[lacnog] Prefix Hijacking

Lucas Willian Bocchi lucas.bocchi en gmail.com
Jue Dic 19 15:17:12 -02 2019 

Gustavo

I don't know about these problem. Maybe we are a victim of these trouble
too.


Em qui., 19 de dez. de 2019 às 14:13, Gustavo Santos <gustkiller en gmail.com>
escreveu:

> Lucas,
>
> This issue is with their transit provider, Level3/Century Link. There are
> another Level3 / Century Link customers that are having this issue
> of stuck routes even after withdrawn or BGP session disabled with them.
>
>
>
> On Thu, Dec 19, 2019 at 2:01 PM Lucas Willian Bocchi <
> lucas.bocchi en gmail.com> wrote:
>
>> Arturo
>> We have session with these AS. It's our transit but when I cease the
>> session on my side, the announces continue to exists. Even when the BGP
>> router is powered off the announces continues for 30, 40 minutes or more.
>> It's impossible! The only way is hijacking the prefix but now appears to be
>> OK. We are testing with our another transits to check if the problem now
>> will solved.
>>
>> Em qui., 19 de dez. de 2019 às 13:53, Arturo Servin <
>> arturo.servin en gmail.com> escreveu:
>>
>>> According to RADB AS267759 is the correct origin.
>>>
>>> route:      45.167.18.0/23
>>> origin:     AS267759
>>> descr:      GRUPO INVERSOR EN COMUNICACIONES - Cliente de Trânsito da
>>> R-Line
>>> mnt-by:     MAINT-AS28145
>>> changed:    fabio en rline.com.br 20191213  #18:08:35Z
>>> source:     RADB
>>>
>>> No ROA apparently.
>>>
>>> So, not sure what the problem is.
>>>
>>> .as
>>>
>>>
>>> On Thu, Dec 19, 2019 at 4:49 PM Lucas Willian Bocchi <
>>> lucas.bocchi en gmail.com> wrote:
>>>
>>>> At the moment, appears.
>>>> We will test again in other time, maybe a time that the NOC doesn't are
>>>> reading the list threads.
>>>>
>>>>
>>>> Em qui., 19 de dez. de 2019 às 13:47, Ariel Antigua via LACNOG <
>>>> lacnog en lacnic.net> escreveu:
>>>>
>>>>> Maybe is fixed already?
>>>>>
>>>>>
>>>>>
>>>>> I was looking for your prefix and is not in my routing table or being
>>>>> announced by 263774.
>>>>>
>>>>>
>>>>>
>>>>> bird>
>>>>>
>>>>> bird> show route where bgp_path.last = 263774 primary
>>>>>
>>>>> 138.117.78.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> 138.117.78.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> 138.117.79.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> 138.117.76.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> 138.117.76.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> 138.117.76.0/22    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> 138.117.77.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> 170.83.126.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> 170.83.126.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774?]
>>>>>
>>>>> 170.83.127.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> 170.83.124.0/23    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> 170.83.124.0/22    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> 170.83.124.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774?]
>>>>>
>>>>> 170.83.125.0/24    via 185.1.119.40 on ens19 [t_loc_AS206499
>>>>> 2019-12-17 from 185.1.119.2] * (110) [AS263774i]
>>>>>
>>>>> bird> show route where bgp_path.last = 267759 primary
>>>>>
>>>>> bird>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> .aa
>>>>>
>>>>>
>>>>>
>>>>> *From: *Lucas Willian Bocchi <lucas.bocchi en gmail.com>
>>>>> *Sent: *Thursday, December 19, 2019 12:27 PM
>>>>> *To: *lacnog en lacnic.net
>>>>> *Subject: *[lacnog] Prefix Hijacking
>>>>>
>>>>>
>>>>>
>>>>> Hello.
>>>>>
>>>>>
>>>>>
>>>>> We have entered in contact with AS263774 informing the problem but we
>>>>> won't provide any solution to the trouble.
>>>>>
>>>>>
>>>>>
>>>>> Our BGP session with the AS263774 are totally down and the announces
>>>>> don't cease to exists. We believe that these provider hijack our announces
>>>>>
>>>>> Thu Dec 19 16:08:16.916 UTC
>>>>>
>>>>> BGP routing table entry for 45.167.18.0/24
>>>>>
>>>>> Versions:
>>>>>
>>>>>   Process           bRIB/RIB  SendTblVer
>>>>>
>>>>>   Speaker          497636789   497636789
>>>>>
>>>>> Last Modified: Dec 19 15:36:44.535 for 00:31:32
>>>>>
>>>>> Paths: (1 available, best #1)
>>>>>
>>>>>   Advertised IPv4 Unicast paths to peers (in unique update groups):
>>>>>
>>>>>     38.5.0.99
>>>>>
>>>>>   Path #1: Received by speaker 0
>>>>>
>>>>>   Advertised IPv4 Unicast paths to peers (in unique update groups):
>>>>>
>>>>>     38.5.0.99
>>>>>
>>>>>   3356 3549 263774 263774 267759
>>>>>
>>>>>     4.68.111.177 (metric 103030) from 38.28.1.83 (38.28.1.238)
>>>>>
>>>>>       Origin IGP, metric 4294967294, localpref 100, valid, internal, best, group-best, import-candidate
>>>>>
>>>>>       Received Path ID 0, Local Path ID 1, version 497636789
>>>>>
>>>>>       Community: 174:11401 174:20666 174:21100 174:22005
>>>>>
>>>>>       Originator: 38.28.1.238, Cluster list: 38.28.1.83, 38.28.1.67
>>>>>
>>>>> How are the correct solution to the case? The NOC are already alerted
>>>>> about the problem but says that "all is ok on your side".
>>>>>
>>>>>
>>>>>
>>>>> Regards.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> LACNOG mailing list
>>>>> LACNOG en lacnic.net
>>>>> https://mail.lacnic.net/mailman/listinfo/lacnog
>>>>> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
>>>>>
>>>> _______________________________________________
>>>> LACNOG mailing list
>>>> LACNOG en lacnic.net
>>>> https://mail.lacnic.net/mailman/listinfo/lacnog
>>>> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
>>>>
>>> _______________________________________________
>>> LACNOG mailing list
>>> LACNOG en lacnic.net
>>> https://mail.lacnic.net/mailman/listinfo/lacnog
>>> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
>>>
>> _______________________________________________
>> LACNOG mailing list
>> LACNOG en lacnic.net
>> https://mail.lacnic.net/mailman/listinfo/lacnog
>> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
>>
> _______________________________________________
> LACNOG mailing list
> LACNOG en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
>
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20191219/696677ce/attachment.html>

Más información sobre la lista de distribución LACNOG