_PATH: 26347
> >            COMMUNITIES: 5580:12431
> >            Adj_RIB_out count: 18,  Admin distance 20
> >       Last update to IP routing table: 0h22m15s, 1 path(s) installed:
> >
> > Kind regards,
> >
> > Job
> >
> > On Mar 6, 2013, at 9:59 AM, Matsuzaki Yoshinobu <maz at iij.ad.jp> wrote:
> >
> >> According to RIPE RIS, AS26347 announced a bunch of prefixes again.
> >> - http://www.ris.ripe.net/dashboard/26347
> >>
> >> First suspicious announcement was started 2013-03-06 07:52:40 UTC, and
> >> last seen 2013-03-06 08:33:56 UTC.  195 prefixes total.
> >>
> >> It seems these unauthorized announcements have the same profile as
> >> before - AS26347 shrinks the prefix length of their received prefix
> >> somehow up to /20, and re-originates the prefix with origin AS26347.
> >>
> >> Any known bugs?
> >>
> >> Regards,
> >> -----
> >> Matsuzaki Yoshinobu <maz at iij.ad.jp>
> >> - IIJ/AS2497  INOC-DBA: 2497*629
> >>
> >
> > --
> > AS5580 - Atrato IP Networks
> >
> >
> >
>
> --
> AS5580 - Atrato IP Networks
>
>
>
>
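
The pattern reported in this thread (a more-specific of someone else's prefix appearing with origin AS26347) can be checked mechanically against a table of expected origins. The following is an added example, not part of the original messages: the function names are hypothetical, the AS26347 entries are the prefixes from the `show route` output above, and the covering route 90.201.0.0/16 with origin AS64500 is constructed because the thread does not give the real aggregate or holder.

```python
import ipaddress

# Origin AS from the thread subject; prefixes copied from the
# "show route advertising-protocol bgp" output in the message above.
DREAMHOST_AS = 26347
ADVERTISED = ["64.111.96.0/19", "66.33.192.0/19", "66.33.197.0/24",
              "67.205.0.0/18", "69.163.128.0/17", "75.119.192.0/19",
              "173.236.128.0/17", "205.196.208.0/20", "208.97.128.0/18",
              "208.113.128.0/17", "208.113.200.0/24"]

# CONSTRUCTED: a covering route for the reported /20. The real aggregate and
# holder are not given in the thread; AS64500 is a documentation ASN.
BASELINE = [(ipaddress.ip_network(p), DREAMHOST_AS) for p in ADVERTISED]
BASELINE.append((ipaddress.ip_network("90.201.0.0/16"), 64500))


def classify(prefix, origin, baseline=BASELINE):
    """Compare one observed (prefix, origin AS) against the expected table."""
    net = ipaddress.ip_network(prefix)
    covers = [(b, asn) for b, asn in baseline
              if b.version == net.version and net.subnet_of(b)]
    if not covers:
        return "no-baseline"
    # The most specific expected route decides who should originate this space.
    cover_net, cover_origin = max(covers, key=lambda c: c[0].prefixlen)
    if origin == cover_origin:
        return "expected"
    if net.prefixlen > cover_net.prefixlen:
        return "more-specific-reoriginated"
    return "origin-mismatch"


def flag(observations, baseline=BASELINE):
    """Return the observations that need a human to look at them."""
    return [(p, o, c) for p, o in observations
            if (c := classify(p, o, baseline)) != "expected"]


# First entry is the route quoted in the thread; the rest are constructed.
OBSERVED = [("90.201.80.0/20", 26347), ("66.33.197.0/24", 26347),
            ("90.201.0.0/16", 64500), ("198.51.100.0/24", 26347)]

if __name__ == "__main__":
    for prefix, origin, verdict in flag(OBSERVED):
        print(f"{prefix} origin AS{origin}: {verdict}")
```

In practice the baseline would come from IRR route objects or RPKI ROAs rather than a hand-written list, and the observations from a route collector or a route-server looking glass.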


