[lacnog] Prefix Hijacking

Gustavo Santos gustkiller en gmail.com
Jue Dic 19 15:13:03 -02 2019 

Lucas,

This issue is with their transit provider, Level3/Century Link. There are
another Level3 / Century Link customers that are having this issue
of stuck routes even after withdrawn or BGP session disabled with them.



On Thu, Dec 19, 2019 at 2:01 PM Lucas Willian Bocchi <lucas.bocchi en gmail.com>
wrote:

> Arturo
> We have session with these AS. It's our transit but when I cease the
> session on my side, the announces continue to exists. Even when the BGP
> router is powered off the announces continues for 30, 40 minutes or more.
> It's impossible! The only way is hijacking the prefix but now appears to be
> OK. We are testing with our another transits to check if the problem now
> will solved.
>
> Em qui., 19 de dez. de 2019 às 13:53, Arturo Servin <
> arturo.servin en gmail.com> escreveu:
>
>> According to RADB AS267759 is the correct origin.
>>
>> route:      45.167.18.0/23
>> origin:     AS267759
>> descr:      GRUPO INVERSOR EN COMUNICACIONES - Cliente de Trânsito da
>> R-Line
>> mnt-by:     MAINT-AS28145
>> changed:    fabio en rline.com.br 20191213  #18:08:35Z
>> source:     RADB
>>
>> No ROA apparently.
>>
>> So, not sure what the problem is.
>>
>> .as
>>
>>
>> On Thu, Dec 19, 2019 at 4:49 PM Lucas Willian Bocchi <
>> lucas.bocchi en gmail.com> wrote:
>>
>>> At the moment, appears.
>>> We will test again in other time, maybe a time that the NOC doesn't are
>>> reading the list threads.
>>>
>>>
>>> Em qui., 19 de dez. de 2019 às 13:47, Ariel Antigua via LACNOG <
>>> lacnog en lacnic.net> escreveu:
>>>
>>>> Maybe is fixed already?
>>>>
>>>>
>>>>
>>>> I was looking for your prefix and is not in my routing table or being
>>>> announced by 263774.
>>>>
>>>>
>>>>
>>>> bird>
>>>>
>>>> bird> show route where bgp_path.last = 263774 primary
>>>>
>>>> 138.117.78.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> 138.117.78.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> 138.117.79.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> 138.117.76.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> 138.117.76.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> 138.117.76.0/22    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> 138.117.77.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> 170.83.126.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> 170.83.126.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774?]
>>>>
>>>> 170.83.127.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> 170.83.124.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> 170.83.124.0/22    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> 170.83.124.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774?]
>>>>
>>>> 170.83.125.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>
>>>> bird> show route where bgp_path.last = 267759 primary
>>>>
>>>> bird>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> .aa
>>>>
>>>>
>>>>
>>>> *From: *Lucas Willian Bocchi <lucas.bocchi en gmail.com>
>>>> *Sent: *Thursday, December 19, 2019 12:27 PM
>>>> *To: *lacnog en lacnic.net
>>>> *Subject: *[lacnog] Prefix Hijacking
>>>>
>>>>
>>>>
>>>> Hello.
>>>>
>>>>
>>>>
>>>> We have entered in contact with AS263774 informing the problem but we
>>>> won't provide any solution to the trouble.
>>>>
>>>>
>>>>
>>>> Our BGP session with the AS263774 are totally down and the announces
>>>> don't cease to exists. We believe that these provider hijack our announces
>>>>
>>>> Thu Dec 19 16:08:16.916 UTC
>>>>
>>>> BGP routing table entry for 45.167.18.0/24
>>>>
>>>> Versions:
>>>>
>>>>   Process           bRIB/RIB  SendTblVer
>>>>
>>>>   Speaker          497636789   497636789
>>>>
>>>> Last Modified: Dec 19 15:36:44.535 for 00:31:32
>>>>
>>>> Paths: (1 available, best #1)
>>>>
>>>>   Advertised IPv4 Unicast paths to peers (in unique update groups):
>>>>
>>>>     38.5.0.99
>>>>
>>>>   Path #1: Received by speaker 0
>>>>
>>>>   Advertised IPv4 Unicast paths to peers (in unique update groups):
>>>>
>>>>     38.5.0.99
>>>>
>>>>   3356 3549 263774 263774 267759
>>>>
>>>>     4.68.111.177 (metric 103030) from 38.28.1.83 (38.28.1.238)
>>>>
>>>>       Origin IGP, metric 4294967294, localpref 100, valid, internal, best, group-best, import-candidate
>>>>
>>>>       Received Path ID 0, Local Path ID 1, version 497636789
>>>>
>>>>       Community: 174:11401 174:20666 174:21100 174:22005
>>>>
>>>>       Originator: 38.28.1.238, Cluster list: 38.28.1.83, 38.28.1.67
>>>>
>>>> How are the correct solution to the case? The NOC are already alerted
>>>> about the problem but says that "all is ok on your side".
>>>>
>>>>
>>>>
>>>> Regards.
>>>>
>>>>
>>>> _______________________________________________
>>>> LACNOG mailing list
>>>> LACNOG en lacnic.net
>>>> https://mail.lacnic.net/mailman/listinfo/lacnog
>>>> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
>>>>
>>> _______________________________________________
>>> LACNOG mailing list
>>> LACNOG en lacnic.net
>>> https://mail.lacnic.net/mailman/listinfo/lacnog
>>> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
>>>
>> _______________________________________________
>> LACNOG mailing list
>> LACNOG en lacnic.net
>> https://mail.lacnic.net/mailman/listinfo/lacnog
>> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
>>
> _______________________________________________
> LACNOG mailing list
> LACNOG en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
>
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20191219/05cbdc11/attachment.html>

Más información sobre la lista de distribución LACNOG