Validating possible BGP MITM attack
morrowc.lists at gmail.com
Thu Aug 31 17:47:09 UTC 2017
On Thu, Aug 31, 2017 at 1:23 PM, Steve Feldman <feldman at twincreeks.net>
> Interesting. We also got similar BGPMon alerts about disaggregated
> portions of couple of our prefixes. I didn't see any of the bad prefixes in
> route-views, though.
> The AS paths in the alerts started with "131477 38478 ..." and looked
> valid after that. Job's suggestion would explain that.
Looking back at a bunch of historical route leak incidents... they often
seem to be this sort of thing :( I think I normally term them; "internap
I think internap doesn't even really sell that product anymore though :( so
now I'll call them 'noction problems' instead I guess.
lack of outbound route filtering can be painful yo!
> > On Aug 31, 2017, at 10:01 AM, Job Snijders <job at instituut.net> wrote:
> > Hi Andy,
> > It smells like someone in 38478 or 131477 is using Noction or some other
> > BGP "optimizer" that injects hijacks for the purpose of traffic
> > engineering. :-(
> > Kind regards,
> > Job
> > On Thu, 31 Aug 2017 at 19:38, Andy Litzinger <andy.litzinger.lists at gmail.com> wrote:
> >> Hello,
> >> we use BGPMon.net to monitor our BGP announcements. This morning we
> >> received two possible BGP MITM alerts for two of our prefixes detected by a
> >> single BGPMon probe located in China. I've reached out to BGPMon to see
> >> how much credence I should give to an alert from a single probe
> >> but I'm interested in community feedback as well.
> >> The alert detailed that one of our /23 prefixes has been broken into /24
> >> specifics and the AS Path shows a peering relationship with us that does
> >> not exist:
> >> 131477(Shanghai Huajan) 38478(Sunny Vision LTD) 3491(PCCW Global) 14042
> >> (me)
> >> We do not peer directly with PCCW Global. I'm going to reach out to
> >> directly to see if they may have done anything by accident, but
> >> they haven't and the path is spoofed, can I prove that? How can I
> >> if traffic is indeed swinging through that hijacked path? How worried
> >> should I be and what are my options for resolving the situation?
> >> thanks!
> >> -andy