[lacnog] ¿¿ 8.8.8.0/24 hijacked in Venezuela ??
Carlos M. Martinez
carlosmarcelomartinez en gmail.com
Wed Mar 19 18:21:54 BRT 2014
According to what I take from Doug's answer, the only two differences
between this case and that of Pakistan Telecom and YouTube are that (1)
the 'mistakenly leaked' (let's not call it hijacking :-) ) prefix was a
/32 instead of a /24, and (2) that BT Latam upstreams apparently do a
much better job at prefix filtering than what PCCW did for PakTel.
Other than that, it's the same old story all over again. So yes, RPKI
could have played a useful role here.
Cheers!
~Carlos
On 3/19/14, 6:03 PM, Roque Gagliano wrote:
> I guess the conclusion is that AS7908 did originate the 8.8.8.8/32
> announcement and then the (small coverage) leakage could have been
> prevented by RPKI if configured at their upstreams.
> r.
>
>
> On Wed, Mar 19, 2014 at 9:48 PM, Carlos M. Martinez
> <carlosmarcelomartinez en gmail.com> wrote:
>
> Doug,
>
> thanks for the good wishes and thank you very much for your very clear
> and complete answer, that is just what I was looking for.
>
> Kind regards,
>
> ~Carlos
>
> On 3/19/14, 5:44 PM, Doug Madory wrote:
> > Hola Carlos,
> >
> > Congrats on your new role at LACNIC!
> >
> > It is true that AS7908 announced 8.8.8.8/32 for about 20 minutes on
> > Saturday, although I'm skeptical of how significant this is.
> >
> > For one, because the route is a /32 it didn't travel very far. We had
> > 4 of our 416 peers see it. I believe BGPmon had about the same number
> > of peers see the route. The article you cite implies that there was
> > global impact; however, the actual number of users impacted is likely
> > small. As far as what the "impact" was, there isn't any evidence that
> > this wasn't just a leak of some internal route for proper handling of
> > Google DNS queries. If there were queries that were blocked or
> > returned with bogus information, then that would be concerning.
> >
> > Half of the routes that BT Latam (AS7908) transits (about 200) are
> > from Argentina, 80 are from Brazil, 40 from Venezuela and the rest
> > from other LATAM countries. I suspect this leaked route was probably
> > there to make sure the queries were handled in a certain way, like
> > directed to the local Google DNS resolvers in Buenos Aires or Sao
> > Paulo. I don't believe that we know that any Google DNS queries at
> > all were actually redirected to Venezuela as the article suggests.
> >
> > What's more, AS7908 regularly announces 125.125.125.0/24, which is
> > Chinese address space that is currently in use by China Telecom.
> > Given the repeating pattern of the octets, I believe this is another
> > internal route they are inadvertently leaking - as opposed to
> > hijacking the Chinese. :-) I encounter this kind of thing regularly.
> > Also AS7908 leaked internal routes earlier that day. These things
> > contribute to the appearance of sloppiness more than anything
> > nefarious.
> >
> > Rogers of Canada also announced 8.8.8.8/30 last year and it was
> > discussed on the NANOG list:
> > http://mailman.nanog.org/pipermail/nanog/2013-July/059736.html
> > That ultimately appeared to be benign:
> > http://mailman.nanog.org/pipermail/nanog/2013-July/059743.html
> >
> > There are other examples, such as AS39605 announcing 8.8.8.0/24 last
> > month for almost 6 hours.
> >
> > Having said all that, BGP hijacking is a legitimate concern that
> > ought to be addressed in a thoughtful way.
> >
> > Doug Madory
> > 603-643-9300 x115
> > Hanover, NH
> > "The Internet Intelligence Authority"
> >
> > On Mar 19, 2014, at 11:00 AM, lacnog-request en lacnic.net wrote:
> >
> >> Date: Tue, 18 Mar 2014 17:34:55 -0300
> >> From: Carlos Martinez-Cagnazzo <carlosm3011 en gmail.com>
> >> To: Latin America and Caribbean Region Network Operators Group
> >> <lacnog en lacnic.net>
> >> Subject: [lacnog] ¿¿ 8.8.8.0/24 hijacked in Venezuela ??
> >> Message-ID:
> >> <CA+z-_EXMyjqZ5EgqApjM97WMif1CEj_-B1z3--N9=-o13Qa25A en mail.gmail.com>
> >> Content-Type: text/plain; charset="iso-8859-1"
> >>
> >> I was just reading this:
> >>
> >> http://thehackernews.com/2014/03/google-public-dns-server-traffic.html
> >>
> >> I would like to understand whether it really was a BGP 'hijacking',
> >> which is what it looks like judging by the BGPMon screenshot published
> >> in the article, or whether it was some other kind of problem.
> >>
> >> In particular, I want to understand it in order to know whether RPKI
> >> would have been useful for mitigating the event in this scenario.**
> >>
> >> Regards,
> >>
> >> ~Carlos
> >>
> >> **That way I can also add it to my RPKI PowerPoint :-)
> > _______________________________________________
> > LACNOG mailing list
> > LACNOG en lacnic.net
> > https://mail.lacnic.net/mailman/listinfo/lacnog
> > Unsubscribe: lacnog-unsubscribe en lacnic.net
>
> --
>
>
> At least I did something
> Don Draper - Mad Men
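Worked example, added by the editor and not part of any message in this thread: the origin validation (RFC 6811) that Roque's and Carlos's conclusion assumes the upstreams would run, applied to the announcements Doug lists. The ROA set and the upstream drop policy are constructed for the example; AS15169 as Google's origin AS and a maxLength of 24 are assumptions, since the thread does not show Google's actual ROAs.

```python
"""RFC 6811 BGP route origin validation against a constructed ROA set.

Added example for this thread; the ROAs and the upstream policy below are
assumptions, not taken from any message above.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce `prefix` and any
    more-specific of it no longer than /max_length."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed for the example. AS15169 is Google's ASN (not named in the
# thread). maxLength equal to the prefix length is the conservative choice:
# the /24 itself is authorised, no more-specific is.
ROAS: List[ROA] = [
    ROA("8.8.8.0/24", 24, 15169),
]


def validate(prefix: str, origin_as: int, roas: List[ROA] = ROAS) -> str:
    """Return "Valid", "Invalid" or "NotFound" for one announcement.

    A ROA covers the route when the route prefix lies inside the ROA prefix.
    No covering ROA -> NotFound. Any covering ROA with the same origin AS
    whose maxLength is not exceeded -> Valid. Otherwise -> Invalid.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        if route.version == roa_net.version and route.subnet_of(roa_net):
            covering.append(r)
    if not covering:
        return "NotFound"
    for r in covering:
        if r.origin_as == origin_as and route.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def accepted_by_upstream(
    announcements: Iterable[Tuple[str, int]],
    roas: List[ROA] = ROAS,
    drop_not_found: bool = False,
    max_prefixlen: Optional[int] = None,
) -> List[Tuple[str, int]]:
    """Simulate an upstream's import policy.

    Invalid routes are dropped; NotFound routes only if drop_not_found is
    set (rare, since most of the table has no ROA). max_prefixlen models the
    ordinary prefix-length filter most networks apply independently of RPKI
    (typically /24 for IPv4), which is why a /32 hardly propagates.
    """
    kept = []
    for prefix, asn in announcements:
        plen = ipaddress.ip_network(prefix, strict=False).prefixlen
        if max_prefixlen is not None and plen > max_prefixlen:
            continue
        state = validate(prefix, asn, roas)
        if state == "Invalid":
            continue
        if state == "NotFound" and drop_not_found:
            continue
        kept.append((prefix, asn))
    return kept


# Announcements discussed in the thread, with the origin ASNs Doug gives.
# The AS15169 route is the assumed legitimate one.
THREAD_ANNOUNCEMENTS = [
    ("8.8.8.8/32", 7908),        # BT Latam's ~20 minute /32
    ("8.8.8.0/24", 39605),       # the ~6 hour /24 from AS39605
    ("125.125.125.0/24", 7908),  # China Telecom space BT Latam leaks
    ("8.8.8.0/24", 15169),       # legitimate route (assumed origin)
]

if __name__ == "__main__":
    for prefix, asn in THREAD_ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn:<6} {validate(prefix, asn)}")
    print("kept by an ROV upstream:", accepted_by_upstream(THREAD_ANNOUNCEMENTS))
```

Three things fall out of running it. The 8.8.8.8/32 from AS7908 is Invalid for two independent reasons (wrong origin and longer than maxLength), so it stays Invalid even against a ROA with maxLength 32; the AS39605 /24 is Invalid on origin alone, and a plain "nothing longer than /24" filter would not have caught it. The 125.125.125.0/24 leak stays NotFound with this ROA set, so ROV does nothing for it unless the holder of that space publishes a ROA. And none of it matters unless the upstream actually drops Invalids, which is the "if configured at their upstreams" in Roque's conclusion.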