[lacnog] [NOG-CHILE] Prefix hijack

Ivan Chapero info at ivanchapero.com.ar
Thu Apr 3 10:32:52 BRT 2014


Thanks for the clarification. My passing question comes from the angle that an
RIR ultimately grants a resource, and perhaps one of them could apply
"proper use" conditions, so to speak, to it. In this case the
ASN, for example. Personal ramblings :P

Regards!


2014-04-03 10:21 GMT-03:00 Carlos M. Martinez <carlosmarcelomartinez at gmail.com>:

>  Hi,
>
> We RIRs have no police power and no oversight role. We are
> facilitators of many activities thanks to our close contact with
> the operator community, but we have no sanctioning instrument
> to apply. And personally, I think it is right that it is so.
>
> I think protection against this kind of occurrence lies
> elsewhere.
>
> Regards
>
> Carlos
>
>
> On 4/3/14, 10:01 AM, Ivan Chapero wrote:
>
>  Naive question: doesn't the RIR associated with the ISP have the authority to
> penalize it for such a tremendous, repeated aberration? Its upstream was also
> pretty lax in allowing, as if it were nothing, 300k routes from a peer that was
> nowhere near that number in its normal state.
>
>  It looks like a redistribution into its IGP followed by re-injection into BGP,
> doesn't it?
>
>  Regards.
>
>
> 2014-04-03 7:42 GMT-03:00 Alex Ojeda <alex at chilenetworks.com>:
>
>>  Mail received from bgpmon:
>>
>> From: Andree Toonk // BGPmon.net
>> Sent: Thursday, April 3, 2014 2:27
>> To: Alex Ojeda
>> Subject: Additional information - Hijack event today by Indosat
>>
>>
>> Dear BGPmon.net user,
>>
>>
>>
>> Today we observed a large-scale 'hijack' event that amongst others
>> affected one or more of your prefixes. This email is to provide you with
>> some additional information.
>>
>>
>>
>> What happened?
>>
>> Indosat, AS4761, one of Indonesia's largest telecommunication networks
>> normally originates about 300 prefixes.  Starting at 18:26 UTC (April 2,
>> 2014) AS4761 began to originate 417,038 new prefixes normally announced by
>> other Autonomous Systems such as yours. The 'mis-origination' event by
>> Indosat lasted for several hours affecting different prefixes at different
>> times until approximately 21:15 UTC.
>>
>>
>>
>> What caused this?
>>
>> Given the large scale of this event we presume this is not malicious or
>> intentional but rather the result of an operational issue. Other sources
>> report this was the result of a maintenance window gone bad. Interestingly
>> we documented a similar event involving Indosat in 2011, more details
>> regarding that incident can be found here:
>> http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/
>>
>>
>>
>> Impact
>>
>> The impact of this event was different per network, many of the hijacked
>> routes were seen by several providers in Thailand.  This means that it's
>> likely that communication between these providers in Thailand (as well as
>> Indonesia) and your prefix may have been affected.
>>
>> One of the heuristics we look at to determine the global impact of an
>> event like this is the number of probes that detected the event. In this
>> case, out of the 400k affected prefixes, 8,182 were detected by more than
>> 10 different probes, which means that the scope and impact of this event
>> was larger for these prefixes.
>>
>> The link below is an example of a Syrian prefix that was hijacked by
>> Indosat where the 'hijacked' route was seen from Australia to the US and
>> Canada.
>>
>> http://portal.bgpmon.net/data/indosat-hijack.png
>>
>>
>>
>> What was the impact for my network?
>>
>> By clicking on the alert details link in the alert email or portal you
>> will see the number of probes that detected the hijacked route update. It
>> also shows you where in the world these updates were seen so you'll have an
>> idea of the geographical scope of the event.
>>
>> Users with a premium account also have access to all the individual BGP
>> updates as well as the full AS path. This will tell you in detail what
>> networks selected this bad route and the exact timestamps. Some of you also
>> received a phone call to inform you of the events immediately after
>> detection (part of the Enterprise add-on).
>>
>>
>>
>> BGP probe and peering
>>
>> A BGP probe in this case means one of our peering partners. You too can
>> become a peering partner and get access to our PeerMon service, for more
>> details see:
>>
>> http://portal.bgpmon.net/peermon.php
>>
>>
>>
>> Questions and more information
>>
>> I hope this provides you with some useful additional information
>> regarding this event. Feel free to contact us should you have any follow up
>> questions or would like to have more information for the purpose of further
>> forensics.
>>
>>
>>
>> Kind regards,
>>
>> Andree Toonk
>>
>>
>>
>> --
>>
>> BGPmon.net
>>
>> info at bgpmon.net
>>
>> http://www.bgpmon.net/
>>
>> Alex Matias Ojeda Mercado
>> NOG CHILE
>> alex at nog.cl
>> +56971922362
>>
>> *From:* NOG [mailto:nog-bounces at nog.cl] *On behalf of* nog at nog.cl
>> *Sent:* Wednesday, April 2, 2014 17:44
>> *To:* Latin America and Caribbean Region Network Operators Group;
>> nog at nog.cl; lacnog at lacnog.org
>> *Subject:* Re: [NOG-CHILE] [lacnog] Prefix hijack
>>
>> Beautiful :-)
>>   ------------------------------
>>
>> *From:* Alex Ojeda <alex at chilenetworks.com>
>> *Sent:* 02/04/2014 18:18
>> *To:* nog at nog.cl; Latin America and Caribbean Region Network Operators
>> Group <lacnog at lacnic.net>; lacnog at lacnog.org
>> *Subject:* Re: [lacnog] [NOG-CHILE] Prefix hijack
>>
>> It is now more than confirmed that this event is global in scope, affecting
>> more than 320,000 prefixes worldwide.
>>
>> Regards!
>>
>> Alex Matias Ojeda Mercado
>> NOG CHILE
>> alex at nog.cl
>> +56971922362
>>
>> -----Original message-----
>> From: NOG [mailto:nog-bounces at nog.cl <nog-bounces at nog.cl>] On behalf of
>> nog at nog.cl
>> Sent: Wednesday, April 2, 2014 16:02
>> To: Latin America and Caribbean Region Network Operators Group;
>> nog at nog.cl; lacnog at lacnog.org
>> Subject: Re: [NOG-CHILE] [lacnog] Prefix hijack
>>
>> I look forward to seeing *all* of you at the BGP+RPKI tutorial in Cancún
>>
>> :-)
>>
>>
>>
>> On 4/2/14, 4:52 PM, Alex Ojeda wrote:
>> > I have just been alerted about 4 additional /24s
>> >
>> > Alex Matias Ojeda Mercado
>> > NOG CHILE
>> > alex at nog.cl
>> > +56971922362
>> >
>> > -----Original message-----
>> > From: NOG [mailto:nog-bounces at nog.cl <nog-bounces at nog.cl>] On behalf of nog at nog.cl
>> > Sent: Wednesday, April 2, 2014 15:43
>> > To: Latin America and Caribbean Region Network Operators Group;
>> > 'nog at nog.cl'; lacnog at lacnog.org
>> > Subject: Re: [NOG-CHILE] [lacnog] Prefix hijack
>> >
>> > Same for us, and from the same AS. In fact, for us it also went off as an RPKI alarm.
>> >
>> >
>> > On 4/2/14, 4:32 PM, Alex Ojeda wrote:
>> >> I have just received an alert about a possible Prefix Hijack against one of
>> >> my prefixes, from Indonesia.
>> >>
>> >> Has anyone else seen something similar?
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> ====================================================================
>> >>
>> >> Possible Prefix Hijack (Code: 10)
>> >>
>> >> ====================================================================
>> >>
>> >> Your prefix:          64.76.170.0/24:
>> >>
>> >> Update time:          2014-04-02 18:28 (UTC)
>> >>
>> >> Detected by #peers:   1
>> >>
>> >> Detected prefix:      64.76.170.0/24
>> >>
>> >> Announced by:         AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
>> >> Provider,ID)
>> >>
>> >> Upstream AS:          AS4651 (THAI-GATEWAY The Communications Authority
>> >> of Thailand(CAT),TH)
>> >>
>> >> ASpath:               18356 38794 4651 4761
>> >>
>> >> Alex Matias Ojeda Mercado
>> >> NOG CHILE
>> >> alex at nog.cl
>> >> +56971922362
>> >>
>> >> _______________________________________________
>> >> LACNOG mailing list
>> >> LACNOG at lacnic.net
>> >> https://mail.lacnic.net/mailman/listinfo/lacnog
>> >> Unsubscribe: lacnog-unsubscribe at lacnic.net
> --
>
> *Ivan Chapero, Technical Area and Support*
> Landline: 03464-470280 (extension 535) | Mobile: 03464-155-20282 | Skype ID:
> ivanchapero
> --
> GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 - Arequito
> - Santa Fe - Argentina


-- 

*Ivan Chapero, Technical Area and Support*
Landline: 03464-470280 (extension 535) | Mobile: 03464-155-20282 | Skype ID:
ivanchapero
--
GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 - Arequito
- Santa Fe - Argentina
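
The two controls raised in this thread, RPKI origin validation (the "RPKI alarm") and a per-peer prefix limit on the upstream side, sketched as an added example that is not part of the original messages. Only the prefix and AS path come from the quoted alert; the ROA with AS64500 (a documentation ASN), the 10.0.0.0/8 test prefixes and the `PeerSession` class are constructed assumptions, and `rov_state` is the general RFC 6811 procedure rather than any participant's tooling.

```python
import ipaddress
from itertools import islice

# Constructed ROA: AS64500 (documentation ASN) stands in for the legitimate
# origin of the prefix in the alert; the thread does not name the real one.
ROAS = [("64.76.170.0/24", 24, 64500)]  # (prefix, maxLength, origin AS)

def origin_of(as_path):
    """The origin AS is the right-most ASN in the AS path."""
    return int(as_path.split()[-1])

def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 route origin validation: valid / invalid / not-found."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if net.prefixlen <= max_len and origin_as == roa_as:
                return "valid"
    return "invalid" if covered else "not-found"

class PeerSession:
    """Inbound policy for one neighbor: drop RPKI-invalid, enforce max-prefix."""
    def __init__(self, max_prefixes):
        self.max_prefixes = max_prefixes
        self.accepted = set()
        self.state = "established"

    def receive(self, prefix, as_path):
        if self.state != "established":
            return "dropped: session down"
        if rov_state(prefix, origin_of(as_path)) == "invalid":
            return "rejected: rpki-invalid"
        self.accepted.add(prefix)
        if len(self.accepted) > self.max_prefixes:
            # Tear the session down and withdraw everything learned from it.
            self.state = "idle (max-prefix exceeded)"
            self.accepted.clear()
            return "session torn down"
        return "accepted"

def simulate_leak(limit, announced):
    """Feed `announced` constructed /24s (no ROA) from a peer capped at `limit`."""
    session = PeerSession(limit)
    nets = ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=24)
    results = [session.receive(str(n), "4651 4761") for n in islice(nets, announced)]
    return results.count("accepted"), session.state
```

With a constructed limit of 600 on a peer that normally sends about 300 prefixes, `simulate_leak(600, 1000)` stops accepting at the limit, while the announcement from the alert is rejected on origin alone.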