[MBNOG] local PCH data on 2017-12-12 Russian BGP Hijacks

Theodore Baschak theodore at ciscodude.net
Thu Dec 14 00:35:25 CST 2017


The other day there were some prefixes hijacked by Russians.
https://bgpmon.net/popular-destinations-rerouted-to-russia/

I wanted to see if we were affected in Winnipeg. My own routing data would
work, but I'm in the middle of learning about MRT files... (I really want
to be collecting data in MRT format -- I'll get there soon)

So I downloaded some of the larger update files from
https://www.pch.net/resources/Raw_Routing_Data/route-collector.ywg.pch.net/2017/12/12/
and ran it thru MABO (https://github.com/ANSSI-FR/mabo) to see which
prefixes that AS (39523) had announced.

Turns out there were quite a few that had leaked thru MBIX to PCH. This is via
the HE.net MBIX peer to PCH. (They may have direct peering, so even if MBIX
filtered them they could still have seen the bad routes via direct peering.)

I haven't looked into the list much yet, but from what I can see it's an
interesting mix of more specific advertisements, less specific
advertisements, equal sized advertisements to what was seen and some
otherwise unadvertised IP space.

Quick parsing on orgs has:
google (both 15169 and 36040), facebook, choopa (vultr), valve, riot games,
microsoft, apple, twitch
and some other ASNs that my quick lookup script doesn't have names on.

Converting the BGP update to JSON then to YAML gives a more readable packet.

(I've removed the legitimate prefix that 39523 normally originates from
this output/list)

type: update
timestamp: 1513053806
peer_as: 6939
peer_ip: 206.72.208.13
as_path: 6939 31133 39523
announce:
    - 1.21.6.0/24
    - 1.21.7.0/24
    - 103.194.164.0/22
    - 104.237.160.0/19
    - 111.89.0.0/16
    - 13.104.0.0/14
    - 13.64.0.0/11
    - 13.96.0.0/13
    - 155.131.0.0/16
    - 155.132.0.0/15
    - 155.133.245.0/24
    - 162.254.0.0/16
    - 162.254.192.0/21
    - 17.0.0.0/8
    - 172.217.0.0/16
    - 173.194.0.0/16
    - 173.194.122.0/24
    - 173.194.220.0/24
    - 173.194.32.0/24
    - 173.194.44.0/24
    - 173.199.64.0/18
    - 179.60.192.0/22
    - 185.32.248.0/22
    - 185.42.204.0/22
    - 185.48.56.0/22
    - 185.5.136.0/22
    - 188.128.96.0/24
    - 192.16.64.0/21
    - 194.85.113.0/24
    - 204.79.195.0/24
    - 204.79.196.0/23
    - 207.198.114.0/24
    - 209.85.128.0/17
    - 209.85.233.0/24
    - 216.239.32.0/19
    - 216.58.192.0/19
    - 216.58.201.0/24
    - 216.58.206.0/24
    - 217.69.128.0/20
    - 222.144.0.0/13
    - 31.13.71.0/24
    - 31.13.84.0/24
    - 31.13.91.0/24
    - 31.13.92.0/24
    - 37.29.18.0/23
    - 43.229.64.0/22
    - 45.121.186.0/23
    - 45.32.0.0/16
    - 45.63.0.0/16
    - 45.76.0.0/15
    - 46.61.0.0/16
    - 46.8.60.0/23
    - 46.8.62.0/23
    - 5.143.0.0/17
    - 64.233.160.0/19
    - 64.233.162.0/24
    - 64.233.163.0/24
    - 66.102.0.0/20
    - 66.220.144.0/20
    - 66.249.80.0/20
    - 72.14.192.0/18
    - 74.125.0.0/16
    - 74.125.205.0/24
    - 74.125.232.0/24
    - 79.142.100.0/23
    - 85.114.0.0/16
    - 87.225.0.0/17
    - 87.240.128.0/17
    - 90.154.64.0/18
    - 91.233.218.0/23
    - 91.236.100.0/23
    - 91.236.102.0/24
    - 91.239.53.0/24
    - 92.223.0.0/20
    - 93.100.195.0/24
    - 93.186.224.0/20
    - 94.100.176.0/20
    - 95.142.192.0/20
    - 95.213.0.0/18
withdraw: []


Theodore Baschak - AS395089 - Hextet Systems
https://bgp.guru/ - https://hextet.net/
http://mbix.ca/ - http://mbnog.ca/
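The post sorts the leaked announcements into more-specifics, less-specifics, equal-sized prefixes and otherwise unadvertised space by eye. The script below, an added example that is not part of the original post and not MABO's own code, does that sorting mechanically: it takes an update in the shape of the MABO JSON quoted above (fields type, timestamp, peer_as, peer_ip, as_path, announce, withdraw), reads the origin AS off the end of the AS_PATH, and compares each announced prefix against a baseline of expected origins. The baseline and the trimmed announce list are constructed sample data (the origin ASNs and 192.0.2.0/24 are hypothetical placeholders), not a real RIB; in practice the baseline would come from your own collector or a RIB dump taken before the event.

```python
"""Classify the prefixes in a BGP UPDATE against a baseline of expected origins.

Added example: not from the MBNOG post or from MABO. It assumes a MABO-style
JSON update and a baseline dict of prefix -> expected origin AS; the baseline
below is constructed sample data (hypothetical ASNs, TEST-NET-1 for the
"legitimate" case), not real routing table contents.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed update in the shape of the MABO output quoted in the post; only a
# few of the announced prefixes are kept so the example stays short.
SAMPLE_UPDATE = {
    "type": "update",
    "timestamp": 1513053806,
    "peer_as": 6939,
    "peer_ip": "206.72.208.13",
    "as_path": "6939 31133 39523",
    "announce": [
        "17.0.0.0/8",          # baseline has the same /8 from another origin
        "173.194.122.0/24",    # baseline has a covering /16 from another origin
        "13.64.0.0/11",        # baseline has a /16 inside it from another origin
        "185.5.136.0/22",      # nothing in the baseline overlaps
        "192.0.2.0/24",        # hypothetical: the origin's own legitimate prefix
    ],
    "withdraw": [],
}

# Hypothetical "before the event" baseline: prefix -> expected origin AS.
BASELINE: Dict[str, int] = {
    "17.0.0.0/8": 714,
    "173.194.0.0/16": 15169,
    "13.64.0.0/16": 8075,
    "192.0.2.0/24": 39523,
}


def origin_as(update: dict) -> int:
    """Origin AS is the last hop of AS_PATH (MABO prints the path as a string)."""
    return int(str(update["as_path"]).split()[-1])


def update_time_utc(update: dict) -> str:
    """Render the MRT timestamp as a UTC wall-clock string for the write-up."""
    ts = datetime.fromtimestamp(int(update["timestamp"]), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S")


def classify_prefix(prefix: str, origin: int, baseline: Dict[str, int]) -> str:
    """Return one of: legitimate, exact, more-specific, less-specific, unadvertised."""
    p = ipaddress.ip_network(prefix, strict=False)
    covering: List[int] = []  # origins of baseline prefixes that contain p
    covered: List[int] = []   # origins of baseline prefixes that p contains
    for base, base_origin in baseline.items():
        b = ipaddress.ip_network(base, strict=False)
        if b.version != p.version:
            continue
        if p == b:
            # Equal-sized announcement: fine only if the origin is the expected one.
            return "legitimate" if base_origin == origin else "exact"
        if p.subnet_of(b):
            covering.append(base_origin)
        elif b.subnet_of(p):
            covered.append(base_origin)
    if covering:
        return "legitimate" if all(o == origin for o in covering) else "more-specific"
    if covered:
        return "legitimate" if all(o == origin for o in covered) else "less-specific"
    return "unadvertised"


def classify_update(update: dict, baseline: Dict[str, int]) -> List[Tuple[str, str]]:
    """Classify every announced prefix relative to the update's origin AS."""
    origin = origin_as(update)
    return [(pfx, classify_prefix(pfx, origin, baseline)) for pfx in update.get("announce", [])]


def summarize(update: dict, baseline: Dict[str, int]) -> Dict[str, int]:
    """Count announcements per class, the number a post like this one reports."""
    return dict(Counter(cls for _, cls in classify_update(update, baseline)))


def suspicious(update: dict, baseline: Dict[str, int]) -> List[str]:
    """Everything that is not the origin's own space is worth a closer look."""
    return [pfx for pfx, cls in classify_update(update, baseline) if cls != "legitimate"]


if __name__ == "__main__":
    print(f"update at {update_time_utc(SAMPLE_UPDATE)} UTC, origin AS{origin_as(SAMPLE_UPDATE)}")
    for pfx, cls in classify_update(SAMPLE_UPDATE, BASELINE):
        print(f"  {pfx:<20} {cls}")
    print(summarize(SAMPLE_UPDATE, BASELINE))
```

Running it against the full announce list from the post only needs the real pre-event RIB as the baseline; the classification itself does not change. A "less-specific" result deserves attention even though it rarely wins best-path selection, because it picks up traffic for any part of that block that had no covering route at the collector.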