<div dir="ltr">I guess the conclusion is that AS7908 did originated the <a href="http://8.8.8.8/32" target="_blank">8.8.8.8/32</a> announcement and then the (small coverage) leakage could have been prevented by RPKI if configured at their upstreams.<br>
r.<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Mar 19, 2014 at 9:48 PM, Carlos M. Martinez <span dir="ltr"><<a href="mailto:carlosmarcelomartinez@gmail.com" target="_blank">carlosmarcelomartinez@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Doug,<br>
<br>
thanks for the good wishes and thank you very much for your very clear<br>
and complete answer, that is just what I was looking for.<br>
<br>
Kind regards,<br>
<br>
~Carlos<br>
<div class="HOEnZb"><div class="h5"><br>
On 3/19/14, 5:44 PM, Doug Madory wrote:<br>
> Hola Carlos,<br>
><br>
> Congrats on your new role at LACNIC!<br>
><br>
> It is true that AS7908 announced <a href="http://8.8.8.8/32" target="_blank">8.8.8.8/32</a> for about 20 minutes on Saturday, although I'm skeptical of how significant this is.<br>
><br>
> For one, because the route is a /32 it didn't travel very far. We had 4 of our 416 peers see it. I believe BGPmon had about the same number of peers see the route. The article you cite implies that there was global impact, however the actual number of users impacted is likely small. As far as what the "impact" was, there isn't any evidence that this wasn't just a leak of some internal route for proper handling of Google DNS queries. If there were queries that were blocked or returned with bogus information, then that would be concerning.<br>
><br>
> Half of the routes that BT Latam (AS7908) transits (about 200) are from Argentina, 80 are from Brazil, 40 from Venezuela and the rest from other LATAM countries. I suspect this leaked route was probably there to make sure the queries were handled in a certain way like directed to the local Google DNS resolvers in Buenos Aires or Sao Paulo. I don't believe that we know that any Google DNS queries at all were actually redirected to Venezuela as the article suggests.<br>
><br>
> What's more, AS7908 regularly announces <a href="http://125.125.125.0/24" target="_blank">125.125.125.0/24</a>, which is Chinese address space that is currently in use by China Telecom. Given the repeating pattern of the octets, I believe this is another internal route they are inadvertently leaking - as opposed to hijacking the Chinese. :-) I encounter this kind of thing regularly. Also AS7908 leaked internal routes earlier that day. These things contribute to the appearance of sloppiness more than anything nefarious.<br>
><br>
> Rogers of Canada also announced <a href="http://8.8.8.8/30" target="_blank">8.8.8.8/30</a> last year and it was discussed on the NANOG list:<br>
> <a href="http://mailman.nanog.org/pipermail/nanog/2013-July/059736.html" target="_blank">http://mailman.nanog.org/pipermail/nanog/2013-July/059736.html</a><br>
> That ultimately appeared to be benign:<br>
> <a href="http://mailman.nanog.org/pipermail/nanog/2013-July/059743.html" target="_blank">http://mailman.nanog.org/pipermail/nanog/2013-July/059743.html</a><br>
><br>
> There are other examples. Such as AS39605 announcing <a href="http://8.8.8.0/24" target="_blank">8.8.8.0/24</a> last month for almost 6 hours.<br>
><br>
> Having said all that, BGP hijacking is a legitimate concern that ought to be addressed in a thoughtful way.<br>
><br>
> Doug Madory<br>
> 603-643-9300 x115<br>
> Hanover, NH<br>
> "The Internet Intelligence Authority"<br>
><br>
> On Mar 19, 2014, at 11:00 AM, <a href="mailto:lacnog-request@lacnic.net">lacnog-request@lacnic.net</a> wrote:<br>
><br>
>> Date: Tue, 18 Mar 2014 17:34:55 -0300<br>
>> From: Carlos Martinez-Cagnazzo <<a href="mailto:carlosm3011@gmail.com">carlosm3011@gmail.com</a>><br>
>> To: Latin America and Caribbean Region Network Operators Group<br>
>> <<a href="mailto:lacnog@lacnic.net">lacnog@lacnic.net</a>><br>
>> Subject: [lacnog] ¿¿ <a href="http://8.8.8.0/24" target="_blank">8.8.8.0/24</a> secuestrado en Venezuela ??<br>
>> Message-ID:<br>
>> <CA+z-_EXMyjqZ5EgqApjM97WMif1CEj_-B1z3--N9=-<a href="mailto:o13Qa25A@mail.gmail.com">o13Qa25A@mail.gmail.com</a>><br>
>> Content-Type: text/plain; charset="iso-8859-1"<br>
>><br>
>> Recién estaba leyendo esto:<br>
>><br>
>> <a href="http://thehackernews.com/2014/03/google-public-dns-server-traffic.html" target="_blank">http://thehackernews.com/2014/03/google-public-dns-server-traffic.html</a><br>
>><br>
>> Quisiera entender si realmente fue un 'hijacking' de BGP, que es lo que<br>
>> parecería a juzgar por el screenshot de BGPMon que se publica en el<br>
>> artículo o si fué algún otro tipo de problema.<br>
>><br>
>> En particular, quiero entenderlo para saber si RPKI en este escenario<br>
>> hubiera sido útil para mitigar el evento.**<br>
>><br>
>> s2<br>
>><br>
>> ~Carlos<br>
>><br>
>> **Así de paso lo agrego a mi powerpoint de RPKI :-)<br>
> _______________________________________________<br>
> LACNOG mailing list<br>
> <a href="mailto:LACNOG@lacnic.net">LACNOG@lacnic.net</a><br>
> <a href="https://mail.lacnic.net/mailman/listinfo/lacnog" target="_blank">https://mail.lacnic.net/mailman/listinfo/lacnog</a><br>
> Cancelar suscripcion: <a href="mailto:lacnog-unsubscribe@lacnic.net">lacnog-unsubscribe@lacnic.net</a><br>
<br>
_______________________________________________<br>
LACNOG mailing list<br>
<a href="mailto:LACNOG@lacnic.net">LACNOG@lacnic.net</a><br>
<a href="https://mail.lacnic.net/mailman/listinfo/lacnog" target="_blank">https://mail.lacnic.net/mailman/listinfo/lacnog</a><br>
Cancelar suscripcion: <a href="mailto:lacnog-unsubscribe@lacnic.net">lacnog-unsubscribe@lacnic.net</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><br><br>At least I did something<br>Don Draper - Mad Men
</div>