BGP Hijack/Sickness with AS4637
Job Snijders
job at ntt.net
Thu May 31 14:15:41 UTC 2018
On Thu, May 31, 2018 at 09:49:47AM -0400, Alain Hebert wrote:
> Well bad news on the ColoAU front, they refused to cooperate.
>
> We'll pushback thru our GTT accounts... But I'm running out of ideas.
>
> If anyone has any good ideas how to proceed at this point feel free to
> share =D.
This feels like a BGP "optimiser" at work inside AS 4637.
From the https://lg.coloau.com.au/ looking glass:
BGP 'show route'
18.29.238.0/23 *[BGP/170] 1w0d 18:49:44, localpref 90, from 103.97.52.2
AS path: 4637 3257 29909 16532 16532 16532 16532 I, validation-state: unverified
However, a data-plane traceroute:
AS path: 4637 -> 174 -> ...
traceroute to 18.29.238.1 (18.29.238.1), 30 hops max, 40 byte packets
1 103.52.116.49 (103.52.116.49) 114.573 ms 113.965 ms 117.141 ms
MPLS Label=691873 CoS=0 TTL=1 S=0
MPLS Label=17 CoS=0 TTL=1 S=1
2 202.127.69.34 (202.127.69.34) 113.768 ms 113.763 ms 113.731 ms
3 202.84.148.113 (202.84.148.113) [AS 4637] 114.759 ms 117.956 ms 115.796 ms
4 202.84.141.13 (202.84.141.13) [AS 4637] 181.873 ms 202.84.141.169 (202.84.141.169) [AS 4637] 181.618 ms 182.688 ms
5 202.84.253.82 (202.84.253.82) [AS 4637] 181.949 ms 202.40.149.226 (202.40.149.226) [AS 4637] 183.194 ms 202.84.253.82 (202.84.253.82) [AS 4637] 201.282 ms
6 154.54.10.133 (154.54.10.133) [AS 174] 181.055 ms 181.100 ms 181.065 ms
7 154.54.27.117 (154.54.27.117) [AS 174] 175.410 ms 182.956 ms 154.54.3.69 (154.54.3.69) [AS 174] 175.176 ms
8 154.54.45.161 (154.54.45.161) [AS 174] 212.531 ms 154.54.44.85 (154.54.44.85) [AS 174] 202.470 ms 187.361 ms
9 154.54.42.78 (154.54.42.78) [AS 174] 195.585 ms 195.812 ms 154.54.42.66 (154.54.42.66) [AS 174] 211.713 ms
10 154.54.30.161 (154.54.30.161) [AS 174] 235.896 ms 216.173 ms 211.246 ms
11 154.54.28.129 (154.54.28.129) [AS 174] 233.516 ms 225.413 ms 225.551 ms
12 154.54.24.221 (154.54.24.221) [AS 174] 236.432 ms 236.701 ms 236.595 ms
13 154.54.40.109 (154.54.40.109) [AS 174] 273.564 ms 279.452 ms 248.212 ms
14 154.54.46.33 (154.54.46.33) [AS 174] 248.098 ms 247.802 ms 248.084 ms
15 * * *
Discongruity between RIB and FIB like this, and the hijack being a
more-specific of a /16, is a typical sign of BGP 'optimisers'.
I recommend you reach out to AUSNOG and APOPS and hope someone there
knows someone at Telstra Hong Kong.
More thoughts on BGP optimisers: http://seclists.org/nanog/2017/Aug/318
Kind regards,
Job
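The check described in the message above, comparing the looking-glass AS path (control plane) against the per-hop "[AS nnn]" annotations of a traceroute (data plane) and testing whether the announced prefix is a more-specific of its covering block, written out as a small detector. This is an added example, not code from Job's message, from NTT or from ColoAU. The looking-glass and traceroute lines embedded below are constructed from the output quoted above, the 18.29.0.0/16 covering prefix is an assumption drawn from the remark about the /16, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input, modelled on the Junos-style looking-glass
# output quoted in the thread (assumed format).
LG_OUTPUT = """\
18.29.238.0/23 *[BGP/170] 1w0d 18:49:44, localpref 90, from 103.97.52.2
AS path: 4637 3257 29909 16532 16532 16532 16532 I, validation-state: unverified
"""

# Constructed sample input, modelled on the traceroute quoted in the thread;
# hops without an "[AS nnn]" annotation (hop 1, MPLS labels, timeouts) are kept
# to show that the parser skips them.
TRACEROUTE_OUTPUT = """\
traceroute to 18.29.238.1 (18.29.238.1), 30 hops max, 40 byte packets
 1 103.52.116.49 (103.52.116.49) 114.573 ms 113.965 ms 117.141 ms
     MPLS Label=691873 CoS=0 TTL=1 S=0
 3 202.84.148.113 (202.84.148.113) [AS 4637] 114.759 ms 117.956 ms 115.796 ms
 4 202.84.141.13 (202.84.141.13) [AS 4637] 181.873 ms 202.84.141.169 (202.84.141.169) [AS 4637] 181.618 ms 182.688 ms
 6 154.54.10.133 (154.54.10.133) [AS 174] 181.055 ms 181.100 ms 181.065 ms
 14 154.54.46.33 (154.54.46.33) [AS 174] 248.098 ms 247.802 ms 248.084 ms
 15 * * *
"""

HOP_AS_RE = re.compile(r"\[AS (\d+)\]")
PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)")


def collapse(asns):
    """Drop consecutive duplicates, so AS prepending (16532 16532 ...) and
    several hops inside one AS both collapse to a single entry."""
    out = []
    for asn in asns:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def parse_prefix(lg_text):
    """Return the first 'a.b.c.d/len' token at the start of a line, or None."""
    for line in lg_text.splitlines():
        match = PREFIX_RE.match(line.strip())
        if match:
            return match.group(1)
    return None


def parse_control_plane_path(lg_text):
    """Return the AS path from an 'AS path:' line as a list of ints.
    The trailing origin code (I/E/?) and anything after the comma are ignored."""
    for line in lg_text.splitlines():
        if line.strip().startswith("AS path:"):
            field = line.split("AS path:", 1)[1].split(",", 1)[0]
            return collapse([int(tok) for tok in field.split() if tok.isdigit()])
    return []


def parse_data_plane_path(tr_text):
    """Return the sequence of ASes seen hop by hop in traceroute output.
    Only the first annotation on a hop line is used; unannotated hops are skipped."""
    asns = []
    for line in tr_text.splitlines():
        found = HOP_AS_RE.findall(line)
        if found:
            asns.append(int(found[0]))
    return collapse(asns)


def find_divergence(control, data):
    """Return (hop_index, asn) of the first data-plane AS that does not occur
    on the control-plane path in order, or None if the paths are consistent.
    The data-plane sequence may legitimately skip ASes (unannotated hops),
    so an in-order subsequence match is required rather than equality."""
    pos = 0
    for i, asn in enumerate(data):
        try:
            pos = control.index(asn, pos)
        except ValueError:
            return (i, asn)
    return None


def is_more_specific(prefix, covering):
    """True if prefix is strictly longer than, and contained in, covering."""
    p = ipaddress.ip_network(prefix)
    c = ipaddress.ip_network(covering)
    return p.prefixlen > c.prefixlen and p.subnet_of(c)


def assess(lg_text, tr_text, covering_prefix):
    """Combine both signals from the thread: RIB/FIB AS-path mismatch plus a
    more-specific of a covering block is the pattern attributed to BGP optimisers."""
    prefix = parse_prefix(lg_text)
    control = parse_control_plane_path(lg_text)
    data = parse_data_plane_path(tr_text)
    divergence = find_divergence(control, data)
    more_specific = is_more_specific(prefix, covering_prefix)
    return {
        "prefix": prefix,
        "control_plane_path": control,
        "data_plane_path": data,
        "divergence": divergence,
        "more_specific_of_covering": more_specific,
        "suspicious": divergence is not None and more_specific,
    }


if __name__ == "__main__":
    for key, value in assess(LG_OUTPUT, TRACEROUTE_OUTPUT, "18.29.0.0/16").items():
        print(f"{key}: {value}")
```

On the sample above the control plane says 4637 hands the traffic to 3257, while the traceroute leaves 4637 into 174, so the first divergence is reported at the second data-plane AS; together with the /23 sitting inside the assumed /16 the report is flagged as suspicious. Running this against a looking glass for several prefixes from the affected block would give a defender a repeatable record to attach when escalating to the upstream.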