[lacnog] Prefix Hijacking

Lucas Willian Bocchi lucas.bocchi en gmail.com
Thu Dec 19 15:01:01 -02 2019


Arturo,
We have a session with this AS. It's our transit, but when I cease the
session on my side, the announcements continue to exist. Even when the BGP
router is powered off, the announcements continue for 30, 40 minutes or more.
It's impossible! The only way is hijacking the prefix, but now it appears to be
OK. We are testing with our other transits to check whether the problem
is now solved.

On Thu, Dec 19, 2019 at 13:53, Arturo Servin <arturo.servin en gmail.com>
wrote:

> According to RADB AS267759 is the correct origin.
>
> route:      45.167.18.0/23
> origin:     AS267759
> descr:      GRUPO INVERSOR EN COMUNICACIONES - Cliente de Trânsito da
> R-Line
> mnt-by:     MAINT-AS28145
> changed:    fabio en rline.com.br 20191213  #18:08:35Z
> source:     RADB
>
> No ROA apparently.
>
> So, not sure what the problem is.
>
> .as
>
>
> On Thu, Dec 19, 2019 at 4:49 PM Lucas Willian Bocchi <
> lucas.bocchi en gmail.com> wrote:
>
>> At the moment, it appears so.
>> We will test again at another time, maybe a time when the NOC isn't
>> reading the list threads.
>>
>>
>> On Thu, Dec 19, 2019 at 13:47, Ariel Antigua via LACNOG <
>> lacnog en lacnic.net> wrote:
>>
>>> Maybe it is fixed already?
>>>
>>> I was looking for your prefix and it is not in my routing table or being
>>> announced by 263774.
>>>
>>> bird>
>>> bird> show route where bgp_path.last = 263774 primary
>>> 138.117.78.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> 138.117.78.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> 138.117.79.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> 138.117.76.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> 138.117.76.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> 138.117.76.0/22    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> 138.117.77.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> 170.83.126.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> 170.83.126.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774?]
>>> 170.83.127.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> 170.83.124.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> 170.83.124.0/22    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> 170.83.124.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774?]
>>> 170.83.125.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>> bird> show route where bgp_path.last = 267759 primary
>>> bird>
>>>
>>> .aa
>>>
>>> *From: *Lucas Willian Bocchi <lucas.bocchi en gmail.com>
>>> *Sent: *Thursday, December 19, 2019 12:27 PM
>>> *To: *lacnog en lacnic.net
>>> *Subject: *[lacnog] Prefix Hijacking
>>>
>>>
>>>
>>> Hello.
>>>
>>>
>>>
>>> We have been in contact with AS263774 informing them of the problem but we
>>> won't provide any solution to the trouble.
>>>
>>> Our BGP session with AS263774 is totally down and the announcements
>>> don't cease to exist. We believe that this provider is hijacking our announcements.
>>>
>>> Thu Dec 19 16:08:16.916 UTC
>>> BGP routing table entry for 45.167.18.0/24
>>> Versions:
>>>   Process           bRIB/RIB  SendTblVer
>>>   Speaker          497636789   497636789
>>> Last Modified: Dec 19 15:36:44.535 for 00:31:32
>>> Paths: (1 available, best #1)
>>>   Advertised IPv4 Unicast paths to peers (in unique update groups):
>>>     38.5.0.99
>>>   Path #1: Received by speaker 0
>>>   Advertised IPv4 Unicast paths to peers (in unique update groups):
>>>     38.5.0.99
>>>   3356 3549 263774 263774 267759
>>>     4.68.111.177 (metric 103030) from 38.28.1.83 (38.28.1.238)
>>>       Origin IGP, metric 4294967294, localpref 100, valid, internal, best, group-best, import-candidate
>>>       Received Path ID 0, Local Path ID 1, version 497636789
>>>       Community: 174:11401 174:20666 174:21100 174:22005
>>>       Originator: 38.28.1.238, Cluster list: 38.28.1.83, 38.28.1.67
>>>
>>> What is the correct solution to the case? The NOC has already been alerted
>>> about the problem but says that "all is ok on your side".
>>>
>>>
>>>
>>> Regards.
>>>
>>>
>>> _______________________________________________
>>> LACNOG mailing list
>>> LACNOG en lacnic.net
>>> https://mail.lacnic.net/mailman/listinfo/lacnog
>>> Unsubscribe: https://mail.lacnic.net/mailman/options/lacnog
>>>
>
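The check made in this thread (compare the observed origin with the RADB route object, then look at which ASes the path still crosses) can be written down as follows. This is an added example, not code from any poster; the function names, the verdict strings, and the choice to treat a more-specific of the registered /23 as covered are assumptions, while the route object, prefix and AS path are the ones quoted above.

```python
import ipaddress

# Values copied from the thread: the RADB route object and the observed path.
ROUTE_OBJECT = """\
route:      45.167.18.0/23
origin:     AS267759
mnt-by:     MAINT-AS28145
source:     RADB
"""
SEEN_PREFIX = "45.167.18.0/24"
SEEN_PATH = "3356 3549 263774 263774 267759"


def parse_route_object(text):
    """Return (network, origin ASN) from an RPSL route object."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(key.strip(), value.strip())
    return ipaddress.ip_network(attrs["route"]), int(attrs["origin"][2:])


def collapse_prepends(path):
    """Parse an AS path string and drop consecutive duplicates (prepending)."""
    hops = []
    for asn in map(int, path.split()):
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops


def assess(prefix, path, route_object, dropped_neighbor):
    """Compare one observed announcement with the IRR record.

    dropped_neighbor is the AS whose session the origin reports as shut down.
    Assumption: a more-specific of the registered route counts as covered.
    """
    net, irr_origin = parse_route_object(route_object)
    hops = collapse_prepends(path)
    covered = ipaddress.ip_network(prefix).subnet_of(net)
    if not (covered and hops[-1] == irr_origin):
        return "origin-mismatch"  # origin differs from the IRR record
    if dropped_neighbor in hops[:-1]:
        return "origin-ok-via-dropped-neighbor"  # right origin, unexpected path
    return "consistent"


if __name__ == "__main__":
    print(assess(SEEN_PREFIX, SEEN_PATH, ROUTE_OBJECT, 263774))
```

For the path in the thread the result is `origin-ok-via-dropped-neighbor`: the origin agrees with RADB, so the question left for the upstream is why a path through AS263774 is still being propagated.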