[lacnog] 8.8.8.0/24 hijacked in Venezuela ??

Roque Gagliano rgaglian en gmail.com
Wed Mar 19 18:03:01 BRT 2014


I guess the conclusion is that AS7908 did originate the
8.8.8.8/32 announcement and then the (small coverage) leakage could
have been prevented by RPKI if configured at their upstreams.
r.


On Wed, Mar 19, 2014 at 9:48 PM, Carlos M. Martinez <
carlosmarcelomartinez en gmail.com> wrote:

> Doug,
>
> thanks for the good wishes and thank you very much for your very clear
> and complete answer, that is just what I was looking for.
>
> Kind regards,
>
> ~Carlos
>
> On 3/19/14, 5:44 PM, Doug Madory wrote:
> > Hola Carlos,
> >
> > Congrats on your new role at LACNIC!
> >
> > It is true that AS7908 announced 8.8.8.8/32 for about 20 minutes on
> > Saturday, although I'm skeptical of how significant this is.
> >
> > For one, because the route is a /32 it didn't travel very far. We had 4
> > of our 416 peers see it. I believe BGPmon had about the same number of
> > peers see the route. The article you cite implies that there was global
> > impact, however the actual number of users impacted is likely small. As far
> > as what the "impact" was, there isn't any evidence that this wasn't just a
> > leak of some internal route for proper handling of Google DNS queries. If
> > there were queries that were blocked or returned with bogus information,
> > then that would be concerning.
> >
> > Half of the routes that BT Latam (AS7908) transits (about 200) are from
> > Argentina, 80 are from Brazil, 40 from Venezuela and the rest from other
> > LATAM countries. I suspect this leaked route was probably there to make
> > sure the queries were handled in a certain way like directed to the local
> > Google DNS resolvers in Buenos Aires or Sao Paulo. I don't believe that we
> > know that any Google DNS queries at all were actually redirected to
> > Venezuela as the article suggests.
> >
> > What's more, AS7908 regularly announces 125.125.125.0/24, which is
> > Chinese address space that is currently in use by China Telecom. Given the
> > repeating pattern of the octets, I believe this is another internal route
> > they are inadvertently leaking - as opposed to hijacking the Chinese. :-) I
> > encounter this kind of thing regularly. Also AS7908 leaked internal routes
> > earlier that day. These things contribute to the appearance of sloppiness
> > more than anything nefarious.
> >
> > Rogers of Canada also announced 8.8.8.8/30 last year and it was
> > discussed on the NANOG list:
> > http://mailman.nanog.org/pipermail/nanog/2013-July/059736.html
> > That ultimately appeared to be benign:
> > http://mailman.nanog.org/pipermail/nanog/2013-July/059743.html
> >
> > There are other examples, such as AS39605 announcing 8.8.8.0/24 last
> > month for almost 6 hours.
> >
> > Having said all that, BGP hijacking is a legitimate concern that ought
> > to be addressed in a thoughtful way.
> >
> > Doug Madory
> > 603-643-9300 x115
> > Hanover, NH
> > "The Internet Intelligence Authority"
> >
> > On Mar 19, 2014, at 11:00 AM, lacnog-request en lacnic.net wrote:
> >
> >> Date: Tue, 18 Mar 2014 17:34:55 -0300
> >> From: Carlos Martinez-Cagnazzo <carlosm3011 en gmail.com>
> >> To: Latin America and Caribbean Region Network Operators Group
> >>      <lacnog en lacnic.net>
> >> Subject: [lacnog] 8.8.8.0/24 hijacked in Venezuela ??
> >> Message-ID:
> >>      <CA+z-_EXMyjqZ5EgqApjM97WMif1CEj_-B1z3--N9=-o13Qa25A en mail.gmail.com>
> >> Content-Type: text/plain; charset="iso-8859-1"
> >>
> >> I was just reading this:
> >>
> >> http://thehackernews.com/2014/03/google-public-dns-server-traffic.html
> >>
> >> I would like to understand whether this really was a BGP 'hijacking',
> >> which is what it looks like judging by the BGPMon screenshot published
> >> in the article, or whether it was some other kind of problem.
> >>
> >> In particular, I want to understand it in order to know whether RPKI
> >> would have been useful in this scenario to mitigate the event.**
> >>
> >> Regards
> >>
> >> ~Carlos
> >>
> >> **That way I can also add it to my RPKI powerpoint :-)
> > _______________________________________________
> > LACNOG mailing list
> > LACNOG en lacnic.net
> > https://mail.lacnic.net/mailman/listinfo/lacnog
> > Unsubscribe: lacnog-unsubscribe en lacnic.net
>



-- 


At least I did something
Don Draper - Mad Men
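
Added example, not part of the thread or any participant's code: a sketch of RFC 6811 route origin validation, the check an upstream running RPKI would apply to the announcements discussed above. It assumes a hypothetical ROA for 8.8.8.0/24 with maxLength 24 and origin AS15169 (Google's ASN); the thread does not say whether such a ROA existed, and no ROA is assumed for 125.125.125.0/24.

```python
import ipaddress

# Constructed ROA set (assumption, not from the thread):
# (prefix, maxLength, authorized origin ASN)
ROAS = [
    (ipaddress.ip_network("8.8.8.0/24"), 24, 15169),
]

def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, roa_asn in roas:
        # A ROA covers the route when the route is equal to, or more
        # specific than, the ROA prefix (same address family).
        if route.version != roa_prefix.version or not route.subnet_of(roa_prefix):
            continue
        covered = True
        # Match needs the same origin AS (AS0 never matches) and a prefix
        # length no longer than the ROA's maxLength.
        if roa_asn != 0 and roa_asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered by some ROA but matched by none -> invalid; no covering ROA -> not-found.
    return "invalid" if covered else "not-found"

def accept(prefix, origin_asn, roas=ROAS):
    """Common import policy: drop only invalid routes, keep valid and not-found."""
    return validate_origin(prefix, origin_asn, roas) != "invalid"

# Announcements named in the thread, plus two constructed control cases.
ANNOUNCEMENTS = [
    ("8.8.8.0/24", 15169),       # control: legitimate origin, exact length
    ("8.8.8.8/32", 7908),        # the 20-minute announcement from AS7908
    ("8.8.8.0/24", 39605),       # the almost-6-hour announcement from AS39605
    ("125.125.125.0/24", 7908),  # no ROA assumed, so RPKI does not reject it
    ("8.8.8.8/32", 15169),       # control: right origin, longer than maxLength
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        state = validate_origin(prefix, asn)
        action = "accept" if accept(prefix, asn) else "drop"
        print(f"{prefix:<18} AS{asn:<6} {state:<9} {action}")
```

Under these assumptions the two 8.8.8.x announcements from AS7908 and AS39605 come out invalid and would be dropped, while 125.125.125.0/24 is not-found and passes, since origin validation only helps for address space that has a ROA.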