Prefix hijack by INDOSAT AS4795 / AS4761
rocca at start.ca
Thu Mar 26 16:00:13 UTC 2015
The summary below aligns with our analysis as well.
We've reached out to AS18978 to determine the status of the leak but at this time we're not seeing any operational impact.
From: Andree Toonk [mailto:andree+nanog at toonk.nl]
Sent: March-26-15 11:54 AM
To: Peter Rocca
Cc: nanog at nanog.org
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
This morning our BGPmon system picked up many new more-specific announcements by a variety of origin ASNs; the interesting part is that the majority of them were classified as BGP man-in-the-middle (MITM) attacks.
A typical alert would look like:
Possible BGP MITM attack (Code: 21)
Your prefix: 220.127.116.11/15:
Prefix Description: acxiom-online.com --- Amazon EC2 IAD prefix
Update time: 2015-03-26 11:27 (UTC)
Detected by #peers: 24
Detected prefix: 18.104.22.168/20
Announced by: AS14618 (AMAZON-AES - Amazon.com, Inc.,US)
Upstream AS: AS3257 (TINET-BACKBONE Tinet SpA,DE)
ASpath: 4608 24130 7545 6939 40633 18978 3257 14618
All alerts have the following part of the AS path in common:
We're still looking into the details of this particular case, but based on past experience it's likely that it is not in fact 14618 (AWS) that originated this more specific (in this example), but most likely 18978 (or 40633), which leaked it to AS40633, the Los Angeles Internet Exchange, where others picked it up and propagated it to their customers.
In the past we've seen similar issues caused by BGP traffic optimizers.
These devices introduce new more specifics (trying to keep the AS path intact) for traffic engineering purposes, and then folks leak those. A good write-up of a previous example can be found here:
A quick scan shows that this affected over 5000 prefixes and about 145 autonomous systems. All of these appear to be more-specific prefixes (which is the scary part).
PS. It appears this is not related to INDOSAT, they just happen to be one of the peers that picked this up.
.-- My secret spy satellite informs me that at 2015-03-26 7:43 AM Peter Rocca wrote:
> We just received a similar alert from bgpmon - part of 22.214.171.124/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
> 126.96.36.199/20 4795 4795 4761 9304 40633 18978 6939 40788
> 188.8.131.52/20 4795 4795 4761 9304 40633 18978 6939 40788
> 184.108.40.206/20 4795 4795 4761 9304 40633 18978 6939 40788
> 220.127.116.11/20 4795 4795 4761 9304 40633 18978 6939 40788
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Randy
> Sent: March-26-15 10:08 AM
> To: nanog at nanog.org
> Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> more specifics on one of our prefixes. Anyone else seeing similar or
> is it just us?
> 18.104.22.168/23 4795 4795 4761 9304 40633 18978 4436 29889
> 22.214.171.124/23 4795 4795 4761 9304 40633 18978 4436 29889
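The pattern the thread describes (a more specific of your own prefix, still carrying your origin AS, with the same AS adjacency showing up in every alert) can be checked locally against a feed of updates. The following is an added example, not BGPmon's code or anything posted by the list members; the monitored prefix, origin AS, upstream set and the sample updates are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: the prefix we originate, our origin AS and the upstreams
# that should sit next to us in a path (values made up, not the list's).
MONITORED = {
    "10.128.0.0/17": {"origin": 40788, "upstreams": {6939, 174}},
}

# Constructed sample updates in the "prefix AS-path" form quoted on the list.
SAMPLE_UPDATES = """\
10.128.0.0/20 4795 4795 4761 9304 40633 18978 6939 40788
10.128.16.0/20 3356 2914 40633 18978 6939 40788
10.128.0.0/17 174 174 40788
10.128.64.0/22 4608 24130 7545 6939 40633 18978 64496
"""

def parse_update(line):
    prefix, *path = line.split()
    return ipaddress.ip_network(prefix), [int(asn) for asn in path]

def dedupe(path):
    """Collapse prepends (4795 4795 -> 4795) so neighbours are real adjacencies."""
    return [asn for i, asn in enumerate(path) if i == 0 or asn != path[i - 1]]

def classify(prefix, path):
    """Label one update against MONITORED; None if the prefix is not ours."""
    for covering, info in MONITORED.items():
        net = ipaddress.ip_network(covering)
        if prefix.version != net.version or not prefix.subnet_of(net):
            continue
        uniq = dedupe(path)
        origin, upstream = uniq[-1], (uniq[-2] if len(uniq) > 1 else None)
        if origin != info["origin"]:
            return "origin-hijack"        # someone else claims to originate it
        if prefix.prefixlen > net.prefixlen:
            return "more-specific-mitm"   # our origin kept, but we never announce this
        if upstream not in info["upstreams"]:
            return "unexpected-upstream"  # right prefix and origin, wrong neighbour
        return "ok"
    return None

def analyse(text):
    """Return ({prefix: label} for alerts, AS adjacency shared by most alerts)."""
    alerts, pairs = {}, Counter()
    for line in text.splitlines():
        prefix, path = parse_update(line)
        label = classify(prefix, path)
        if label in (None, "ok"):
            continue
        alerts[str(prefix)] = label
        uniq = dedupe(path)
        pairs.update(set(zip(uniq, uniq[1:])))  # count each adjacency once per alert
    return alerts, (pairs.most_common(1)[0] if pairs else None)
```

The adjacency returned by `analyse` is the one to look at first when many alerts share a path segment, as the thread does with 40633 and 18978.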