[lacnog] [NOG-CHILE] Prefix hijack
Carlos M. Martinez
carlosm3011 at gmail.com
Thu Apr 3 19:44:40 BRT 2014
Without a doubt, public shaming is a powerful instrument :-)
We could start a ranking of 'Famous ASes'
Regards,
C.
On 4/3/14, 5:36 PM, Roque Gagliano wrote:
> But humiliation on mailing lists like this one gets considerable
> results. Imagine interviewing a candidate for a position who
> tells you he worked at AS 4761 or another of the famous ones... :-)
>
> r.
>
> On Thu, Apr 3, 2014 at 3:32 PM, Ivan Chapero <info at ivanchapero.com.ar> wrote:
>
> Thanks for the clarification; my passing question comes from the fact
> that an RIR ultimately grants a resource, and perhaps one of them could
> apply conditions of "proper use", so to speak, to it. In
> this case the ASN, for example. Personal ravings :P
>
> Regards!
>
> 2014-04-03 10:21 GMT-03:00 Carlos M. Martinez
> <carlosmarcelomartinez at gmail.com>:
>
> Hi,
>
> we RIRs have no police power and no oversight role. We are
> facilitators of many activities thanks to our close contact
> with the operator community, but we have no
> instrument of sanction to apply. And personally, I think
> it is fine that this is so.
>
> I think protection against this kind of occurrence lies
> elsewhere.
>
> Regards,
>
> Carlos
>
> On 4/3/14, 10:01 AM, Ivan Chapero wrote:
>> Naive question: doesn't the RIR associated with the ISP have the
>> authority to penalize it for such a tremendous, repeated aberration? Its
>> upstream was also quite lax in allowing, as if it were nothing,
>> 300k routes from a peer that was nowhere near that number in
>> its normal state.
>>
>> It looks like a redistribution into its IGP followed by
>> injection back into BGP, doesn't it?
>>
>> Regards.
>>
>> 2014-04-03 7:42 GMT-03:00 Alex Ojeda <alex at chilenetworks.com>:
>>
>> Mail received from bgpmon:
>>
>> From: Andree Toonk // BGPmon.net
>> Sent: Thursday, April 03, 2014 2:27
>> To: Alex Ojeda
>> Subject: Additional information - Hijack event today by Indosat
>>
>> Dear BGPmon.net user,
>>
>>
>>
>> Today we observed a large-scale 'hijack' event that
>> amongst others affected one or more of your prefixes. This
>> email is to provide you with some additional information.
>>
>>
>>
>> What happened?
>>
>> Indosat, AS4761, one of Indonesia's largest
>> telecommunication networks normally originates about 300
>> prefixes. Starting at 18:26 UTC (April 2, 2014) AS4761
>> began to originate 417,038 new prefixes normally announced
>> by other Autonomous Systems such as yours. The
>> 'mis-origination' event by Indosat lasted for several
>> hours affecting different prefixes at different times
>> until approximately 21:15 UTC.
>>
>>
>>
>> What caused this?
>>
>> Given the large scale of this event we presume this is not
>> malicious or intentional but rather the result of an
>> operational issue. Other sources report this was the
>> result of a maintenance window gone bad. Interestingly we
>> documented a similar event involving Indosat in 2011, more
>> details regarding that incident can be found here:
>> http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/
>>
>>
>>
>> Impact
>>
>> The impact of this event was different per network, many
>> of the hijacked routes were seen by several providers in
>> Thailand. This means that it's likely that communication
>> between these providers in Thailand (as well as Indonesia)
>> and your prefix may have been affected.
>>
>> One of the heuristics we look at to determine the global
>> impact of an event like this is the number of probes that
>> detected the event. In this case, out of the 400k affected
>> prefixes, 8,182 were detected by more than 10 different
>> probes, which means that the scope and impact of this
>> event was larger for these prefixes.
>>
>> The link below is an example of a Syrian prefix that was
>> hijacked by Indosat where the 'hijacked' route was seen
>> from Australia to the US and Canada.
>>
>> http://portal.bgpmon.net/data/indosat-hijack.png
>>
>>
>>
>> What was the impact for my network?
>>
>> By clicking on the alert details link in the alert email
>> or portal you will see the number of probes that detected
>> the hijacked route update. It also shows you where in the
>> world these updates were seen so you'll have an idea of
>> the geographical scope of the event.
>>
>> Users with a premium account also have access to all the
>> individual BGP updates as well as the full AS path. This
>> will tell you in detail what networks selected this bad
>> route and the exact timestamps. Some of you also received
>> a phone call to inform you of the events immediately after
>> detection (part of the Enterprise add-on).
>>
>>
>>
>> BGP probe and peering
>>
>> A BGP probe in this case means one of our peering
>> partners. You too can become a peering partner and get
>> access to our PeerMon service, for more details see:
>>
>> http://portal.bgpmon.net/peermon.php
>>
>>
>>
>> Questions and more information
>>
>> I hope this provides you with some useful additional
>> information regarding this event. Feel free to contact us
>> should you have any follow up questions or would like to
>> have more information for the purpose of further forensics.
>>
>>
>>
>> Kind regards,
>>
>> Andree Toonk
>>
>>
>>
>> --
>>
>> BGPmon.net
>>
>> info at bgpmon.net
>>
>> http://www.bgpmon.net/
>>
>> Alex Matias Ojeda Mercado
>> NOG CHILE
>> alex at nog.cl
>> +56971922362
>>
>> *From:* NOG [mailto:nog-bounces at nog.cl] *On behalf of* nog at nog.cl
>> *Sent:* Wednesday, April 02, 2014 17:44
>> *To:* Latin America and Caribbean Region Network
>> Operators Group; nog at nog.cl; lacnog at lacnog.org
>> *Subject:* Re: [NOG-CHILE] [lacnog] Prefix hijack
>>
>> Beautiful :-)
>>
>> ------------------------------------------------------------------------
>>
>> *From:* Alex Ojeda <alex at chilenetworks.com>
>> *Sent:* 02/04/2014 18:18
>> *To:* nog at nog.cl; Latin America and
>> Caribbean Region Network Operators Group
>> <lacnog at lacnic.net>; lacnog at lacnog.org
>> *Subject:* Re: [lacnog] [NOG-CHILE] Prefix hijack
>>
>> It is now more than confirmed that this event is
>> global, affecting more than 320,000 prefixes around the globe.
>>
>> Regards!
>>
>> -----Original message-----
>> From: NOG [mailto:nog-bounces at nog.cl] On behalf of nog at nog.cl
>> Sent: Wednesday, April 02, 2014 16:02
>> To: Latin America and Caribbean Region Network Operators
>> Group; nog at nog.cl; lacnog at lacnog.org
>> Subject: Re: [NOG-CHILE] [lacnog] Prefix hijack
>>
>> I expect *all* of you at the BGP+RPKI tutorial in Cancún
>>
>> :-)
>>
>>
>>
>> On 4/2/14, 4:52 PM, Alex Ojeda wrote:
>> > I have just been alerted about 4 additional /24s
>> >
>> > -----Original message-----
>> > From: NOG [mailto:nog-bounces at nog.cl] On behalf of nog at nog.cl
>> > Sent: Wednesday, April 02, 2014 15:43
>> > To: Latin America and Caribbean Region Network Operators Group;
>> > 'nog at nog.cl'; lacnog at lacnog.org
>> > Subject: Re: [NOG-CHILE] [lacnog] Prefix hijack
>> >
>> > Us too, and from the same AS. In fact, for us it also
>> > came up as an RPKI alarm.
>> >
>> > On 4/2/14, 4:32 PM, Alex Ojeda wrote:
>> >> I just received an alert of a possible Prefix Hijack against one of
>> >> my prefixes, from Indonesia.
>> >>
>> >> Anyone else with something similar?
>> >>
>> >> ====================================================================
>> >> Possible Prefix Hijack (Code: 10)
>> >> ====================================================================
>> >> Your prefix: 64.76.170.0/24:
>> >> Update time: 2014-04-02 18:28 (UTC)
>> >> Detected by #peers: 1
>> >> Detected prefix: 64.76.170.0/24
>> >> Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
>> >> Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
>> >> ASpath: 18356 38794 4651 4761
>> >>
>> >> _______________________________________________
>> >> LACNOG mailing list
>> >> LACNOG at lacnic.net
>> >> https://mail.lacnic.net/mailman/listinfo/lacnog
>> >> Unsubscribe: lacnog-unsubscribe at lacnic.net
>> >>
>> >
>> > _______________________________________________
>> > NOG mailing list
>> > NOG at nog.cl
>> > http://nog.cl/mailman/listinfo/nog_nog.cl
>>
>> --
>> *Ivan Chapero
>> Technical Area and Support*
>> Landline: 03464-470280 (extension 535) | Mobile: 03464-155-20282
>> | Skype ID: ivanchapero
>> --
>> GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 -
>> 2183 - Arequito - Santa Fe - Argentina
>
> --
>
>
> At least I did something
> Don Draper - Mad Men
More information about the LACNOG mailing list
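
An added example, not part of the original thread and not BGPmon's own code: it parses the alert fields quoted above and runs RFC 6811 route origin validation on the announcement, the kind of check that raises an RPKI alarm like the one mentioned in the thread. The ROA table is constructed, and AS64500 is a documentation ASN standing in for the legitimate origin, which the thread does not give.

```python
import ipaddress
import re

# Alert fields as quoted in the thread, re-joined onto single lines.
ALERT = """\
Detected prefix: 64.76.170.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
ASpath: 18356 38794 4651 4761
"""

# Constructed ROA table: (prefix, maxLength, authorized origin ASN).
# AS64500 is a documentation ASN used as a placeholder for the legitimate
# holder, which the thread does not name.
ROAS = [("64.76.170.0/23", 24, 64500)]


def parse_alert(text):
    """Extract the announced prefix, origin AS and AS path from an alert."""
    fields = dict(re.findall(r"^([^:\n]+):[ \t]+(.+)$", text, re.M))
    path = [int(asn) for asn in fields["ASpath"].split()]
    origin = int(re.match(r"AS(\d+)", fields["Announced by"]).group(1))
    if path[-1] != origin:
        raise ValueError("origin AS does not match the end of the AS path")
    return ipaddress.ip_network(fields["Detected prefix"].strip()), origin, path


def rov_state(prefix, origin, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != prefix.version or not prefix.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if asn != 0 and asn == origin and prefix.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: the mis-origination case.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    prefix, origin, path = parse_alert(ALERT)
    print(prefix, "origin AS%d" % origin, "via AS%d" % path[-2],
          "->", rov_state(prefix, origin, ROAS))
```

A router or monitor applying this result would reject or flag `invalid` routes; `not-found` routes carry no RPKI signal either way, so prefixes without ROAs get no protection from this check.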