[lacnog] ¿¿ 8.8.8.0/24 hijacked in Venezuela ??

Doug Madory dmadory at renesys.com
Wed Mar 19 17:44:30 BRT 2014


Hola Carlos,

Congrats on your new role at LACNIC!

It is true that AS7908 announced 8.8.8.8/32 for about 20 minutes on Saturday, although I'm skeptical of how significant this is.

For one, because the route is a /32 it didn't travel very far. We had 4 of our 416 peers see it. I believe BGPmon had about the same number of peers see the route. The article you cite implies that there was global impact, however the actual number of users impacted is likely small. As far as what the "impact" was, there isn't any evidence that this wasn't just a leak of some internal route for proper handling of Google DNS queries. If there were queries that were blocked or returned with bogus information, then that would be concerning.

Half of the routes that BT Latam (AS7908) transits (about 200) are from Argentina, 80 are from Brazil, 40 from Venezuela and the rest from other LATAM countries. I suspect this leaked route was probably there to make sure the queries were handled in a certain way like directed to the local Google DNS resolvers in Buenos Aires or Sao Paulo. I don't believe that we know that any Google DNS queries at all were actually redirected to Venezuela as the article suggests.

What's more, AS7908 regularly announces 125.125.125.0/24, which is Chinese address space that is currently in use by China Telecom. Given the repeating pattern of the octets, I believe this is another internal route they are inadvertently leaking - as opposed to hijacking the Chinese. :-) I encounter this kind of thing regularly. Also AS7908 leaked internal routes earlier that day. These things contribute to the appearance of sloppiness more than anything nefarious.

Rogers of Canada also announced 8.8.8.8/30 last year and it was discussed on the NANOG list:
http://mailman.nanog.org/pipermail/nanog/2013-July/059736.html
That ultimately appeared to be benign:
http://mailman.nanog.org/pipermail/nanog/2013-July/059743.html

There are other examples, such as AS39605 announcing 8.8.8.0/24 last month for almost 6 hours.

Having said all that, BGP hijacking is a legitimate concern that ought to be addressed in a thoughtful way.

Doug Madory
603-643-9300 x115
Hanover, NH
"The Internet Intelligence Authority"

On Mar 19, 2014, at 11:00 AM, lacnog-request at lacnic.net wrote:

> Date: Tue, 18 Mar 2014 17:34:55 -0300
> From: Carlos Martinez-Cagnazzo <carlosm3011 at gmail.com>
> To: Latin America and Caribbean Region Network Operators Group
> 	<lacnog at lacnic.net>
> Subject: [lacnog] ¿¿ 8.8.8.0/24 hijacked in Venezuela ??
> Message-ID:
> 	<CA+z-_EXMyjqZ5EgqApjM97WMif1CEj_-B1z3--N9=-o13Qa25A at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> I was just reading this:
> 
> http://thehackernews.com/2014/03/google-public-dns-server-traffic.html
> 
> I would like to understand whether this really was a BGP 'hijacking', which
> is what it appears to be judging by the BGPMon screenshot published in the
> article, or whether it was some other kind of problem.
> 
> In particular, I want to understand it so I know whether RPKI would have
> been useful for mitigating the event in this scenario.**
> 
> Cheers,
> 
> ~Carlos
> 
> **And while I'm at it, I'll add it to my RPKI PowerPoint :-)
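
Carlos's question is whether RPKI would have helped here. The following is an added example, not code from the thread, from Renesys or from BGPmon: it runs RFC 6811 route origin validation over the (prefix, origin AS) pairs the thread mentions. The ROA table is an assumption constructed for the example (a single ROA for 8.8.8.0/24, origin AS15169, maxLength 24, and deliberately no ROA for 125.125.125.0/24); the thread does not establish what ROAs actually existed in March 2014. The names `roa`, `validate`, `check` and `check_thread_routes` are the example's own.

```python
"""Route Origin Validation (RFC 6811) over the announcements discussed in the
thread.  Added example; the ROA table and route list are constructed for
illustration, not taken from any RPKI repository or BGP collector."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Dict, Iterable, List, Optional, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Net
    max_length: int
    origin_asn: int


def roa(prefix: str, origin_asn: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; maxLength defaults to the prefix length (no more-specifics allowed)."""
    net = ip_network(prefix, strict=True)
    return ROA(net, net.prefixlen if max_length is None else max_length, origin_asn)


def covers(r: ROA, prefix: Net) -> bool:
    """A ROA covers a route when the route prefix lies within the ROA prefix."""
    return r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)


def validate(prefix: Net, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 validation state for one (prefix, origin AS) pair.

    NotFound: no ROA covers the prefix, so RPKI says nothing about it.
    Valid:    a covering ROA matches the origin AS and permits this length.
    Invalid:  ROAs cover the prefix but none matches (wrong origin AS, or the
              route is more specific than the ROA's maxLength allows).
    """
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.origin_asn == origin_asn and prefix.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


# Constructed ROA table (an assumption for this example, not a repository dump).
ROAS: List[ROA] = [
    roa("8.8.8.0/24", 15169),  # Google's /24, maxLength defaults to 24
]

# Routes mentioned in the thread, plus one constructed case (the /30 with the
# legitimate origin) to show that a tight maxLength also rejects the holder's
# own more-specifics.
THREAD_ROUTES: List[Tuple[str, int]] = [
    ("8.8.8.0/24", 15169),       # Google's normal announcement
    ("8.8.8.8/32", 7908),        # the 20-minute /32 from BT Latam
    ("8.8.8.0/24", 39605),       # AS39605's /24 from the previous month
    ("8.8.8.8/30", 15169),       # constructed: legitimate origin, too long for the ROA
    ("125.125.125.0/24", 7908),  # the regularly announced China Telecom /24
]


def check(prefix: str, origin_asn: int, roas: Iterable[ROA] = ROAS) -> str:
    """String-friendly wrapper around validate()."""
    return validate(ip_network(prefix, strict=True), origin_asn, roas)


def check_thread_routes() -> Dict[str, str]:
    """Validation state for every route in THREAD_ROUTES, keyed "prefix ASn"."""
    return {f"{p} AS{a}": check(p, a) for p, a in THREAD_ROUTES}


if __name__ == "__main__":
    for route, state in check_thread_routes().items():
        print(f"{route:28} {state}")
```

Under this ROA table the /32 from AS7908, the /24 from AS39605 and even a /30 originated by AS15169 itself all come out Invalid, while 125.125.125.0/24 is NotFound because nothing covers it. Two caveats apply. Validation only mitigates anything if the networks that received the route drop Invalids; in the thread only 4 of 416 peers saw the /32 at all. And IPv4 prefixes longer than /24 are commonly rejected by prefix-length filters regardless of RPKI, which is independent of origin validation.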

More information about the LACNOG mailing list