[lacnog] [NOG-CHILE] Prefix hijack
Carlos M. Martinez
carlosmarcelomartinez at gmail.com
Thu Apr 3 10:21:39 BRT 2014
Hello,
we RIRs have neither police powers nor an oversight role. We are
facilitators of many activities thanks to our close contact with
the operator community, but we have no sanctioning instrument
to apply. And personally, I think it is good that this is so.
I think protection against this kind of occurrence lies elsewhere.
Regards
Carlos
On 4/3/14, 10:01 AM, Ivan Chapero wrote:
> Naive question: doesn't the RIR associated with the ISP have the authority
> to penalize it for such a tremendous, repeated aberration? Its upstream was
> also rather lax in allowing, as if it were nothing, 300k routes from a peer
> that was nowhere near that number in its normal state.
>
> It looks like a redistribution into its IGP followed by injection back into
> BGP, doesn't it?
>
> Regards.
>
> 2014-04-03 7:42 GMT-03:00 Alex Ojeda <alex at chilenetworks.com>:
>
> Mail received from bgpmon:
>
> From: Andree Toonk // BGPmon.net
> Sent: Thursday, April 3, 2014 2:27
> To: Alex Ojeda
> Subject: Additional information - Hijack event today by Indosat
>
>
>
> Dear BGPmon.net user,
>
>
>
> Today we observed a large-scale 'hijack' event that amongst others
> affected one or more of your prefixes. This email is to provide
> you with some additional information.
>
>
>
> What happened?
>
> Indosat, AS4761, one of Indonesia's largest telecommunication
> networks normally originates about 300 prefixes. Starting at
> 18:26 UTC (April 2, 2014) AS4761 began to originate 417,038 new
> prefixes normally announced by other Autonomous Systems such as
> yours. The 'mis-origination' event by Indosat lasted for several
> hours affecting different prefixes at different times until
> approximately 21:15 UTC.
>
>
>
> What caused this?
>
> Given the large scale of this event we presume this is not
> malicious or intentional but rather the result of an operational
> issue. Other sources report this was the result of a maintenance
> window gone bad. Interestingly we documented a similar event
> involving Indosat in 2011, more details regarding that incident
> can be found here:
> http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/
>
>
>
> Impact
>
> The impact of this event was different per network, many of the
> hijacked routes were seen by several providers in Thailand. This
> means that it's likely that communication between these providers
> in Thailand (as well as Indonesia) and your prefix may have been
> affected.
>
> One of the heuristics we look at to determine the global impact of
> an event like this is the number of probes that detected the
> event. In this case, out of the 400k affected prefixes, 8,182 were
> detected by more than 10 different probes, which means that the
> scope and impact of this event was larger for these prefixes.
>
> The link below is an example of a Syrian prefix that was hijacked
> by Indosat where the 'hijacked' route was seen from Australia to
> the US and Canada.
>
> http://portal.bgpmon.net/data/indosat-hijack.png
>
>
>
> What was the impact for my network?
>
> By clicking on the alert details link in the alert email or portal
> you will see the number of probes that detected the hijacked route
> update. It also shows you where in the world these updates were
> seen so you'll have an idea of the geographical scope of the event.
>
> Users with a premium account also have access to all the
> individual BGP updates as well as the full AS path. This will tell
> you in detail what networks selected this bad route and the exact
> timestamps. Some of you also received a phone call to inform you
> of the events immediately after detection (part of the Enterprise
> add-on).
>
>
>
> BGP probe and peering
>
> A BGP probe in this case means one of our peering partners. You
> too can become a peering partner and get access to our PeerMon
> service, for more details see:
>
> http://portal.bgpmon.net/peermon.php
>
>
>
> Questions and more information
>
> I hope this provides you with some useful additional information
> regarding this event. Feel free to contact us should you have any
> follow up questions or would like to have more information for the
> purpose of further forensics.
>
>
>
> Kind regards,
>
> Andree Toonk
>
>
>
> --
>
> BGPmon.net
>
> info at bgpmon.net
>
> http://www.bgpmon.net/
>
> Alex Matias Ojeda Mercado
>
> NOG CHILE
>
> alex at nog.cl
>
> +56971922362
>
> *From:* NOG [mailto:nog-bounces at nog.cl]
> *On behalf of* nog at nog.cl
> *Sent:* Wednesday, April 2, 2014 17:44
> *To:* Latin America and Caribbean Region Network Operators
> Group; nog at nog.cl; lacnog at lacnog.org
> *Subject:* Re: [NOG-CHILE] [lacnog] Prefix hijack
>
> Beautiful :-)
>
> ------------------------------------------------------------------------
>
> *From: *Alex Ojeda <alex at chilenetworks.com>
> *Sent: *02/04/2014 18:18
> *To: *nog at nog.cl; Latin America and Caribbean Region Network
> Operators Group <lacnog at lacnic.net>; lacnog at lacnog.org
> *Subject: *Re: [lacnog] [NOG-CHILE] Prefix hijack
>
> It is now more than confirmed that this event is global in scope,
> affecting more than 320,000 prefixes worldwide.
>
> Regards!
>
> Alex Matias Ojeda Mercado
> NOG CHILE
> alex at nog.cl
> +56971922362
>
> -----Original message-----
> From: NOG [mailto:nog-bounces at nog.cl] On behalf of nog at nog.cl
> Sent: Wednesday, April 2, 2014 16:02
> To: Latin America and Caribbean Region Network Operators Group;
> nog at nog.cl; lacnog at lacnog.org
> Subject: Re: [NOG-CHILE] [lacnog] Prefix hijack
>
> I expect *all* of you at the BGP+RPKI tutorial in Cancún
>
> :-)
>
>
>
> On 4/2/14, 4:52 PM, Alex Ojeda wrote:
> > I have just been alerted about 4 additional /24s
> >
> > Alex Matias Ojeda Mercado
> > NOG CHILE
> > alex at nog.cl
> > +56971922362
> >
> > -----Original message-----
> > From: NOG [mailto:nog-bounces at nog.cl] On behalf of nog at nog.cl
> > Sent: Wednesday, April 2, 2014 15:43
> > To: Latin America and Caribbean Region Network Operators Group;
> > 'nog at nog.cl'; lacnog at lacnog.org
> > Subject: Re: [NOG-CHILE] [lacnog] Prefix hijack
> >
> > Us too, and from the same AS. In fact, for us it also showed up as an
> > RPKI alarm.
> >
> > On 4/2/14, 4:32 PM, Alex Ojeda wrote:
> >> I just received an alert about a possible Prefix Hijack against one of
> >> my prefixes, from Indonesia.
> >>
> >> Anyone else seeing something similar?
> >>
> >> ====================================================================
> >> Possible Prefix Hijack (Code: 10)
> >> ====================================================================
> >> Your prefix: 64.76.170.0/24:
> >> Update time: 2014-04-02 18:28 (UTC)
> >> Detected by #peers: 1
> >> Detected prefix: 64.76.170.0/24
> >> Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
> >> Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
> >> ASpath: 18356 38794 4651 4761
> >>
> >> Alex Matias Ojeda Mercado
> >> NOG CHILE
> >> alex at nog.cl
> >> +56971922362
> >>
> >> _______________________________________________
> >> LACNOG mailing list
> >> LACNOG at lacnic.net
> >> https://mail.lacnic.net/mailman/listinfo/lacnog
> >> Unsubscribe: lacnog-unsubscribe at lacnic.net
> >>
> >
> > _______________________________________________
> > NOG mailing list
> > NOG at nog.cl
> > http://nog.cl/mailman/listinfo/nog_nog.cl
>
> --
> *Ivan Chapero
> Technical Area and Support*
> Landline: 03464-470280 (extension 535) | Mobile: 03464-155-20282 | Skype
> ID: ivanchapero
> --
> GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 -
> Arequito - Santa Fe - Argentina
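
Added example, not part of the original thread or of any participant's message: a minimal RFC 6811 route origin validation check, the kind of test behind the "RPKI alarm" mentioned in the thread, applied to the prefix and AS path from the quoted alert. The ROA entries and AS64500 (a documentation ASN standing in for the legitimate origin, which the thread does not name) are constructed assumptions.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin AS).
# AS64500 is a documentation ASN used as a placeholder for the real holder.
VRPS = [
    ("64.76.170.0/24", 24, 64500),
    ("64.76.0.0/16", 20, 64500),
]

# Fields copied from the alert quoted in the thread.
ALERT = """\
Detected prefix: 64.76.170.0/24
Announced by: AS4761
Upstream AS: AS4651
ASpath: 18356 38794 4651 4761
"""

def parse_alert(text):
    """Return (detected prefix, origin AS); the origin is the last AS in the path."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields["Detected prefix"], int(fields["ASpath"].split()[-1])

def validate_origin(prefix, origin_as, vrps=VRPS):
    """RFC 6811 outcome for one route: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in vrps:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # some VRP covers the route, so it can no longer be not-found
        # A match needs the same origin AS and a length within maxLength;
        # AS0 in a VRP never matches any announcement.
        if roa_as != 0 and origin_as == roa_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    prefix, origin = parse_alert(ALERT)
    print(prefix, f"AS{origin}", validate_origin(prefix, origin))
```

A route that is covered by a VRP but announced from a different origin, as in the alert, comes out `invalid`; a prefix with no covering VRP comes out `not-found`, which is why origin validation only protects address space whose holder has published ROAs.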