nanog mailing list archives

Re: BGP Hijack/Sickness with AS4637


From: Alain Hebert <ahebert () pubnix net>
Date: Thu, 31 May 2018 10:31:26 -0400

    Thanks for the ideas and the hint.  Good read.

    Will do.

    PS: Still curious how, beside some RIB/FIB failure, our AS ended up there.

-----
Alain Hebert                                ahebert () pubnix net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 05/31/18 10:15, Job Snijders wrote:
On Thu, May 31, 2018 at 09:49:47AM -0400, Alain Hebert wrote:
Well bad news on the ColoAU front, they refused to cooperate.

We'll pushback thru our GTT accounts...  But I'm running out of ideas.

If anyone has any good ideas how to proceed at this point feel free to
share =D.
This feels like a BGP "optimiser" at work inside AS 4637.

From the https://lg.coloau.com.au/ looking glass:

BGP 'show route'
     18.29.238.0/23  *[BGP/170] 1w0d 18:49:44, localpref 90, from 103.97.52.2
                     AS path: 4637 3257 29909 16532 16532 16532 16532 I, validation-state: unverified

However, a data-plane traceroute:

     AS path: 4637 -> 174 ->  ...

     traceroute to 18.29.238.1 (18.29.238.1), 30 hops max, 40 byte packets
      1  103.52.116.49 (103.52.116.49)  114.573 ms  113.965 ms  117.141 ms
          MPLS Label=691873 CoS=0 TTL=1 S=0
          MPLS Label=17 CoS=0 TTL=1 S=1
      2  202.127.69.34 (202.127.69.34)  113.768 ms  113.763 ms  113.731 ms
      3  202.84.148.113 (202.84.148.113) [AS  4637]  114.759 ms  117.956 ms  115.796 ms
      4  202.84.141.13 (202.84.141.13) [AS  4637]  181.873 ms 202.84.141.169 (202.84.141.169) [AS  4637]  181.618 ms  182.688 ms
      5  202.84.253.82 (202.84.253.82) [AS  4637]  181.949 ms 202.40.149.226 (202.40.149.226) [AS  4637]  183.194 ms 202.84.253.82 (202.84.253.82) [AS  4637]  201.282 ms
      6  154.54.10.133 (154.54.10.133) [AS  174]  181.055 ms  181.100 ms  181.065 ms
      7  154.54.27.117 (154.54.27.117) [AS  174]  175.410 ms  182.956 ms 154.54.3.69 (154.54.3.69) [AS  174]  175.176 ms
      8  154.54.45.161 (154.54.45.161) [AS  174]  212.531 ms 154.54.44.85 (154.54.44.85) [AS  174]  202.470 ms  187.361 ms
      9  154.54.42.78 (154.54.42.78) [AS  174]  195.585 ms  195.812 ms 154.54.42.66 (154.54.42.66) [AS  174]  211.713 ms
     10  154.54.30.161 (154.54.30.161) [AS  174]  235.896 ms  216.173 ms  211.246 ms
     11  154.54.28.129 (154.54.28.129) [AS  174]  233.516 ms  225.413 ms  225.551 ms
     12  154.54.24.221 (154.54.24.221) [AS  174]  236.432 ms  236.701 ms  236.595 ms
     13  154.54.40.109 (154.54.40.109) [AS  174]  273.564 ms  279.452 ms  248.212 ms
     14  154.54.46.33 (154.54.46.33) [AS  174]  248.098 ms  247.802 ms  248.084 ms
     15  * * *

Discongruity between RIB and FIB like this, and the hijack being a
more-specific of a /16, is a typical sign of BGP 'optimisers'.

I recommend you reach out to AUSNOG and APOPS and hope someone there
knows someone at Telstra Hong Kong.

More thoughts on BGP optimisers: http://seclists.org/nanog/2017/Aug/318

Kind regards,

Job



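The RIB/FIB check Job describes above can be scripted: parse the AS path from the looking-glass `show route` output, parse the `[AS n]` tags from the traceroute, and flag any AS the packets actually crossed that the control plane never advertised, plus whether the prefix is a more-specific of a /16. This is an added example, not code from the thread; the sample text is constructed from the outputs quoted above (trimmed to the hops needed), and the regexes and the `assess()` helper are assumptions about the looking-glass format rather than anything the thread specifies.

```python
"""Detect a control-plane (RIB) vs data-plane (FIB) discongruity from
looking-glass output, in the style of the thread above. Added example;
sample text is constructed from the quoted looking-glass output."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: the 'show route' entry quoted from the looking glass.
LG_ROUTE = """\
     18.29.238.0/23  *[BGP/170] 1w0d 18:49:44, localpref 90, from 103.97.52.2
                     AS path: 4637 3257 29909 16532 16532 16532 16532 I, validation-state: unverified
"""

# Constructed sample: a subset of the quoted traceroute hops.
TRACEROUTE = """\
traceroute to 18.29.238.1 (18.29.238.1), 30 hops max, 40 byte packets
 1  103.52.116.49 (103.52.116.49)  114.573 ms  113.965 ms  117.141 ms
 2  202.127.69.34 (202.127.69.34)  113.768 ms  113.763 ms  113.731 ms
 3  202.84.148.113 (202.84.148.113) [AS  4637]  114.759 ms  117.956 ms  115.796 ms
 4  202.84.141.13 (202.84.141.13) [AS  4637]  181.873 ms 202.84.141.169 (202.84.141.169) [AS  4637]  181.618 ms  182.688 ms
 6  154.54.10.133 (154.54.10.133) [AS  174]  181.055 ms  181.100 ms  181.065 ms
 7  154.54.27.117 (154.54.27.117) [AS  174]  175.410 ms  182.956 ms 154.54.3.69 (154.54.3.69) [AS  174]  175.176 ms
15  * * *
"""

# Assumed formats: Junos-style 'show route' and traceroute with [AS n] tags.
PREFIX_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+/\d+)", re.M)
ASPATH_RE = re.compile(r"AS path:\s*([\d\s]+?)\s*[IE?]\b")
TR_AS_RE = re.compile(r"\[AS\s+(\d+)\]")


def parse_rib(text: str) -> Tuple[str, List[int]]:
    """Return (prefix, AS path) with consecutive prepends collapsed."""
    prefix = PREFIX_RE.search(text).group(1)
    raw = [int(a) for a in ASPATH_RE.search(text).group(1).split()]
    path = [a for i, a in enumerate(raw) if i == 0 or a != raw[i - 1]]
    return prefix, path


def parse_traceroute(text: str) -> List[int]:
    """Return distinct ASNs in hop order; hops without an [AS n] tag are skipped."""
    seen: List[int] = []
    for asn in (int(m) for m in TR_AS_RE.findall(text)):
        if not seen or seen[-1] != asn:
            seen.append(asn)
    return seen


def rib_fib_mismatch(rib_path: List[int], fib_asns: List[int]) -> List[int]:
    """ASNs the packets traversed that do not appear in the advertised AS path.
    Empty means the data plane is consistent with the control plane."""
    return [a for a in fib_asns if a not in rib_path]


def covering_block(prefix: str, length: int = 16) -> Optional[ipaddress.IPv4Network]:
    """The /16 (by default) that covers a more-specific prefix, or None if the
    prefix is not longer than that length."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen <= length:
        return None
    return net.supernet(new_prefix=length)


def assess(lg_text: str, tr_text: str) -> dict:
    """Run both checks and return the findings as a dict."""
    prefix, rib_path = parse_rib(lg_text)
    fib_asns = parse_traceroute(tr_text)
    cover = covering_block(prefix)
    return {
        "prefix": prefix,
        "rib_path": rib_path,
        "fib_asns": fib_asns,
        "unexpected_asns": rib_fib_mismatch(rib_path, fib_asns),
        "covering_16": str(cover) if cover else None,
    }


if __name__ == "__main__":
    for key, value in assess(LG_ROUTE, TRACEROUTE).items():
        print(f"{key}: {value}")
```

On the quoted outputs this reports AS 174 as an unexpected data-plane AS (the RIB claims 4637 -> 3257 -> 29909 -> 16532, the packets go 4637 -> 174) and `18.29.0.0/16` as the covering block, which is exactly the pair of symptoms Job points to. Run it periodically against your own looking-glass and traceroute captures for prefixes you originate and alert when `unexpected_asns` is non-empty.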