[lacnog] [NOG-CHILE] Prefix hijack

Carlos M. Martinez carlosmarcelomartinez en gmail.com
Thu Apr 3 10:41:51 BRT 2014


It is an interesting governance topic, but I think it should not be the
role of the RIRs.

Mind you, in an example like yours, Nico, the Internet does not live in a
bubble. Whoever is to blame for that prefix hijack is still 'liable' in
court.

Regards

C.

On 4/3/14, 10:38 AM, Nicolas Antoniello wrote:
> Ivan,
>
> The fact that nobody has the authority to penalize does not mean that
> nobody should ever be penalized for it... luckily (speaking as a
> technician) this kind of operational error is not penalized on the
> Internet for now... but then, what happens if you are using a
> telemedicine application and the prefix carrying the data flow gets
> hijacked?? Who would be responsible in that case?? ... quite a
> topic (not meaning to stir up controversy).  :)
>
> Regards,
> Nico
>
>
>
> On Thu, Apr 3, 2014 at 5:32 PM, Ivan Chapero <info en ivanchapero.com.ar>
> wrote:
>
>     Thanks for the clarification. My passing question comes from the
>     fact that an RIR ultimately hands out a resource, and perhaps one of
>     them could apply "appropriate use" conditions to it, so to speak. In
>     this case the ASN, for example. Personal ramblings :P
>
>     Regards!
>
>
>     2014-04-03 10:21 GMT-03:00 Carlos M. Martinez
>     <carlosmarcelomartinez en gmail.com>:
>
>         Hi,
>
>         we RIRs have neither police power nor an oversight role.
>         We are facilitators of many activities thanks to our close
>         contact with the operator community, but we have no
>         sanctioning instrument to apply. And personally, I think it
>         is good that it is that way.
>
>         I think protection against this kind of occurrence lies
>         elsewhere.
>
>         Regards
>
>         Carlos
>
>
>         On 4/3/14, 10:01 AM, Ivan Chapero wrote:
>>         Naive question: doesn't the RIR associated with the ISP have the
>>         authority to penalize it for such a tremendous, repeated
>>         aberration? Its upstream was also pretty lax in accepting, as if
>>         it were nothing, 300k routes from a peer that was nowhere near
>>         that number in its normal state.
>>
>>         It looks like a redistribution into its IGP and then
>>         re-injection into BGP, doesn't it?
>>
>>         Regards.
>>
>>
>>         2014-04-03 7:42 GMT-03:00 Alex Ojeda <alex en chilenetworks.com>:
>>
>>             Mail received from bgpmon:
>>
>>             From: Andree Toonk // BGPmon.net
>>             Sent: Thursday, April 3, 2014 2:27
>>             To: Alex Ojeda
>>             Subject: Additional information - Hijack event today by
>>             Indosat
>>
>>             Dear BGPmon.net user,
>>
>>             Today we observed a large-scale 'hijack' event that
>>             amongst others affected one or more of your prefixes.
>>             This email is to provide you with some additional
>>             information.
>>
>>             What happened?
>>
>>             Indosat, AS4761, one of Indonesia's largest
>>             telecommunication networks normally originates about 300
>>             prefixes.  Starting at 18:26 UTC (April 2, 2014) AS4761
>>             began to originate 417,038 new prefixes normally
>>             announced by other Autonomous Systems such as yours. The
>>             'mis-origination' event by Indosat lasted for several
>>             hours affecting different prefixes at different times
>>             until approximately 21:15 UTC.
>>
>>             What caused this?
>>
>>             Given the large scale of this event we presume this is
>>             not malicious or intentional but rather the result of an
>>             operational issue. Other sources report this was the
>>             result of a maintenance window gone bad. Interestingly we
>>             documented a similar event involving Indosat in 2011,
>>             more details regarding that incident can be found here:
>>             http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/
>>
>>             Impact
>>
>>             The impact of this event was different per network, many
>>             of the hijacked routes were seen by several providers in
>>             Thailand.  This means that it's likely that communication
>>             between these providers in Thailand (as well as
>>             Indonesia) and your prefix may have been affected.
>>
>>             One of the heuristics we look at to determine the global
>>             impact of an event like this is the number of probes that
>>             detected the event. In this case, out of the 400k
>>             affected prefixes, 8,182 were detected by more than 10
>>             different probes, which means that the scope and impact
>>             of this event was larger for these prefixes.
>>
>>             The link below is an example of a Syrian prefix that was
>>             hijacked by Indosat where the 'hijacked' route was seen
>>             from Australia to the US and Canada.
>>
>>             http://portal.bgpmon.net/data/indosat-hijack.png
>>
>>             What was the impact for my network?
>>
>>             By clicking on the alert details link in the alert email
>>             or portal you will see the number of probes that detected
>>             the hijacked route update. It also shows you where in the
>>             world these updates were seen so you'll have an idea of
>>             the geographical scope of the event.
>>
>>             Users with a premium account also have access to all the
>>             individual BGP updates as well as the full AS path. This
>>             will tell you in detail what networks selected this bad
>>             route and the exact timestamps. Some of you also received
>>             a phone call to inform you of the events immediately after
>>             detection (part of the Enterprise add-on).
>>
>>             BGP probe and peering
>>
>>             A BGP probe in this case means one of our peering
>>             partners. You too can become a peering partner and get
>>             access to our PeerMon service, for more details see:
>>
>>             http://portal.bgpmon.net/peermon.php
>>
>>             Questions and more information
>>
>>             I hope this provides you with some useful additional
>>             information regarding this event. Feel free to contact us
>>             should you have any follow up questions or would like to
>>             have more information for the purpose of further forensics.
>>
>>             Kind regards,
>>
>>             Andree Toonk
>>
>>             --
>>             BGPmon.net
>>             info en bgpmon.net
>>             http://www.bgpmon.net/
>>
>>             Alex Matias Ojeda Mercado
>>             NOG CHILE
>>             alex en nog.cl
>>             +56971922362
>>
>>             *From:* NOG [mailto:nog-bounces en nog.cl] *On behalf of* nog en nog.cl
>>             *Sent:* Wednesday, April 2, 2014 17:44
>>             *To:* Latin America and Caribbean Region Network
>>             Operators Group; nog en nog.cl; lacnog en lacnog.org
>>             *Subject:* Re: [NOG-CHILE] [lacnog] Prefix hijack
>>
>>             Beautiful :-)
>>
>>             ------------------------------------------------------------------------
>>
>>             *From:* Alex Ojeda <alex en chilenetworks.com>
>>             *Sent:* 02/04/2014 18:18
>>             *To:* nog en nog.cl; Latin America and Caribbean Region
>>             Network Operators Group <lacnog en lacnic.net>;
>>             lacnog en lacnog.org
>>             *Subject:* Re: [lacnog] [NOG-CHILE] Prefix hijack
>>
>>             It is now more than confirmed that this event is global in
>>             scope, affecting more than 320,000 prefixes around the globe.
>>
>>             Regards!
>>
>>             Alex Matias Ojeda Mercado
>>             NOG CHILE
>>             alex en nog.cl
>>             +56971922362
>>
>>
>>             -----Original message-----
>>             From: NOG [mailto:nog-bounces en nog.cl] On behalf of
>>             nog en nog.cl
>>             Sent: Wednesday, April 2, 2014 16:02
>>             To: Latin America and Caribbean Region Network
>>             Operators Group; nog en nog.cl; lacnog en lacnog.org
>>             Subject: Re: [NOG-CHILE] [lacnog] Prefix hijack
>>
>>             I'll be expecting *all* of you at the BGP+RPKI tutorial in Cancún
>>
>>             :-)
>>
>>
>>
>>             On 4/2/14, 4:52 PM, Alex Ojeda wrote:
>>             > I have just been alerted about 4 additional /24s
>>             >
>>             > Alex Matias Ojeda Mercado
>>             > NOG CHILE
>>             > alex en nog.cl
>>             > +56971922362
>>             >
>>             >
>>             > -----Original message-----
>>             > From: NOG [mailto:nog-bounces en nog.cl] On behalf of nog en nog.cl
>>             > Sent: Wednesday, April 2, 2014 15:43
>>             > To: Latin America and Caribbean Region Network Operators Group;
>>             > 'nog en nog.cl'; lacnog en lacnog.org
>>             > Subject: Re: [NOG-CHILE] [lacnog] Prefix hijack
>>             >
>>             > Same for us, and from the same AS. In fact, for us it also
>>             > showed up as an RPKI alarm.
>>             >
>>             >
>>             > On 4/2/14, 4:32 PM, Alex Ojeda wrote:
>>             >> I just received an alert about a possible Prefix Hijack
>>             >> against one of my prefixes, coming from Indonesia.
>>             >>
>>             >> Anyone else seeing something similar?
>>             >>
>>             >> ====================================================================
>>             >> Possible Prefix Hijack (Code: 10)
>>             >> ====================================================================
>>             >> Your prefix:          64.76.170.0/24:
>>             >> Update time:          2014-04-02 18:28 (UTC)
>>             >> Detected by #peers:   1
>>             >> Detected prefix:      64.76.170.0/24
>>             >> Announced by:         AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
>>             >> Upstream AS:          AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
>>             >> ASpath:               18356 38794 4651 4761
>>             >>
>>             >> Alex Matias Ojeda Mercado
>>             >> NOG CHILE
>>             >> alex en nog.cl
>>             >> +56971922362
>>             >>
>>             >> _______________________________________________
>>             >> LACNOG mailing list
>>             >> LACNOG en lacnic.net
>>             >> https://mail.lacnic.net/mailman/listinfo/lacnog
>>             >> Unsubscribe: lacnog-unsubscribe en lacnic.net
>>             >>
>>             >
>>             > _______________________________________________
>>             > NOG mailing list
>>             > NOG en nog.cl
>>             > http://nog.cl/mailman/listinfo/nog_nog.cl
>>             >
>>
>>         -- 
>>         *Ivan Chapero
>>         Technical Area and Support*
>>         Landline: 03464-470280 (extension 535) | Mobile:  03464-155-20282
>>         | Skype ID: ivanchapero
>>         --
>>         GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 -
>>         2183 - Arequito - Santa Fe - Argentina
>>
>
>     -- 
>     *Ivan Chapero
>     Technical Area and Support*
>     Landline: 03464-470280 (extension 535) | Mobile:  03464-155-20282
>     | Skype ID: ivanchapero
>     --
>     GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 -
>     Arequito - Santa Fe - Argentina
>
