Level 3 Outage

Debottym Mukherjee debottym.misc at gmail.com
Fri Mar 27 15:14:27 UTC 2015


Did anyone else experience a Level 3 outage in the last couple of days?
Seems like we've been affected with quite a few VPNV4 outages (one that
lasted for up to 9 hrs) and didn't get resolved until they rebuilt their
vpnv4 address family on their PE router(s)?

On Thu, Mar 26, 2015 at 8:00 AM, <nanog-request at nanog.org> wrote:

>
> Today's Topics:
>
>    1. godaddy contact (Tim)
>    2. Frontier: Blocking port 22 because of illegal files?
>       (Aaron C. de Bruyn)
>    3. Re: Frontier: Blocking port 22 because of illegal files?
>       (Eygene Ryabinkin)
>    4. Re: Frontier: Blocking port 22 because of illegal files?
>       (Jon Lewis)
>    5. Re: Frontier: Blocking port 22 because of illegal files?
>       (Stephen Satchell)
>    6. Re: Frontier: Blocking port 22 because of illegal files?
>       (Seth Mos)
>    7. booster to gain distance above 60km (Rodrigo Augusto)
>    8. Re: Frontier: Blocking port 22 because of illegal files?
>       (Jens Link)
>    9. Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
>   10. Re: Frontier: Blocking port 22 because of illegal files?
>       (Livingood, Jason)
>   11. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
>   12. Re: Frontier: Blocking port 22 because of illegal files?
>       (Jeff Richmond)
>   13. Re: Frontier: Blocking port 22 because of illegal files?
>       (Daniel Corbe)
>   14. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
>   15. RE: Prefix hijack by INDOSAT AS4795 / AS4761 (Peter Rocca)
>   16. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
>   17. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
>   18. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
>   19. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Pierre Emeriaud)
>   20. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Paul S.)
>   21. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Chuck Anderson)
>   22. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christian Teuschel)
>   23. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Andree Toonk)
>   24. RE: Prefix hijack by INDOSAT AS4795 / AS4761 (Peter Rocca)
>   25. Charter Engineer (Shawn L)
>   26. RE: More specifics from AS18978 [was: Prefix hijack by
>       INDOSAT AS4795 / AS4761] (Randy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 25 Mar 2015 16:41:50 -0600
> From: Tim <timphp at progressivemarketingnetwork.com>
> To: nanog at nanog.org
> Subject: godaddy contact
> Message-ID: <551339AE.8010203 at progressivemarketingnetwork.com>
> Content-Type: text/plain; charset=utf-8
>
> Anyone from godaddy on here or have contact details for them? We are
> having a routing issue to them.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 25 Mar 2015 19:31:35 -0700
> From: "Aaron C. de Bruyn" <aaron at heyaaron.com>
> To: NANOG mailing list <nanog at nanog.org>
> Subject: Frontier: Blocking port 22 because of illegal files?
> Message-ID:
>         <CAEE+rGqimJYAfgmzm9AJ72+gcmJxfZLM7n4Rf03vynxKN=
> Qfeg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> I've had a handful of clients contact me over the last week with
> trouble using SCP (usually WinSCP) to manage their website content on
> my servers.  Either they get timeout messages from WinSCP or a message
> saying they should switch to SFTP.
>
> After getting a few helpful users on the phone to run some quick
> tests, we found port 22 was blocked.
>
> When my customers contacted Frontier, they were told that port 22 was
> blocked because it is used to transfer illegal files.
>
> I called them, and got the same ridiculous excuse.
>
> Just a friendly heads-up to anyone from Frontier who might be
> listening, I have a few additional ports you may wish to block:
>
> 80 - Allows users to use Google to search for illegal files
> 443 - Allows users to use Google to search for illegal files in a secure
> manner
> 69 - Allows users to trivially transfer illegal files
> 3389 - Allows users to connect to unlicensed Windows machines
> 179 - Allows users to exchange routes to illegal file shares
> 53 - Allows people to look up illegal names
>
> -A
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 26 Mar 2015 07:21:45 +0300
> From: Eygene Ryabinkin <rea+nanog at grid.kiae.ru>
> To: "Aaron C. de Bruyn" <aaron at heyaaron.com>
> Cc: NANOG mailing list <nanog at nanog.org>
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <nwCOvNPJTWOEp6pB7jt97dzYZ/0 at xD7c2HZfPDzIruDUr3Qm9QhN1kk>
> Content-Type: text/plain; charset=us-ascii
>
> Wed, Mar 25, 2015 at 07:31:35PM -0700, Aaron C. de Bruyn wrote:
> > Just a friendly heads-up to anyone from Frontier who might be
> > listening, I have a few additional ports you may wish to block:
> >
> > 80 - Allows users to use Google to search for illegal files
> > 443 - Allows users to use Google to search for illegal files in a secure manner
> > 69 - Allows users to trivially transfer illegal files
> > 3389 - Allows users to connect to unlicensed Windows machines
> > 179 - Allows users to exchange routes to illegal file shares
> > 53 - Allows people to look up illegal names
>
> Can't help to add that there are
>
>  - port 21 that allow users to give commands to examine
>    the existence and initiate transfers of illegal files;
>
>  - ports 1025 - 65535 that allow users to create data streams
>    to actually transfer illegal files in an (oh my) passive mode.
>
> ;)
> --
> Eygene Ryabinkin, National Research Centre "Kurchatov Institute"
>
> Always code as if the guy who ends up maintaining your code will be
> a violent psychopath who knows where you live.
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 26 Mar 2015 00:56:21 -0400 (EDT)
> From: Jon Lewis <jlewis at lewis.org>
> To: "Aaron C. de Bruyn" <aaron at heyaaron.com>
> Cc: NANOG mailing list <nanog at nanog.org>
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <Pine.LNX.4.61.1503260052100.10544 at soloth.lewis.org>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> On Wed, 25 Mar 2015, Aaron C. de Bruyn wrote:
>
> > I've had a handful of clients contact me over the last week with
> > trouble using SCP (usually WinSCP) to manage their website content on
> > my servers.  Either they get timeout messages from WinSCP or a message
> > saying they should switch to SFTP.
> >
> > After getting a few helpful users on the phone to run some quick
> > tests, we found port 22 was blocked.
> >
> > When my customers contacted Frontier, they were told that port 22 was
> > blocked because it is used to transfer illegal files.
> >
> > I called them, and got the same ridiculous excuse.
> >
> > Just a friendly heads-up to anyone from Frontier who might be
> > listening, I have a few additional ports you may wish to block:
>
> I wonder if their support is just confused, and Frontier is really
> blocking outbound tcp/22 to stop complaints generated by infected
> customers with sshd scanners.  After all, most of their customers probably
> don't know what SSH is.
>
> ----------------------------------------------------------------------
>   Jon Lewis, MCP :)           |  I route
>                               |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 26 Mar 2015 04:24:38 -0700
> From: Stephen Satchell <list at satchell.net>
> To: nanog at nanog.org
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <5513EC76.5060306 at satchell.net>
> Content-Type: text/plain; charset=UTF-8
>
> On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
> > After getting a few helpful users on the phone to run some quick
> > tests, we found port 22 was blocked.
>
> It's been a while since I did this, but you can select an additional
> port to accept SSH connections.  A Google search indicates you can
> specify multiple ports in OpenSSH.  Picking the right port to use is an
> exercise, though, that will depend on what other services you are
> running on your server.
>
> People with sane ISPs can use the standard port.  People on Frontier can
> use the alternate port, which shouldn't be firewalled by the provider.
> If Frontier is running a mostly-closed firewall configuration, then you
> have to be damn careful about the port you select.
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 26 Mar 2015 12:56:31 +0100
> From: Seth Mos <seth.mos at dds.nl>
> To: nanog at nanog.org
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <5513F3EF.2080805 at dds.nl>
> Content-Type: text/plain; charset=utf-8
>
> Stephen Satchell wrote on 26-3-2015 at 12:24:
> > On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
> >> After getting a few helpful users on the phone to run some quick
> >> tests, we found port 22 was blocked.
> >
> > It's been a while since I did this, but you can select an additional
> > port to accept SSH connections.  A Google search indicates you can
> > specify multiple ports in OpenSSH.  Picking the right port to use is an
> > exercise, though, that will depend on what other services you are
> > running on your server.
> >
> > People with sane ISPs can use the standard port.  People on Frontier can
> > use the alternate port, which shouldn't be firewalled by the provider.
> > If Frontier is running a mostly-closed firewall configuration, then you
> > have to be damn careful about the port you select.
>
> Ahem, just to clarify, he is not talking about inbound on the Frontier
> connection, but outbound *from* the Frontier network.
>
> Akin to the "Let's block outbound port 25 (smtp)".
>
> This is just a really really bad idea m'kay.
>
> Cheers
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 26 Mar 2015 09:07:39 -0300
> From: Rodrigo Augusto <rodrigo at 1telecom.com.br>
> To: nanog <nanog at nanog.org>
> Subject: booster to gain distance above 60km
> Message-ID: <D1397CDB.35C0B%rodrigo at 1telecom.com.br>
> Content-Type: text/plain;       charset="ISO-8859-1"
>
> Hi folks... we have a point and have a 63km between point A to point B.... We
> have a single fiber ( only one fiber) and use a fiberstore sfp+ 10GB dibi
> 1270/1330 module to connect these sites. All attenuation are ok...I don't
> have any trouble on fiber ....
> I have received this signal on my sfp+:
>
> Receiver signal average optical power     :  0.0026 mW / -25.85 dBm
>
>
> Does anyone know if have some possible to amplifier this scenario to get
> more 7db ? Is it possible to put any booster or any way to solve this?
> I think to use a optical PreAmplifier...but I don't know if is possible
> because my scenario have just one fiber...or, use a ROPA- remote optical
> pumping amplifier) because I have 63km...
> Does anyone have some idea?
>
> Rodrigo Augusto
> Gestor de T.I. Grupo Connectoway
> http://www.connectoway.com.br <http://www.connectoway.com.br/>
> http://www.1telecom.com.br <http://www.1telecom.com.br/>
> * rodrigo at connectoway.com.br <mailto:rodrigo at connectoway.com.br>
> ( (81) 3497-6060
> ( (81) 8184-3646
> ( INOC-DBA 52965*100
>
>
>
>
> ------------------------------
>
> Message: 8
> Date: Thu, 26 Mar 2015 13:10:35 +0100
> From: Jens Link <lists at quux.de>
> To: nanog at nanog.org
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <87mw30hscj.fsf at pc8.berlin.quux.de>
> Content-Type: text/plain
>
> Stephen Satchell <list at satchell.net> writes:
>
> > It's been a while since I did this, but you can select an additional
> > port to accept SSH connections.
>
> That's easy:
>
> jens at screen:~$ grep Port /etc/ssh/sshd_config
> Port 22
> Port 443
>
> > Picking the right port to use is an exercise, though, that will depend
> > on what other services you are running on your server.
>
> I always have at least one sshd listening on port 443. For all the
> hotel, coffee house, customer networks blocking ssh.
>
> You can even multiplex and run ssh and ssl on the same port:
>
> http://www.rutschle.net/tech/sslh.shtml
>
> Jens
> --
>
> ----------------------------------------------------------------------------
> | Foelderichstr. 40   | 13595 Berlin, Germany           | +49-151-18721264
> |
> | http://blog.quux.de | jabber: jenslink at jabber.quux.de |
> ---------------  |
>
> ----------------------------------------------------------------------------
>
>
> ------------------------------
>
> Message: 9
> Date: Thu, 26 Mar 2015 07:08:20 -0700
> From: Randy <amps at djlab.com>
> To: nanog at nanog.org
> Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <b8636bc52cdc7f7f595ff96c7b078445 at mailbox.fastserv.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> more specifics on one of our prefixes.   Anyone else seeing similar or
> is it just us?
>
> 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
>
> --
> Randy
>
>
> ------------------------------
>
> Message: 10
> Date: Thu, 26 Mar 2015 14:09:52 +0000
> From: "Livingood, Jason" <Jason_Livingood at cable.comcast.com>
> To: "Aaron C. de Bruyn" <aaron at heyaaron.com>, NANOG mailing list
>         <nanog at nanog.org>
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <D1398B6B.FDE9E%jason_livingood at cable.comcast.com>
> Content-Type: text/plain; charset="Windows-1252"
>
> ISPs are generally expected to disclose any port blocking. A quick Google
> search shows this is Frontier’s list:
> http://www.frontierhelp.com/faq.cfm?qstid=277
>
> On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron at heyaaron.com<mailto:
> aaron at heyaaron.com>> wrote:
>
> I've had a handful of clients contact me over the last week with
> trouble using SCP (usually WinSCP) to manage their website content on
> my servers.  Either they get timeout messages from WinSCP or a message
> saying they should switch to SFTP.
>
> After getting a few helpful users on the phone to run some quick
> tests, we found port 22 was blocked.
>
> When my customers contacted Frontier, they were told that port 22 was
> blocked because it is used to transfer illegal files.
>
> I called them, and got the same ridiculous excuse.
>
> Just a friendly heads-up to anyone from Frontier who might be
> listening, I have a few additional ports you may wish to block:
>
> 80 - Allows users to use Google to search for illegal files
> 443 - Allows users to use Google to search for illegal files in a secure
> manner
> 69 - Allows users to trivially transfer illegal files
> 3389 - Allows users to connect to unlicensed Windows machines
> 179 - Allows users to exchange routes to illegal file shares
> 53 - Allows people to look up illegal names
>
> -A
>
>
>
> ------------------------------
>
> Message: 11
> Date: Thu, 26 Mar 2015 10:27:21 -0400
> From: Christopher Morrow <morrowc.lists at gmail.com>
> To: amps at djlab.com
> Cc: nanog list <nanog at nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID:
>         <CAL9jLaY17-8nVwXDDs1dncU=
> 252pBSEFpdi1QaGXq5ZEJ-AyvA at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Thu, Mar 26, 2015 at 10:08 AM, Randy <amps at djlab.com> wrote:
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more
> > specifics on one of our prefixes.   Anyone else seeing similar or is it just
> > us?
>
> is your AS in the path below? (what is your AS so folk can check for
> your prefixes/customer-prefixes and attempt to help?)
>
> >
> > 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> >
> > --
> > Randy
>
>
> ------------------------------
>
> Message: 12
> Date: Thu, 26 Mar 2015 07:28:57 -0700
> From: Jeff Richmond <jeff.richmond at gmail.com>
> To: "Livingood, Jason" <Jason_Livingood at cable.comcast.com>
> Cc: "Aaron C. de Bruyn" <aaron at heyaaron.com>, NANOG mailing list
>         <nanog at nanog.org>
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <006E35AD-00E6-4B61-890F-29E580CE91C9 at gmail.com>
> Content-Type: text/plain; charset=windows-1252
>
> All, I have reached out to Aaron privately for details, but we do not
> block port 22 traffic unless it is in direct response to an attack or
> related item. Please let me know directly if you have any specific
> questions.
>
> Thanks,
> -Jeff
>
> > On Mar 26, 2015, at 7:09 AM, Livingood, Jason <Jason_Livingood at cable.comcast.com> wrote:
> >
> > ISPs are generally expected to disclose any port blocking. A quick
> > Google search shows this is Frontier’s list:
> > http://www.frontierhelp.com/faq.cfm?qstid=277
> >
> > On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron at heyaaron.com<mailto:aaron at heyaaron.com>> wrote:
> >
> > I've had a handful of clients contact me over the last week with
> > trouble using SCP (usually WinSCP) to manage their website content on
> > my servers.  Either they get timeout messages from WinSCP or a message
> > saying they should switch to SFTP.
> >
> > After getting a few helpful users on the phone to run some quick
> > tests, we found port 22 was blocked.
> >
> > When my customers contacted Frontier, they were told that port 22 was
> > blocked because it is used to transfer illegal files.
> >
> > I called them, and got the same ridiculous excuse.
> >
> > Just a friendly heads-up to anyone from Frontier who might be
> > listening, I have a few additional ports you may wish to block:
> >
> > 80 - Allows users to use Google to search for illegal files
> > 443 - Allows users to use Google to search for illegal files in a secure manner
> > 69 - Allows users to trivially transfer illegal files
> > 3389 - Allows users to connect to unlicensed Windows machines
> > 179 - Allows users to exchange routes to illegal file shares
> > 53 - Allows people to look up illegal names
> >
> > -A
> >
>
>
>
> ------------------------------
>
> Message: 13
> Date: Thu, 26 Mar 2015 10:32:31 -0400
> From: Daniel Corbe <corbe at corbe.net>
> To: "Livingood\, Jason" <Jason_Livingood at cable.comcast.com>
> Cc: "Aaron C. de Bruyn" <aaron at heyaaron.com>, NANOG mailing list
>         <nanog at nanog.org>
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <874mp7hls0.fsf at corbe.net>
> Content-Type: text/plain; charset=utf-8
>
>
> Nothing helps promote a free and open Internet more than micromanaging
> your users' download activity.
>
> Not really sure how someone comes to the conclusion that nobody really
> *needs* ssh for anything.
>
> "Livingood, Jason" <Jason_Livingood at cable.comcast.com> writes:
>
> > ISPs are generally expected to disclose any port blocking. A quick
> > Google search shows this is Frontier’s list:
> > http://www.frontierhelp.com/faq.cfm?qstid=277
> >
> > On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron at heyaaron.com<mailto:aaron at heyaaron.com>> wrote:
> >
> > I've had a handful of clients contact me over the last week with
> > trouble using SCP (usually WinSCP) to manage their website content on
> > my servers.  Either they get timeout messages from WinSCP or a message
> > saying they should switch to SFTP.
> >
> > After getting a few helpful users on the phone to run some quick
> > tests, we found port 22 was blocked.
> >
> > When my customers contacted Frontier, they were told that port 22 was
> > blocked because it is used to transfer illegal files.
> >
> > I called them, and got the same ridiculous excuse.
> >
> > Just a friendly heads-up to anyone from Frontier who might be
> > listening, I have a few additional ports you may wish to block:
> >
> > 80 - Allows users to use Google to search for illegal files
> > 443 - Allows users to use Google to search for illegal files in a secure manner
> > 69 - Allows users to trivially transfer illegal files
> > 3389 - Allows users to connect to unlicensed Windows machines
> > 179 - Allows users to exchange routes to illegal file shares
> > 53 - Allows people to look up illegal names
> >
> > -A
>
>
> ------------------------------
>
> Message: 14
> Date: Thu, 26 Mar 2015 07:38:08 -0700
> From: Randy <amps at djlab.com>
> To: Christopher Morrow <morrowc.lists at gmail.com>
> Cc: christopher.morrow at gmail.com, nanog list <nanog at nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <d9f578bfd7e75bf125e26a2911c670bb at mailbox.fastserv.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On 03/26/2015 7:27 am, Christopher Morrow wrote:
> > is your AS in the path below? (what is your AS so folk can check for
> > your prefixes/customer-prefixes and attempt to help?)
>
> Sorry, we're 29889.
>
>
>
> ------------------------------
>
> Message: 15
> Date: Thu, 26 Mar 2015 14:43:20 +0000
> From: Peter Rocca <rocca at start.ca>
> To: "nanog at nanog.org" <nanog at nanog.org>
> Subject: RE: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <44c3b7398b0c46b8a842c44da3f379be at APP02.start.local>
> Content-Type: text/plain; charset="us-ascii"
>
> We just received a similar alert from bgpmon - part of 108.168.0.0/17 is
> being advertised as /20's - although we're still listed as the origin. We
> are 40788.
>
> 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Randy
> Sent: March-26-15 10:08 AM
> To: nanog at nanog.org
> Subject: Prefix hijack by INDOSAT AS4795 / AS4761
>
> On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> more specifics on one of our prefixes.   Anyone else seeing similar or
> is it just us?
>
> 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
>
> --
> Randy
>
>
> ------------------------------
>
> Message: 16
> Date: Thu, 26 Mar 2015 10:44:28 -0400
> From: Christopher Morrow <morrowc.lists at gmail.com>
> To: amps at djlab.com
> Cc: nanog list <nanog at nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID:
>         <CAL9jLaYvGYc6s4uhAqfKG+qikWSa4U3Mp=
> Xo6UUVfAz_4gGR9w at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Thu, Mar 26, 2015 at 10:38 AM, Randy <amps at djlab.com> wrote:
> > On 03/26/2015 7:27 am, Christopher Morrow wrote:
> >>
> >> is your AS in the path below? (what is your AS so folk can check for
> >> your prefixes/customer-prefixes and attempt to help?)
> >
> >
> > Sorry, we're 29889.
> >
>
> ok, and it looks like the path you clipped is:
> 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
>
> possibly LAIX is passing along your /24 you didn't mean them to pass on?
>
>
> ------------------------------
>
> Message: 17
> Date: Thu, 26 Mar 2015 10:45:09 -0400
> From: Christopher Morrow <morrowc.lists at gmail.com>
> To: Peter Rocca <rocca at start.ca>
> Cc: "nanog at nanog.org" <nanog at nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID:
>         <
> CAL9jLaaLxcncc4uyTKz7SuDUks4B+VjzA56NO6n_tdHRmhJsZA at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <rocca at start.ca> wrote:
> > We just received a similar alert from bgpmon - part of 108.168.0.0/17
> > is being advertised as /20's - although we're still listed as the origin.
> > We are 40788.
> >
> > 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> >
>
> common point looks like LAIX ? their routeserver go crazy perhaps? or
> did they change in/out prefix management information?
>
> > -----Original Message-----
> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Randy
> > Sent: March-26-15 10:08 AM
> > To: nanog at nanog.org
> > Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> >
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> > more specifics on one of our prefixes.   Anyone else seeing similar or
> > is it just us?
> >
> > 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> >
> > --
> > Randy
>
>
> ------------------------------
>
> Message: 18
> Date: Thu, 26 Mar 2015 07:46:31 -0700
> From: Randy <amps at djlab.com>
> To: Christopher Morrow <morrowc.lists at gmail.com>
> Cc: christopher.morrow at gmail.com, nanog list <nanog at nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <78c55aee9b1853c827c78adb8527fafb at mailbox.fastserv.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> All,
>
> Info gathered off-list indicates this may be a couple of issues in our
> case - possible routing leak by 18978 (check your tables!) and more
> specifics on our prefixes from 4795 that we couldn't see before the leak
> hence the apparent hijack.
>
> --
> ~Randy
>
>
> ------------------------------
>
> Message: 19
> Date: Thu, 26 Mar 2015 15:46:51 +0100
> From: Pierre Emeriaud <petrus.lt at gmail.com>
> To: amps at djlab.com
> Cc: nanog at nanog.org
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID:
>         <
> CA+PSOpyoEOAsWgQ1mzG+mLs0zrMOw35o7YTRE_R5YsSM8uCAxA at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi,
>
>
> 2015-03-26 15:08 GMT+01:00 Randy <amps at djlab.com>:
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more
> > specifics on one of our prefixes.   Anyone else seeing similar or is it just
> > us?
> >
> > 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
>
> We (as3215) are seeing almost the same path with 40633 18978 3257
> 3215, for some quite a lot of prefixes.
>
> Some alerts from bgpmon:
> 193.251.32.0/20 271 6939 40633 18978 3257 3215
> 193.251.32.0/20 271 6939 40633 18978 3257 3215
>
> We are not directly connected to 3257. Looks like 18978 deaggregated
> to /20 and reannounced to 40633 (LAIX).
>
>
> Rgds,
> pierre
>
>
> ------------------------------
>
> Message: 20
> Date: Thu, 26 Mar 2015 23:48:12 +0900
> From: "Paul S." <contact at winterei.se>
> To: nanog at nanog.org
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <55141C2C.40706 at winterei.se>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Same here. These Indosat guys can't seem to catch a break =/
>
> On 3/26/2015 11:43 PM, Peter Rocca wrote:
> > We just received a similar alert from bgpmon - part of 108.168.0.0/17
> > is being advertised as /20's - although we're still listed as the origin.
> > We are 40788.
> >
> > 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> >
> > -----Original Message-----
> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Randy
> > Sent: March-26-15 10:08 AM
> > To: nanog at nanog.org
> > Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> >
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> > more specifics on one of our prefixes.   Anyone else seeing similar or
> > is it just us?
> >
> > 198.98.180.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> >
>
>
>
> ------------------------------
>
> Message: 21
> Date: Thu, 26 Mar 2015 11:00:31 -0400
> From: Chuck Anderson <cra at WPI.EDU>
> To: nanog at nanog.org
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <20150326150030.GO9776 at angus.ind.WPI.EDU>
> Content-Type: text/plain; charset=us-ascii
>
> We are AS 10326 130.215.0.0/16 and I just received a BGPmon alert as
> well:
>
> 130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326
> 130.215.176.0/20 4795 4795 4761 9304 40633 18978 4436 10326
>
> On Thu, Mar 26, 2015 at 10:45:09AM -0400, Christopher Morrow wrote:
> > On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <rocca at start.ca> wrote:
> > > We just received a similar alert from bgpmon - part of 108.168.0.0/17
> > > is being advertised as /20's - although we're still listed as the origin.
> > > We are 40788.
> > >
> > > 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > > 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > > 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > > 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> > >
> >
> > common point looks like LAIX ? their routeserver go crazy perhaps? or
> > did they change in/out prefix management information?
> >
> > > -----Original Message-----
> > > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Randy
> > > Sent: March-26-15 10:08 AM
> > > To: nanog at nanog.org
> > > Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> > >
> > > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> > > more specifics on one of our prefixes.   Anyone else seeing similar or
> > > is it just us?
> > >
> > > 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > > 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > >
> > > --
> > > Randy
>
>
> ------------------------------
>
> Message: 22
> Date: Thu, 26 Mar 2015 16:02:00 +0100
> From: Christian Teuschel <christian.teuschel at ripe.net>
> To: nanog at nanog.org
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <55141F68.9060900 at ripe.net>
> Content-Type: text/plain; charset="windows-1252"
>
> Hi Randy,
>
> Assuming that your prefix is 198.98.180.0/22 (AS29889 - FSNET-1 - Fast
> Serv Networks, LLC) none of the mentioned more specifics are currently
> seen from the RIPE NCC's RIS network, see the Looking Glass widget:
>
> https://stat.ripe.net/198.98.180.0/23#tabId=routing
> https://stat.ripe.net/198.98.182.0/23#tabId=at-a-glance
>
> though there has been some BGP activity going on since 11:49:42, see the
> BGPlay and BGP Update Activity widget. In both cases the originating ASN
> was AS29889.
>
> Cheers,
> Christian
>
> On 26/03/15 15:46, Randy wrote:
> > All,
> >
> > Info gathered off-list indicates this may be a couple of issues in our
> > case - possible routing leak by 18978 (check your tables!) and more
> > specifics on our prefixes from 4795 that we couldn't see before the leak
> > hence the apparent hijack.
> >
>
> ------------------------------
>
> Message: 23
> Date: Thu, 26 Mar 2015 08:53:37 -0700
> From: Andree Toonk <andree+nanog at toonk.nl>
> To: Peter Rocca <rocca at start.ca>
> Cc: "nanog at nanog.org" <nanog at nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <55142B81.9000305 at toonk.nl>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi List,
>
> This morning our BGPmon system picked up many new more specific
> announcements by a variety of Origin ASNs, the interesting part is that
> the majority of them were classified as BGP Man In The Middle attacks
> (MITM).
>
> A typical alert would look like:
>
> ====================================================================
> Possible BGP MITM attack (Code: 21)
> ====================================================================
> Your prefix:          23.20.0.0/15:
> Prefix Description:   acxiom-online.com --- Amazon EC2 IAD prefix
> Update time:          2015-03-26 11:27 (UTC)
> Detected by #peers:   24
> Detected prefix:      23.21.112.0/20
> Announced by:         AS14618 (AMAZON-AES - Amazon.com, Inc.,US)
> Upstream AS:          AS3257 (TINET-BACKBONE Tinet SpA,DE)
> ASpath:               4608 24130 7545 6939 40633 18978 3257 14618
>
> All alerts have the following part of the AS Path in common:
> 40633 1897
>
> We're still looking into the details of this particular case, but
> based on past experience it's likely that it is not in fact 14618 AWS,
> that originated this more specific (in this example), but most likely
> 18978 (or 40633), which leaked it to AS40633 Los Angeles Internet
> exchange, where others picked it up and propagated it to their customers.
>
> In the past we've seen similar issues caused by BGP traffic optimizers.
> These devices introduce new more specifics (try to keep the ASpath
> intact) for Traffic engineering purposes, and then folks leak those. A
> good write up of a previous example can be found here:
> http://www.bgpmon.net/accidentally-stealing-the-internet/
>
> A quick scan shows that this affected over 5000 prefixes and about 145
> Autonomous systems. All of these appear to be more specific prefixes
> (which is the scary part).
>
> Cheers,
>  Andree
>
> PS. It appears this is not related to INDOSAT, they just happen to be
> one of the peers that picked this up.
>
>
> .-- My secret spy satellite informs me that at 2015-03-26 7:43 AM  Peter Rocca wrote:
> > We just received a similar alert from bgpmon - part of 108.168.0.0/17
> > is being advertised as /20's - although we're still listed as the origin.
> > We are 40788.
> >
> > 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> >
> > -----Original Message-----
> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Randy
> > Sent: March-26-15 10:08 AM
> > To: nanog at nanog.org
> > Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> >
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> > more specifics on one of our prefixes.   Anyone else seeing similar or
> > is it just us?
> >
> > 198.98.180.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> >
>
>
> ------------------------------
>
> Message: 24
> Date: Thu, 26 Mar 2015 16:00:13 +0000
> From: Peter Rocca <rocca at start.ca>
> To: Andree Toonk <andree+nanog at toonk.nl>
> Cc: "nanog at nanog.org" <nanog at nanog.org>
> Subject: RE: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <df223256e7294e619cf09b8697de7f28 at APP02.start.local>
> Content-Type: text/plain; charset="us-ascii"
>
> +1
>
> The summary below aligns with our analysis as well.
>
> We've reached out to AS18978 to determine the status of the leak but at
> this time we're not seeing any operational impact.
>
>
>
> ------------------------------
>
> Message: 25
> Date: Thu, 26 Mar 2015 12:09:10 -0400
> From: Shawn L <shawnl at up.net>
> To: nanog <nanog at nanog.org>
> Subject: Charter Engineer
> Message-ID:
>         <CACTmXQVgzXydseLNrAcCZtt+sXS1_LSrGqJca=+ep9GS2Kc+AA at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Could a Charter engineer with familiarity with Michigan contact me
> off-list?  We have a mutual client who's having issues communicating
> between sites.
>
> Thanks
>
>
> ------------------------------
>
> Message: 26
> Date: Thu, 26 Mar 2015 09:14:25 -0700
> From: Randy <amps at djlab.com>
> To: Peter Rocca <rocca at start.ca>
> Cc: nanog at nanog.org
> Subject: RE: More specifics from AS18978 [was: Prefix hijack by
>         INDOSAT AS4795 / AS4761]
> Message-ID: <fd455d84899cd5dfe3a4ff9169addcf3 at mailbox.fastserv.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On 03/26/2015 9:00 am, Peter Rocca wrote:
> > +1
> >
> > The summary below aligns with our analysis as well.
> >
> > We've reached out to AS18978 to determine the status of the leak but
> > at this time we're not seeing any operational impact.
>
> +2, after the morning coffee sunk in and helpful off list replies I can
> finally see it's probably not INDOSAT involved at all.
>
> FYI, the more specifics are still active:
>
> 2015-03-26 13:56:11     Update  AS4795  ID      198.98.180.0/23 4795 4795 4761 9304 40633 18978 6939 29889     Active
> 2015-03-26 13:56:11     Update  AS4795  ID      198.98.182.0/23 4795 4795 4761 9304 40633 18978 6939 29889     Active
>
> --
> ~Randy
>
>
> End of NANOG Digest, Vol 86, Issue 27
> *************************************
>
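
An added example (not part of the original message, and not BGPmon's code): the check discussed in the quoted thread, flagging announcements that are more specific than a monitored prefix yet still show the expected origin, then extracting the AS-path segment shared by all of them. Prefixes and paths are copied from the thread; the last route is a constructed control, and all function names are hypothetical.

```python
import ipaddress

# Values quoted in the thread; the last OBSERVED entry is a constructed control.
MONITORED = [("198.98.180.0/22", 29889), ("108.168.0.0/17", 40788),
             ("23.20.0.0/15", 14618)]  # (covering prefix, expected origin ASN)
OBSERVED = [
    ("198.98.180.0/23", "4795 4795 4761 9304 40633 18978 4436 29889"),
    ("108.168.64.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("23.21.112.0/20", "4608 24130 7545 6939 40633 18978 3257 14618"),
    ("198.98.180.0/22", "6939 4436 29889"),  # constructed covering route
]

def parse_path(text):
    """Split an AS path and collapse prepending (consecutive repeats)."""
    path = []
    for asn in map(int, text.split()):
        if not path or path[-1] != asn:
            path.append(asn)
    return path

def find_more_specifics(observed, monitored):
    """Routes strictly inside a monitored prefix, with an origin check."""
    covers = [(ipaddress.ip_network(p), asn) for p, asn in monitored]
    hits = []
    for prefix, path_text in observed:
        net, path = ipaddress.ip_network(prefix), parse_path(path_text)
        for cover, origin in covers:
            if net.version == cover.version and net != cover and net.subnet_of(cover):
                hits.append({"prefix": prefix, "covering": str(cover),
                             "path": path, "origin_ok": path[-1] == origin})
    return hits

def contains(path, seg):
    return any(path[k:k + len(seg)] == seg for k in range(len(path) - len(seg) + 1))

def common_segment(paths):
    """Longest contiguous AS sequence that appears in every path."""
    best = []
    for i in range(len(paths[0]) if paths else 0):
        for j in range(i + len(best) + 1, len(paths[0]) + 1):
            seg = paths[0][i:j]
            if not all(contains(p, seg) for p in paths):
                break
            best = seg
    return best

if __name__ == "__main__":
    hits = find_more_specifics(OBSERVED, MONITORED)
    print([h["prefix"] for h in hits], common_segment([h["path"] for h in hits]))
```

An unchanged origin on a new more-specific does not clear the route: the shared segment is where to look for the leak.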

