<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
We RIRs have no police power and no oversight role. We are
facilitators of many activities thanks to our close contact
with the operator community, but we have no
sanctioning instrument to apply. And personally, I think it is
right that it is so.<br>
<br>
I think protection against this kind of occurrence lies
elsewhere.<br>
<br>
Regards<br>
<br>
Carlos<br>
<br>
<div class="moz-cite-prefix">On 4/3/14, 10:01 AM, Ivan Chapero
wrote:<br>
</div>
<blockquote
cite="mid:CAPQhFbcVhvmo5c1suHmmXkwWLpDe+DnE1yBJBJad6Uvqbq0M1Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)">Naive
question: doesn't the RIR associated with the ISP have the authority to
penalize it for such a tremendous, repeated aberration? Its upstream
was also rather lax in accepting, as if nothing were wrong, 300k
routes from a peer that was nowhere near that number in its
normal state.<br>
<br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)">It
looks like a redistribution into their IGP followed by injection back
into BGP, doesn't it?<br>
<br>
</div>
<div class="gmail_default"
style="font-family:tahoma,sans-serif;font-size:small;color:rgb(0,0,0)">
Regards.<br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014-04-03 7:42 GMT-03:00 Alex Ojeda <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:alex@chilenetworks.com" target="_blank">alex@chilenetworks.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="ES-CL">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Mail
received from bgpmon:</span></p>
<p><span lang="ES">From: Andree Toonk // BGPmon.net <br>
Sent: Thursday, April 3, 2014 2:27<br>
To: Alex Ojeda<br>
Subject: Additional information - Hijack event today
by Indosat</span></p>
<p> </p>
<p><span lang="EN-US">Dear BGPmon.net user,</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">Today we observed a large-scale
'hijack' event that amongst others affected one or
more of your prefixes. This email is to provide you
with some additional information.</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">What happened?</span></p>
<p><span lang="EN-US">Indosat, AS4761, one of
Indonesia's largest telecommunication networks
normally originates about 300 prefixes. Starting at
18:26 UTC (April 2, 2014) AS4761 began to originate
417,038 new prefixes normally announced by other
Autonomous Systems such as yours. The
'mis-origination' event by Indosat lasted for
several hours affecting different prefixes at
different times until approximately 21:15 UTC.</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">What caused this?</span></p>
<p><span lang="EN-US">Given the large scale of this
event we presume this is not malicious or
intentional but rather the result of an operational
issue. Other sources report this was the result of a
maintenance window gone bad. Interestingly we
documented a similar event involving Indosat in
2011, more details regarding that incident can be
found here:
</span><a moz-do-not-send="true"
href="http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/"
target="_blank"><span
style="color:windowtext;text-decoration:none"
lang="EN-US">http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/</span></a><span
lang="EN-US"></span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">Impact</span></p>
<p><span lang="EN-US">The impact of this event was
different per network, many of the hijacked routes
were seen by several providers in Thailand. This
means that it's likely that communication between
these providers in Thailand (as well as Indonesia)
and your prefix may have been affected. </span></p>
<p><span lang="EN-US">One of the heuristics we look at
to determine the global impact of an event like this
is the number of probes that detected the event. In
this case, out of the 400k affected prefixes, 8,182
were detected by more than 10 different probes,
which means that the scope and impact of this event
was larger for these prefixes.
</span></p>
<p><span lang="EN-US">The link below is an example of a
Syrian prefix that was hijacked by Indosat where the
'hijacked' route was seen from Australia to the US
and Canada.</span></p>
<p><a moz-do-not-send="true"
href="http://portal.bgpmon.net/data/indosat-hijack.png"
target="_blank"><span
style="color:windowtext;text-decoration:none"
lang="EN-US">http://portal.bgpmon.net/data/indosat-hijack.png</span></a><span
lang="EN-US"></span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">What was the impact for my
network?</span></p>
<p><span lang="EN-US">By clicking on the alert details
link in the alert email or portal you will see the
number of probes that detected the hijacked route
update. It also shows you where in the world these
updates were seen so you'll have an idea of the
geographical scope of the event.</span></p>
<p><span lang="EN-US">Users with a premium account also
have access to all the individual BGP updates as
well as the full AS path. This will tell you in
detail what networks selected this bad route and the
exact timestamps. Some of you also received a phone
call to inform you of the events immediately after
detection (part of the Enterprise add-on).</span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">BGP probe and peering</span></p>
<p><span lang="EN-US">A BGP probe in this case means one
of our peering partners. You too can become a
peering partner and get access to our PeerMon
service, for more details see:</span></p>
<p><a moz-do-not-send="true"
href="http://portal.bgpmon.net/peermon.php"
target="_blank"><span
style="color:windowtext;text-decoration:none"
lang="EN-US">http://portal.bgpmon.net/peermon.php</span></a><span
lang="EN-US"></span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">Questions and more information</span></p>
<p><span lang="EN-US">I hope this provides you with some
useful additional information regarding this event.
Feel free to contact us should you have any follow
up questions or would like to have more information
for the purpose of further forensics. </span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">Kind regards,</span></p>
<p><span lang="EN-US">Andree Toonk </span></p>
<p><span lang="EN-US"> </span></p>
<p><span lang="EN-US">--</span></p>
<p><span lang="EN-US">BGPmon.net</span></p>
<p><span lang="EN-US"></span><a moz-do-not-send="true"
href="mailto:info@bgpmon.net" target="_blank"><span
style="color:windowtext;text-decoration:none"
lang="EN-US">info@bgpmon.net</span></a><span
lang="EN-US"></span></p>
<p><span lang="EN-US"></span><a moz-do-not-send="true"
href="http://www.bgpmon.net/" target="_blank"><span
style="color:windowtext;text-decoration:none"
lang="EN-US">http://www.bgpmon.net/</span></a><span
lang="EN-US"></span></p>
<div class="">
<div>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:13.0pt;font-family:"Verdana","sans-serif";color:#1f497d"
lang="ES-BO">Alex Matias Ojeda Mercado</span><span
style="font-size:13.0pt;font-family:"Tahoma","sans-serif";color:#1f497d"
lang="ES-BO"></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#44546a">NOG
CHILE</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#44546a"><a
moz-do-not-send="true"
href="mailto:alex@nog.cl" target="_blank">alex@nog.cl</a></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#44546a">+56971922362</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#44546a"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#44546a"> </span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
</div>
<div>
<div style="border:none;border-top:solid #e1e1e1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="ES">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""
lang="ES"> NOG [mailto:<a moz-do-not-send="true"
href="mailto:nog-bounces@nog.cl"
target="_blank">nog-bounces@nog.cl</a>]
<b>On behalf of </b><a moz-do-not-send="true"
href="mailto:nog@nog.cl" target="_blank">nog@nog.cl</a><br>
<b>Sent:</b> Wednesday, April 2, 2014 17:44</span></p>
<div>
<div class="h5"><br>
<b>To:</b> Latin America and Caribbean Region
Network Operators Group; <a
moz-do-not-send="true"
href="mailto:nog@nog.cl" target="_blank">nog@nog.cl</a>;
<a moz-do-not-send="true"
href="mailto:lacnog@lacnog.org"
target="_blank">lacnog@lacnog.org</a><br>
<b>Subject:</b> Re: [NOG-CHILE] [lacnog]
Prefix hijack</div>
</div>
</div>
</div>
<div>
<div class="h5">
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Beautiful
:-)</span></p>
</div>
</div>
<div>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr align="center" size="2" width="100%">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:
</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a
moz-do-not-send="true"
href="mailto:alex@chilenetworks.com"
target="_blank">Alex Ojeda</a></span><br>
<b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Sent:
</span>
</b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">02/04/2014
18:18</span><br>
<b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">To:
</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a
moz-do-not-send="true"
href="mailto:nog@nog.cl" target="_blank">nog@nog.cl</a>;
<a moz-do-not-send="true"
href="mailto:lacnog@lacnic.net"
target="_blank">Latin America and Caribbean
Region Network Operators Group</a>;
<a moz-do-not-send="true"
href="mailto:lacnog@lacnog.org"
target="_blank">lacnog@lacnog.org</a></span><br>
<b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Subject:
</span>
</b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Re:
[lacnog] [NOG-CHILE] Prefix hijack</span></p>
</div>
<p class="MsoNormal">It is now more than confirmed that
this event is global, affecting more than
320,000 prefixes around the globe.<br>
<br>
<br>
Regards!<br>
<br>
<br>
<br>
Alex Matias Ojeda Mercado<br>
NOG CHILE<br>
<a moz-do-not-send="true"
href="mailto:alex@nog.cl" target="_blank">alex@nog.cl</a><br>
+56971922362<br>
<br>
<br>
-----Original message-----<br>
From: NOG [<a moz-do-not-send="true"
href="mailto:nog-bounces@nog.cl" target="_blank">mailto:nog-bounces@nog.cl</a>]
On behalf of
<a moz-do-not-send="true" href="mailto:nog@nog.cl"
target="_blank">nog@nog.cl</a><br>
Sent: Wednesday, April 2, 2014 16:02<br>
To: Latin America and Caribbean Region Network
Operators Group; <a moz-do-not-send="true"
href="mailto:nog@nog.cl" target="_blank">
nog@nog.cl</a>; <a moz-do-not-send="true"
href="mailto:lacnog@lacnog.org" target="_blank">lacnog@lacnog.org</a><br>
Subject: Re: [NOG-CHILE] [lacnog] Prefix hijack<br>
<br>
I look forward to seeing *all* of you at the BGP+RPKI tutorial in
Cancún<br>
<br>
:-)<br>
<br>
<br>
<br>
On 4/2/14, 4:52 PM, Alex Ojeda wrote:<br>
> I have just been alerted about 4 additional /24s<br>
> <br>
> <br>
> <br>
> <br>
> <br>
> Alex Matias Ojeda Mercado<br>
> NOG CHILE<br>
> <a moz-do-not-send="true"
href="mailto:alex@nog.cl" target="_blank">alex@nog.cl</a><br>
> +56971922362<br>
> <br>
> <br>
> -----Original message-----<br>
> From: NOG [<a moz-do-not-send="true"
href="mailto:nog-bounces@nog.cl" target="_blank">mailto:nog-bounces@nog.cl</a>]
On behalf of
<a moz-do-not-send="true" href="mailto:nog@nog.cl"
target="_blank">nog@nog.cl</a><br>
> Sent: Wednesday, April 2, 2014 15:43<br>
> To: Latin America and Caribbean Region
Network Operators Group; <br>
> '<a moz-do-not-send="true"
href="mailto:nog@nog.cl" target="_blank">nog@nog.cl</a>';
<a moz-do-not-send="true"
href="mailto:lacnog@lacnog.org" target="_blank">lacnog@lacnog.org</a><br>
> Subject: Re: [NOG-CHILE] [lacnog] Prefix
hijack<br>
> <br>
> Us too, and from the same AS. In fact,
for us it also went off as an
RPKI alarm.<br>
> <br>
> <br>
> On 4/2/14, 4:32 PM, Alex Ojeda wrote:<br>
>> I just received an alert of a
possible Prefix Hijack on one of <br>
>> my prefixes, from Indonesia.<br>
>><br>
>> Anyone else with something similar?<br>
<span lang="EN-US">>><br>
>> <br>
>><br>
>> <br>
>><br>
>>
====================================================================<br>
>><br>
>> Possible Prefix Hijack (Code: 10)<br>
>><br>
>>
====================================================================<br>
>><br>
>> Your prefix: <a
moz-do-not-send="true"
href="http://64.76.170.0/24" target="_blank">64.76.170.0/24</a>:<br>
>><br>
>> Update time: 2014-04-02 18:28
(UTC)<br>
>><br>
>> Detected by #peers: 1<br>
>><br>
>> Detected prefix: <a
moz-do-not-send="true"
href="http://64.76.170.0/24" target="_blank">64.76.170.0/24</a><br>
>><br>
>> Announced by: AS4761
(INDOSAT-INP-AP INDOSAT Internet Network<br>
>> Provider,ID)<br>
>><br>
>> Upstream AS: AS4651
(THAI-GATEWAY The Communications Authority<br>
>> of Thailand(CAT),TH)<br>
>><br>
>> ASpath: 18356 38794 4651
4761<br>
>><br>
>> <br>
>><br>
>> <br>
>><br>
>> <br>
>><br>
>> <br>
>><br>
>> <br>
>><br>
>> <br>
>><br>
>> Alex Matias Ojeda Mercado<br>
>><br>
>> NOG CHILE<br>
>><br>
>> </span><a moz-do-not-send="true"
href="mailto:alex@nog.cl" target="_blank"><span
lang="EN-US">alex@nog.cl</span></a><span
lang="EN-US"><br>
>><br>
>> +56971922362<br>
>><br>
>> <br>
>><br>
>> <br>
>><br>
>> <br>
>><br>
>><br>
>><br>
>>
_______________________________________________<br>
>> LACNOG mailing list<br>
>> </span><a moz-do-not-send="true"
href="mailto:LACNOG@lacnic.net" target="_blank"><span
lang="EN-US">LACNOG@lacnic.net</span></a><span
lang="EN-US"><br>
>> </span><a moz-do-not-send="true"
href="https://mail.lacnic.net/mailman/listinfo/lacnog"
target="_blank"><span lang="EN-US">https://mail.lacnic.net/mailman/listinfo/lacnog</span></a><span
lang="EN-US"><br>
>> Unsubscribe: </span><a
moz-do-not-send="true"
href="mailto:lacnog-unsubscribe@lacnic.net"
target="_blank"><span lang="EN-US">lacnog-unsubscribe@lacnic.net</span></a><span
lang="EN-US"><br>
>><br>
> <br>
>
_______________________________________________<br>
> NOG mailing list<br>
> </span><a moz-do-not-send="true"
href="mailto:NOG@nog.cl" target="_blank"><span
lang="EN-US">NOG@nog.cl</span></a><span
lang="EN-US"><br>
> </span><a moz-do-not-send="true"
href="http://nog.cl/mailman/listinfo/nog_nog.cl"
target="_blank"><span lang="EN-US">http://nog.cl/mailman/listinfo/nog_nog.cl</span></a><span
lang="EN-US"><br>
> <br>
<br>
</span></p>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div dir="ltr"><b>Ivan Chapero<br>
<span style="color:rgb(102,102,102)">Technical Area and Support</span></b><span
style="color:rgb(102,102,102)"> </span><br
style="color:rgb(102,102,102)">
<span style="color:rgb(102,102,102)">Landline: 03464-470280
(extension 535)</span> | <span style="color:rgb(102,102,102)">Mobile:
03464-155-20282</span> | <span
style="color:rgb(102,102,102)">Skype ID: ivanchapero</span>
<div><span style="color:rgb(102,102,102)">--</span><br
style="color:rgb(102,102,102)">
<div style="text-align:center"><span
style="color:rgb(102,102,102)">GoDATA Banda Ancha -
CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 - Arequito -
Santa Fe - Argentina</span></div>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</div>
</div>
</div>
<br>
</blockquote>
<br>
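<p>The two controls this thread points to, RPKI origin validation (the "RPKI alarm" mentioned above) and a maximum-prefix limit on the session (the upstream that accepted 300k routes), modelled as an added example that is not part of the original messages. The ROA table, AS64500 as the legitimate origin, the 600-prefix limit and the function names are assumptions made for the illustration.</p>

```python
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin ASN).
# AS64500 (a documentation ASN) stands in for the real holder of the prefix,
# which the thread does not name; the second ROA is likewise constructed.
ROAS = [
    ("64.76.170.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 4761),
]

# The alert quoted in the thread: prefix and AS path as reported by BGPmon.
ALERT = ("64.76.170.0/24", [18356, 38794, 4651, 4761])


def rov_state(prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this route
        # An AS0 ROA never validates a route; it only marks it as covered.
        if roa_asn != 0 and roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def import_session(announcements, roas, max_prefix):
    """Model one eBGP session's import policy (simplified).

    Drops RPKI-invalid routes, then enforces a maximum-prefix limit on what
    is left; exceeding the limit tears the session down and discards every
    route learned over it.
    """
    accepted, dropped = [], []
    for prefix, as_path in announcements:
        if rov_state(prefix, as_path[-1], roas) == "invalid":
            dropped.append(prefix)
            continue
        accepted.append(prefix)
        if len(accepted) > max_prefix:
            return {"session": "down", "accepted": [], "dropped": dropped}
    return {"session": "up", "accepted": accepted, "dropped": dropped}


def flood(count):
    """Constructed leak: `count` /24s with no ROA, all originated by AS4761."""
    nets = ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=24)
    return [(str(next(nets)), [4761]) for _ in range(count)]


if __name__ == "__main__":
    print(rov_state(ALERT[0], ALERT[1][-1], ROAS))
    normal = [ALERT, ("203.0.113.0/24", [4761])]
    print(import_session(normal, ROAS, max_prefix=600))
    print(import_session(normal + flood(1000), ROAS, max_prefix=600)["session"])
```

Origin validation alone only rejects routes covered by a ROA; the flood of uncovered prefixes passes it and is stopped by the prefix limit, which is why the two checks are shown together.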
</body>
</html>