[lacnog] [NOG-CHILE] Prefix hijack

Roque Gagliano rgaglian at gmail.com
Thu Apr 3 17:36:40 BRT 2014


But humiliation on mailing lists like this one is quite effective.
Imagine interviewing a candidate for a position who tells you that
they worked at AS 4761 or another of the famous ones... :-)

r.


On Thu, Apr 3, 2014 at 3:32 PM, Ivan Chapero <info at ivanchapero.com.ar> wrote:

> Thanks for the clarification. My offhand question comes from the fact that
> an RIR ultimately hands over a resource, and perhaps one of them could apply
> "appropriate use" conditions, so to speak, to it. In this case the ASN, for
> example. Personal ravings :P
>
> Regards!
>
>
> 2014-04-03 10:21 GMT-03:00 Carlos M. Martinez <carlosmarcelomartinez at gmail.com>:
>
>> Hello,
>>
>> we RIRs have neither police powers nor an oversight role. We are
>> facilitators of many activities thanks to our close contact with the
>> operator community, but we have no sanctioning instrument to apply.
>> And personally, I think it is right that this is so.
>>
>> I think protection against this kind of occurrence lies elsewhere.
>>
>> Regards
>>
>> Carlos
>>
>>
>> On 4/3/14, 10:01 AM, Ivan Chapero wrote:
>>
>> Naive question: doesn't the RIR associated with the ISP have the authority
>> to penalize it for such a tremendous, repeated aberration? Its upstream was
>> also pretty lax in allowing, as if nothing were wrong, 300k routes from a
>> peer that was nowhere near that number in its normal state.
>>
>> It looks like a redistribution into its IGP and then injection back into
>> BGP, doesn't it?
>>
>> Regards.
>>
>>
>> 2014-04-03 7:42 GMT-03:00 Alex Ojeda <alex at chilenetworks.com>:
>>
>>> Mail received from bgpmon:
>>>
>>> From: Andree Toonk // BGPmon.net
>>> Sent: Thursday, April 3, 2014 2:27
>>> To: Alex Ojeda
>>> Subject: Additional information - Hijack event today by Indosat
>>>
>>> Dear BGPmon.net user,
>>>
>>> Today we observed a large-scale 'hijack' event that amongst others
>>> affected one or more of your prefixes. This email is to provide you with
>>> some additional information.
>>>
>>> What happened?
>>>
>>> Indosat, AS4761, one of Indonesia's largest telecommunication networks
>>> normally originates about 300 prefixes. Starting at 18:26 UTC (April 2,
>>> 2014) AS4761 began to originate 417,038 new prefixes normally announced by
>>> other Autonomous Systems such as yours. The 'mis-origination' event by
>>> Indosat lasted for several hours affecting different prefixes at different
>>> times until approximately 21:15 UTC.
>>>
>>> What caused this?
>>>
>>> Given the large scale of this event we presume this is not malicious or
>>> intentional but rather the result of an operational issue. Other sources
>>> report this was the result of a maintenance window gone bad. Interestingly
>>> we documented a similar event involving Indosat in 2011, more details
>>> regarding that incident can be found here:
>>> http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/
>>>
>>> Impact
>>>
>>> The impact of this event was different per network, many of the hijacked
>>> routes were seen by several providers in Thailand. This means that it's
>>> likely that communication between these providers in Thailand (as well as
>>> Indonesia) and your prefix may have been affected.
>>>
>>> One of the heuristics we look at to determine the global impact of an
>>> event like this is the number of probes that detected the event. In this
>>> case, out of the 400k affected prefixes, 8,182 were detected by more than
>>> 10 different probes, which means that the scope and impact of this event
>>> was larger for these prefixes.
>>>
>>> The link below is an example of a Syrian prefix that was hijacked by
>>> Indosat where the 'hijacked' route was seen from Australia to the US and
>>> Canada.
>>>
>>> http://portal.bgpmon.net/data/indosat-hijack.png
>>>
>>> What was the impact for my network?
>>>
>>> By clicking on the alert details link in the alert email or portal you
>>> will see the number of probes that detected the hijacked route update. It
>>> also shows you where in the world these updates were seen so you'll have an
>>> idea of the geographical scope of the event.
>>>
>>> Users with a premium account also have access to all the individual BGP
>>> updates as well as the full AS path. This will tell you in detail what
>>> networks selected this bad route and the exact timestamps. Some of you also
>>> received a phone call to inform you of the events immediately after
>>> detection (part of the Enterprise add-on).
>>>
>>> BGP probe and peering
>>>
>>> A BGP probe in this case means one of our peering partners. You too can
>>> become a peering partner and get access to our PeerMon service, for more
>>> details see:
>>>
>>> http://portal.bgpmon.net/peermon.php
>>>
>>> Questions and more information
>>>
>>> I hope this provides you with some useful additional information
>>> regarding this event. Feel free to contact us should you have any follow up
>>> questions or would like to have more information for the purpose of further
>>> forensics.
>>>
>>> Kind regards,
>>>
>>> Andree Toonk
>>>
>>> --
>>> BGPmon.net
>>> info at bgpmon.net
>>> http://www.bgpmon.net/
>>>
>>> Alex Matias Ojeda Mercado
>>> NOG CHILE
>>> alex at nog.cl
>>> +56971922362
>>>
>>> *From:* NOG [mailto:nog-bounces at nog.cl] *On behalf of* nog at nog.cl
>>> *Sent:* Wednesday, April 2, 2014 17:44
>>> *To:* Latin America and Caribbean Region Network Operators Group;
>>> nog at nog.cl; lacnog at lacnog.org
>>> *Subject:* Re: [NOG-CHILE] [lacnog] Prefix hijack
>>>
>>> Beautiful :-)
>>>   ------------------------------
>>>
>>> *From:* Alex Ojeda <alex at chilenetworks.com>
>>> *Sent:* 02/04/2014 18:18
>>> *To:* nog at nog.cl; Latin America and Caribbean Region Network Operators
>>> Group <lacnog at lacnic.net>; lacnog at lacnog.org
>>> *Subject:* Re: [lacnog] [NOG-CHILE] Prefix hijack
>>>
>>> It is now more than confirmed that this event is global in scope, affecting
>>> more than 320,000 prefixes worldwide.
>>>
>>> Regards!
>>>
>>> Alex Matias Ojeda Mercado
>>> NOG CHILE
>>> alex at nog.cl
>>> +56971922362
>>>
>>> -----Original message-----
>>> From: NOG [mailto:nog-bounces at nog.cl <nog-bounces at nog.cl>] On behalf of
>>> nog at nog.cl
>>> Sent: Wednesday, April 2, 2014 16:02
>>> To: Latin America and Caribbean Region Network Operators Group;
>>> nog at nog.cl; lacnog at lacnog.org
>>> Subject: Re: [NOG-CHILE] [lacnog] Prefix hijack
>>>
>>> I'll be expecting *all* of you at the BGP+RPKI tutorial in Cancún
>>>
>>> :-)
>>>
>>> On 4/2/14, 4:52 PM, Alex Ojeda wrote:
>>> > I was just alerted about 4 additional /24s
>>> >
>>> > Alex Matias Ojeda Mercado
>>> > NOG CHILE
>>> > alex at nog.cl
>>> > +56971922362
>>> >
>>> > -----Original message-----
>>> > From: NOG [mailto:nog-bounces at nog.cl <nog-bounces at nog.cl>] On behalf of
>>> > nog at nog.cl
>>> > Sent: Wednesday, April 2, 2014 15:43
>>> > To: Latin America and Caribbean Region Network Operators Group;
>>> > 'nog at nog.cl'; lacnog at lacnog.org
>>> > Subject: Re: [NOG-CHILE] [lacnog] Prefix hijack
>>> >
>>> > Us too, and from the same AS. In fact, for us it also came up as an
>>> > RPKI alarm.
>>> >
>>> > On 4/2/14, 4:32 PM, Alex Ojeda wrote:
>>> >> I just received an alert about a possible Prefix Hijack of one of
>>> >> my prefixes from Indonesia.
>>> >>
>>> >> Anyone else with something similar?
>>> >>
>>> >> ====================================================================
>>> >> Possible Prefix Hijack (Code: 10)
>>> >> ====================================================================
>>> >> Your prefix:          64.76.170.0/24:
>>> >> Update time:          2014-04-02 18:28 (UTC)
>>> >> Detected by #peers:   1
>>> >> Detected prefix:      64.76.170.0/24
>>> >> Announced by:         AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
>>> >> Upstream AS:          AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
>>> >> ASpath:               18356 38794 4651 4761
>>> >>
>>> >> Alex Matias Ojeda Mercado
>>> >> NOG CHILE
>>> >> alex at nog.cl
>>> >> +56971922362
>>> >>
>>> >> _______________________________________________
>>> >> LACNOG mailing list
>>> >> LACNOG at lacnic.net
>>> >> https://mail.lacnic.net/mailman/listinfo/lacnog
>>> >> Unsubscribe: lacnog-unsubscribe at lacnic.net
>>> >>
>>> >
>>> > _______________________________________________
>>> > NOG mailing list
>>> > NOG at nog.cl
>>> > http://nog.cl/mailman/listinfo/nog_nog.cl
>>
>>
>> --
>>
>> *Ivan Chapero - Technical Area and Support*
>> Landline: 03464-470280 (extension 535) | Mobile: 03464-155-20282 | Skype ID:
>> ivanchapero
>> --
>> GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 -
>> Arequito - Santa Fe - Argentina
>
>
> --
>
> *Ivan Chapero - Technical Area and Support*
> Landline: 03464-470280 (extension 535) | Mobile: 03464-155-20282 | Skype ID:
> ivanchapero
> --
> GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 - Arequito
> - Santa Fe - Argentina


-- 


At least I did something
Don Draper - Mad Men
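
Added example, not part of the thread: RFC 6811 route origin validation applied to the announcement in the BGPmon alert quoted above, the kind of check behind the RPKI alarm one poster mentions. The ROA used here (64.76.168.0/22, maxLength 24, AS64500) is constructed for illustration, since the thread does not name the legitimate origin AS of the prefix.

```python
import ipaddress
import re

# Constructed VRPs (validated ROA payloads): (prefix, max length, origin ASN).
# AS64500 is a documentation ASN used as a placeholder for the legitimate
# holder; the real origin AS of this prefix is not given in the thread.
VRPS = [("64.76.168.0/22", 24, 64500)]

# Alert fields as they appear in the BGPmon alert quoted in the thread.
ALERT = """\
Detected prefix:      64.76.170.0/24
Announced by:         AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
ASpath:               18356 38794 4651 4761
"""


def parse_alert(text):
    """Return (prefix, origin ASN); the origin is the last AS in the path."""
    prefix = re.search(r"Detected prefix:\s+(\S+)", text).group(1)
    path = re.search(r"ASpath:\s+([\d ]+)", text).group(1).split()
    return prefix, int(path[-1])


def validate_origin(prefix, origin, vrps):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue  # this VRP does not cover the route
        covered = True
        # A match needs the same origin AS and a length within maxLength;
        # AS0 in a VRP never matches any route.
        if asn == origin and asn != 0 and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    prefix, origin = parse_alert(ALERT)
    print(prefix, f"AS{origin}", validate_origin(prefix, origin, VRPS))
```

A router or monitor that drops or flags "invalid" routes would reject this announcement only if the prefix holder has published a ROA; without one the result is "not-found" and the route is treated like any other.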