Prefix hijack by INDOSAT AS4795 / AS4761

Andree Toonk andree+nanog at toonk.nl
Thu Mar 26 15:53:37 UTC 2015


Hi List,

This morning our BGPmon system picked up many new more-specific
announcements by a variety of origin ASNs. The interesting part is that
the majority of them were classified as BGP Man-In-The-Middle attacks
(MITM).

A typical alert would look like:

====================================================================
Possible BGP MITM attack (Code: 21)
====================================================================
Your prefix:          23.20.0.0/15:
Prefix Description:   acxiom-online.com --- Amazon EC2 IAD prefix
Update time:          2015-03-26 11:27 (UTC)
Detected by #peers:   24
Detected prefix:      23.21.112.0/20
Announced by:         AS14618 (AMAZON-AES - Amazon.com, Inc.,US)
Upstream AS:          AS3257 (TINET-BACKBONE Tinet SpA,DE)
ASpath:               4608 24130 7545 6939 40633 18978 3257 14618

All alerts have the following part of the AS path in common:
40633 18978

We're still looking into the details of this particular case, but
based on past experience it's likely that it is not in fact 14618 (AWS)
that originated this more specific (in this example), but most likely
18978 (or 40633), which leaked it to AS40633 Los Angeles Internet
Exchange, where others picked it up and propagated it to their customers.

In the past we've seen similar issues caused by BGP traffic optimizers.
These devices introduce new more specifics (trying to keep the AS path
intact) for traffic engineering purposes, and then folks leak those. A
good write-up of a previous example can be found here:
http://www.bgpmon.net/accidentally-stealing-the-internet/

A quick scan shows that this affected over 5000 prefixes and about 145
autonomous systems. All of these appear to be more-specific prefixes
(which is the scary part).

Cheers,
 Andree

PS. It appears this is not related to INDOSAT, they just happen to be
one of the peers that picked this up.


My secret spy satellite informs me that at 2015-03-26 7:43 AM Peter
Rocca wrote:
> We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
> 
> 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> 
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Randy
> Sent: March-26-15 10:08 AM
> To: nanog at nanog.org
> Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> 
> On Thursday March 26th 2015 at 12:18 UTC (and ongoing) we are seeing
> more specifics on one of our prefixes. Anyone else seeing similar or
> is it just us?
> 
> 198.98.180.0/23	4795 4795 4761 9304 40633 18978 4436 29889
> 198.98.182.0/23	4795 4795 4761 9304 40633 18978 4436 29889
> 
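The check the thread describes, as an added example (not BGPmon's code nor anything posted by the participants): flag observed routes that are more specific than a prefix you originate, note whether the origin ASN was preserved (the "possible MITM" pattern) or replaced (an origin hijack), and find the adjacent ASN pair common to all flagged paths, which points at the leak. The sample routes are the ones quoted above; the 198.98.180.0/22 covering prefix and the 192.0.2.0/24 control route are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample, using the announcements quoted in the thread plus one
# unrelated route. Each entry is (prefix, AS path as seen by a peer).
OBSERVED = [
    ("23.21.112.0/20", "4608 24130 7545 6939 40633 18978 3257 14618"),
    ("108.168.64.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("108.168.80.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("198.98.180.0/23", "4795 4795 4761 9304 40633 18978 4436 29889"),
    ("192.0.2.0/24", "64500 64501 64502"),  # constructed: not ours, ignored
]

# Prefixes we legitimately originate, with the expected origin ASN. The /15 and
# /17 are from the thread; the /22 covering Randy's /23s is an assumption.
OWN = {"23.20.0.0/15": 14618, "108.168.0.0/17": 40788, "198.98.180.0/22": 29889}

def strip_prepends(path):
    """Collapse AS prepending (4795 4795 -> 4795) so repeats don't skew counts."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def find_more_specifics(own, observed):
    """Flag observed routes that are more specific than a prefix we originate.
    'mitm': origin still ours (path preserved, traffic pulled via the leaker);
    'origin-hijack': someone else is the origin."""
    hits = []
    for prefix, raw_path in observed:
        net = ipaddress.ip_network(prefix)
        path = strip_prepends([int(a) for a in raw_path.split()])
        for own_prefix, expected_origin in own.items():
            own_net = ipaddress.ip_network(own_prefix)
            if net.subnet_of(own_net) and net.prefixlen > own_net.prefixlen:
                kind = "mitm" if path[-1] == expected_origin else "origin-hijack"
                hits.append({"prefix": prefix, "covering": own_prefix,
                             "path": path, "kind": kind})
    return hits

def common_segment(hits, length=2):
    """Most frequent adjacent ASN tuple across flagged paths: the likely leak point."""
    counts = Counter()
    for h in hits:
        p = h["path"]
        for i in range(len(p) - length + 1):
            counts[tuple(p[i:i + length])] += 1
    return counts.most_common(1)[0] if counts else None
```

On the sample above every hit keeps the legitimate origin, and the shared segment comes out as (40633, 18978), matching what the alerts had in common.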