Validating possible BGP MITM attack

Christopher Morrow morrowc.lists at gmail.com
Thu Aug 31 17:47:09 UTC 2017


On Thu, Aug 31, 2017 at 1:23 PM, Steve Feldman <feldman at twincreeks.net>
wrote:

> Interesting.  We also got similar BGPMon alerts about disaggregated
> portions of couple of our prefixes. I didn't see any of the bad prefixes in
> route-views, though.
>
> The AS paths in the alerts started with "131477 38478 ..." and looked
> valid after that.  Job's suggestion would explain that.
>
>
Looking back at a bunch of historical route leak incidents... they often
seem to be this sort of thing :( I think I normally term them "internap
box problems"

I think internap doesn't even really sell that product anymore though :( so
now I'll call them 'noction problems' instead I guess.

lack of outbound route filtering can be painful yo!


>      Steve
>
> > On Aug 31, 2017, at 10:01 AM, Job Snijders <job at instituut.net> wrote:
> >
> > Hi Andy,
> >
> > It smells like someone in 38478 or 131477 is using Noction or some other
> > BGP "optimizer" that injects hijacks for the purpose of traffic
> > engineering. :-(
> >
> > Kind regards,
> >
> > Job
> >
> > On Thu, 31 Aug 2017 at 19:38, Andy Litzinger <andy.litzinger.lists at gmail.com>
> > wrote:
> >
> >> Hello,
> >> we use BGPMon.net to monitor our BGP announcements.  This morning we
> >> received two possible BGP MITM alerts for two of our prefixes detected
> >> by a single BGPMon probe located in China.  I've reached out to BGPMon
> >> to see how much credence I should give to an alert from a single probe
> >> location, but I'm interested in community feedback as well.
> >>
> >> The alert detailed that one of our /23 prefixes has been broken into /24
> >> specifics and the AS Path shows a peering relationship with us that does
> >> not exist:
> >> 131477 (Shanghai Huajan) 38478 (Sunny Vision LTD) 3491 (PCCW Global)
> >> 14042 (me)
> >>
> >> We do not peer directly with PCCW Global.  I'm going to reach out to
> >> them directly to see if they may have done anything by accident, but
> >> presuming they haven't and the path is spoofed, can I prove that?  How
> >> can I detect if traffic is indeed swinging through that hijacked path?
> >> How worried should I be and what are my options for resolving the
> >> situation?
> >>
> >> thanks!
> >> -andy
> >>
> >
>
>
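The two checks the thread turns on, "is this a more-specific of something we announce?" and "does the AS adjacent to us in the path correspond to a neighbor we actually have a session with?", are easy to automate against alert or collector data. The script below is an added example written for this archive page, not code from any poster or from BGPMon. It keeps the ASNs from the quoted alert, but the announced /23, the set of known neighbors and the sample observations are constructed for illustration.

```python
"""Triage observed BGP routes against an operator's expected announcements.

Added example, not from the original thread. The AS path in SAMPLE is the
one quoted in the alert; everything else (prefix, neighbor set) is made up.
"""
import ipaddress

OUR_ASN = 14042  # origin AS in the thread's quoted alert

# Constructed assumptions: the ASNs we really have BGP sessions with, and
# the prefix we originate (the thread mentions a /23 but not which one).
KNOWN_NEIGHBORS = {64500, 64501}
ANNOUNCED = [ipaddress.ip_network("10.20.0.0/23")]


def covering_prefix(net):
    """Return the prefix we announce that covers `net`, or None."""
    for ann in ANNOUNCED:
        if ann.version == net.version and net.subnet_of(ann):
            return ann
    return None


def check_observation(prefix, as_path):
    """Compare one observed route (prefix plus the AS path a collector saw)
    with what we expect. Returns a list of human-readable problems; an
    empty list means the observation is consistent with our announcements."""
    net = ipaddress.ip_network(prefix)
    path = tuple(int(asn) for asn in as_path)
    problems = []

    ann = covering_prefix(net)
    if ann is None:
        return [f"{net} is not covered by any prefix we announce"]

    # Disaggregation: a longer prefix than we announce wins best-path
    # selection everywhere it propagates, so it deserves a flag on its own.
    if net.prefixlen > ann.prefixlen:
        problems.append(f"more-specific {net} of our announced {ann}")

    # Origin and adjacency: the rightmost ASN should be us, and the ASN just
    # to its left should be someone we actually peer with or buy transit from.
    if path[-1] != OUR_ASN:
        problems.append(f"origin AS{path[-1]} is not our AS{OUR_ASN}")
    elif len(path) >= 2 and path[-2] not in KNOWN_NEIGHBORS:
        problems.append(
            f"AS{path[-2]} appears adjacent to us but is not a known neighbor")

    return problems


def triage(observations):
    """Return (prefix, path, problems) for every observation with problems."""
    findings = []
    for prefix, path in observations:
        problems = check_observation(prefix, path)
        if problems:
            findings.append((prefix, tuple(path), problems))
    return findings


# Constructed sample observations; the first is modelled on the alert in
# the thread (a /24 carved out of a /23, with AS3491 shown adjacent to us).
SAMPLE = [
    ("10.20.0.0/24", (131477, 38478, 3491, 14042)),
    ("10.20.0.0/23", (65010, 64500, 14042)),
]

if __name__ == "__main__":
    for prefix, path, problems in triage(SAMPLE):
        print(prefix, " ".join(str(a) for a in path))
        for p in problems:
            print("   -", p)
```

Feeding it the alert from the thread yields both flags (more-specific of the /23, and an adjacency to AS3491 that is not in the neighbor set), while the legitimate /23 via a known upstream passes clean. The same logic works over a full table export from a collector such as route-views, which is where the thread suggests looking for confirmation; absence from one collector does not prove absence everywhere, since a leak of this kind is often visible only from vantage points near the leaking network.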