[lacnog] Hijacking of IP block 200.33.113.0/24
Job Snijders
job at sobornost.net
Sun Jan 3 13:05:14 -03 2021
Dear Javier,

On Sun, Jan 03, 2021 at 11:50:15AM -0400, Javier Galvez via LACNOG wrote:
> I have 2 problems
>
> 1) it is not reachable from everywhere....
>
> http://ping.pe/200.33.113.1

This indeed is indicative of a problem, I gather there are two upstream
providers for this /24. Since roughly half the probing seems broken I
think the problem can be narrowed down to one of the two upstream
circuits.

> 2) when I asked HE.NET for the announcement, sending the LOA, they told
> me that they could NOT do it manually, and that the IRR should be used,
> and that the IRR of whois.ALTDB.NET and whois.LACNIC.NET do not match
> and that both should be made to match (for the ASN of the provider
> AS22541 that will announce the ASN of the customer AS264747)
>
> 200.33.113.0/24,rejected,origin 264747 RPKI status VALID. ASN 22541
> and prefix RIR handles do not match. Prefix missing from IRR policy.

A valid RPKI ROA object should be sufficient of a LOA, and certainly
should be considered more trustworthy than an IRR object entry!

The problem is visible here:

nero01.ring.nlnog.net$ mtr -w -r 200.33.113.1
Start: 2021-01-03T15:58:10+0000
HOST: nero01.ring.nlnog.net Loss% Snt Last Avg Best Wrst StDev
1.|-- eugn-noc-gw.nero.net 0.0% 10 0.9 1.4 0.8 6.5 1.8
2.|-- eugn-p1-gw.nero.net 0.0% 10 2.0 3.1 1.8 11.6 3.0
3.|-- eugn-core1-gw.nero.net 0.0% 10 0.8 0.8 0.7 1.1 0.1
4.|-- 5-1-4.bear1.Sacramento1.Level3.net 50.0% 10 12.2 12.3 12.2 12.4 0.1
5.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
6.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
7.|-- ae1-80G.ar2.LIM1.gblx.net 90.0% 10 148.4 148.4 148.4 148.4 0.0
8.|-- 190.216.122.102 0.0% 10 148.0 147.8 147.7 148.0 0.1
9.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
10.|-- as22541.r0.101.si.lim.pe.iptp.net 0.0% 10 170.0 169.8 169.7 170.0 0.1
11.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
*** blackhole starts ***

proserve01.ring.nlnog.net$ mtr -w -r 200.33.113.1
Start: Sun Jan 3 15:58:59 2021
HOST: proserve01.ring.nlnog.net Loss% Snt Last Avg Best Wrst StDev
1.|-- ip-space.by.proserve.nl 0.0% 10 0.3 0.3 0.3 0.5 0.0
2.|-- routed.by.proserve.nl 0.0% 10 0.3 5.7 0.3 52.8 16.5
3.|-- te1-2-vl7.cr1.nkf.nl.proserve.nl 0.0% 10 2.6 2.6 2.6 2.7 0.0
4.|-- te0-23.cr1.nkf.as49685.net 0.0% 10 3.2 3.3 3.0 4.4 0.3
5.|-- 5-1-15.ear4.Amsterdam1.Level3.net 0.0% 10 3.2 2.9 2.9 3.2 0.0
6.|-- ae-2-3203.edge4.Amsterdam1.Level3.net 0.0% 10 3.1 3.2 3.0 3.8 0.0
7.|-- 4.68.75.54 0.0% 10 3.2 5.5 3.2 21.6 5.7
8.|-- ae1-80G.ar2.LIM1.gblx.net 90.0% 10 174.6 174.6 174.6 174.6 0.0
9.|-- 190.216.122.102 0.0% 10 175.0 175.0 174.9 175.0 0.0
10.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
*** blackhole starts ***

Looking at the IPTP looking glass: https://www.iptp.net/en_US/iptp-tools/lg/?command=bgp&query=200.33.113.1&router=9efdce37e359&protocol=ipv4
we see that their best path is via AS 25541 :

22541 22541 22541 264747
91.194.117.242 (metric 3236) from 91.194.117.244 (91.194.117.244)
Origin IGP, metric 0, localpref 120, valid, internal, best
Community: 41095:3000 41095:3700 41095:14999
Originator: 91.194.117.242, Cluster list: 91.194.117.244, 91.194.117.241, 91.194.117.205, 91.194.117.217
rx pathid: 0, tx pathid: 0x0

I recommend to investigate whether there is some problem close to the
AS22541 <> AS264747 circuit. You can also test if reachability improves
if the circuit towards AS22541 is temporarily disabled.

Kind regards,
Job
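
Added example, not part of the original message and not code from its author or the list: a minimal RFC 6811 route origin validation check, showing why the announcement in this thread evaluates as RPKI VALID while the same prefix from another origin, or a more-specific of it, would not. The VRP table is constructed sample data; the ROA's maxLength of 24 is an assumption, since the page does not state it.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max_length, origin ASN).
# The first entry is modelled on the thread's "origin 264747 RPKI status VALID"
# line; max_length 24 is an assumption, the page does not give it.
SAMPLE_VRPS = [
    ("200.33.113.0/24", 24, 264747),
    ("192.0.2.0/24", 24, 64500),  # documentation prefix, reserved ASN
]


def origin_of(as_path):
    """Origin AS is the right-most ASN of a plain AS_PATH (prepends ignored)."""
    return int(as_path.split()[-1])


def validate_origin(prefix, origin_asn, vrps=SAMPLE_VRPS):
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route lies inside the VRP prefix.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Match: route no longer than maxLength and same origin (AS0 never matches).
        if route.prefixlen <= max_len and vrp_asn != 0 and origin_asn == vrp_asn:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid, a hijack signal.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    path = "22541 22541 22541 264747"  # AS path from the looking glass output
    for pfx, asn in [
        ("200.33.113.0/24", origin_of(path)),  # the announcement in the thread
        ("200.33.113.0/24", 22541),            # same prefix, wrong origin
        ("200.33.113.0/25", 264747),           # more-specific beyond maxLength
        ("198.51.100.0/24", 64500),            # no covering VRP
    ]:
        print(f"{pfx:18} AS{asn:<7} {validate_origin(pfx, asn)}")
```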