BGP Hijack/Sickness with AS4637

Job Snijders job at ntt.net
Thu May 31 14:15:41 UTC 2018


On Thu, May 31, 2018 at 09:49:47AM -0400, Alain Hebert wrote:
> Well bad news on the ColoAU front, they refused to cooperate.
> 
> We'll pushback thru our GTT accounts...  But I'm running out of ideas.
> 
> If anyone has any good ideas how to proceed at this point feel free to
> share =D.

This feels like a BGP "optimiser" at work inside AS 4637.

From the https://lg.coloau.com.au/ looking glass:

BGP 'show route'
    18.29.238.0/23  *[BGP/170] 1w0d 18:49:44, localpref 90, from 103.97.52.2
                    AS path: 4637 3257 29909 16532 16532 16532 16532 I, validation-state: unverified

However, a data-plane traceroute:

    AS path: 4637 -> 174 ->  ...

    traceroute to 18.29.238.1 (18.29.238.1), 30 hops max, 40 byte packets
     1  103.52.116.49 (103.52.116.49)  114.573 ms  113.965 ms  117.141 ms
         MPLS Label=691873 CoS=0 TTL=1 S=0
         MPLS Label=17 CoS=0 TTL=1 S=1
     2  202.127.69.34 (202.127.69.34)  113.768 ms  113.763 ms  113.731 ms
     3  202.84.148.113 (202.84.148.113) [AS  4637]  114.759 ms  117.956 ms  115.796 ms
     4  202.84.141.13 (202.84.141.13) [AS  4637]  181.873 ms 202.84.141.169 (202.84.141.169) [AS  4637]  181.618 ms  182.688 ms
     5  202.84.253.82 (202.84.253.82) [AS  4637]  181.949 ms 202.40.149.226 (202.40.149.226) [AS  4637]  183.194 ms 202.84.253.82 (202.84.253.82) [AS  4637]  201.282 ms
     6  154.54.10.133 (154.54.10.133) [AS  174]  181.055 ms  181.100 ms  181.065 ms
     7  154.54.27.117 (154.54.27.117) [AS  174]  175.410 ms  182.956 ms 154.54.3.69 (154.54.3.69) [AS  174]  175.176 ms
     8  154.54.45.161 (154.54.45.161) [AS  174]  212.531 ms 154.54.44.85 (154.54.44.85) [AS  174]  202.470 ms  187.361 ms
     9  154.54.42.78 (154.54.42.78) [AS  174]  195.585 ms  195.812 ms 154.54.42.66 (154.54.42.66) [AS  174]  211.713 ms
    10  154.54.30.161 (154.54.30.161) [AS  174]  235.896 ms  216.173 ms  211.246 ms
    11  154.54.28.129 (154.54.28.129) [AS  174]  233.516 ms  225.413 ms  225.551 ms
    12  154.54.24.221 (154.54.24.221) [AS  174]  236.432 ms  236.701 ms  236.595 ms
    13  154.54.40.109 (154.54.40.109) [AS  174]  273.564 ms  279.452 ms  248.212 ms
    14  154.54.46.33 (154.54.46.33) [AS  174]  248.098 ms  247.802 ms  248.084 ms
    15  * * *

Discongruity between RIB and FIB like this, and the hijack being a
more-specific of a /16, is a typical sign of BGP 'optimisers'.

I recommend you reach out to AUSNOG and APOPS and hope someone there
knows someone at Telstra Hong Kong.

More thoughts on BGP optimisers: http://seclists.org/nanog/2017/Aug/318

Kind regards,

Job
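As an added illustration of the control-plane versus data-plane comparison described in the post (example code, not from the post, NTT or ColoAU): it parses the two output shapes quoted above, collapses prepending and multi-hop ASes, and flags the two signs named, a RIB/FIB path mismatch and a more-specific of a covering prefix. The covering 18.29.0.0/16 and the abridged traceroute hops are constructed sample input.

```python
import re
from ipaddress import ip_network

# Constructed sample shaped like the looking-glass and traceroute output
# quoted above (ASNs and prefix from the post; traceroute hops abridged).
RIB_OUTPUT = """\
    18.29.238.0/23  *[BGP/170] 1w0d 18:49:44, localpref 90, from 103.97.52.2
                    AS path: 4637 3257 29909 16532 16532 16532 16532 I, validation-state: unverified
"""
TRACEROUTE_OUTPUT = """\
 3  202.84.148.113 (202.84.148.113) [AS  4637]  114.759 ms
 4  202.84.141.13 (202.84.141.13) [AS  4637]  181.873 ms
 6  154.54.10.133 (154.54.10.133) [AS  174]  181.055 ms
 7  154.54.27.117 (154.54.27.117) [AS  174]  175.410 ms
"""

def _collapse(asns):
    """Drop consecutive repeats (prepending, or several hops inside one AS)."""
    out = []
    for asn in asns:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def rib_as_path(text):
    """AS path the looking glass advertises for the route (control plane)."""
    m = re.search(r"AS path:\s*([\d\s]+?)\s+[IE?]", text)
    return _collapse(m.group(1).split()) if m else []

def traceroute_as_path(text):
    """Sequence of ASes the packets actually traverse (data plane)."""
    return _collapse(re.findall(r"\[AS\s+(\d+)\]", text))

def congruent(rib_path, dp_path):
    """True if the data-plane AS sequence appears, in order, within the RIB path."""
    it = iter(rib_path)
    return all(asn in it for asn in dp_path)

def is_more_specific(prefix, covering):
    net, cover = ip_network(prefix), ip_network(covering)
    return net != cover and net.subnet_of(cover)

def assess(rib_text, tr_text, prefix, covering):
    """Flag the two signs the post describes: RIB/FIB mismatch and a more-specific."""
    rib, dp = rib_as_path(rib_text), traceroute_as_path(tr_text)
    return {"rib_path": rib, "dataplane_path": dp,
            "path_incongruent": not congruent(rib, dp),
            "more_specific_of_covering": is_more_specific(prefix, covering)}
```

Running `assess(RIB_OUTPUT, TRACEROUTE_OUTPUT, "18.29.238.0/23", "18.29.0.0/16")` on the sample reports both flags true, matching the post's diagnosis; a clean path where traceroute ASes are a subsequence of the RIB path reports no incongruity.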
