[MBNOG] local PCH data on 2017-12-12 Russian BGP Hijacks

Theodore Baschak theodore at ciscodude.net
Wed Dec 20 00:00:45 CST 2017


I pulled down the file from PCH that has Dec 12th from YYCIX and their PCH
also saw the same hijacks.

<https://www.pch.net/resources/Raw_Routing_Data/route-collector.yyc.pch.net/2017/12/12/route-collector.yyc.pch.net-mrt-bgp-updates-2017-12-12-07-08.gz>
contains the updates in question.

This likely means that PCH and HE.net have direct peering, masking the
visibility of the success of their endeavour from us in this real world
hijacking event.


Theodore Baschak - AS395089 - Hextet Systems
https://bgp.guru/ - https://hextet.net/
http://mbix.ca/ - http://mbnog.ca/
On Tue, Dec 19, 2017 at 9:40 PM, Sean McKenzie <SeanMcKenzie at rfnow.com>
wrote:

> It would be interesting to see if there was any difference between the
> collector at MBIX and YYCIX. Strict filtering was enabled on the route
> servers over there about two months ago.
>
> Would it be much work to generate the list from the yyc collector?
>
> Thanks,
> Sean McKenzie | Network Architect | RFNow <http://www.rfnow.com/>
> P.O. Box 639, 297 Nelson Street West, Virden, MB, R0M 2C0
> Phone: 204-748-4834 | Cell: 204-509-8611 | Email: seanmckenzie at rfnow.com
>
>
> On Dec 13, 2017, at 10:35 PM, Theodore Baschak via MBNOG <
> mbnog at lists.mbnog.ca> wrote:
>
> The other day there were some prefixes hijacked by Russians.
> https://bgpmon.net/popular-destinations-rerouted-to-russia/
>
> I wanted to see if we were affected in Winnipeg. My own routing data would
> work, but I'm in the middle of learning about MRT files... (I really want
> to be collecting data in MRT format -- I'll get there soon)
>
> So I downloaded some of the larger update files from
> https://www.pch.net/resources/Raw_Routing_Data/route-collector.ywg.pch.net/2017/12/12/
> and ran it thru MABO (https://github.com/ANSSI-FR/mabo) to see which prefixes
> that AS (39523) had announced.
>
> Turns out quite a few had leaked thru MBIX to PCH. This is via the HE.net
> MBIX peer to PCH. (They may have direct peering, so even if MBIX filtered
> them they could still have seen the bad routes via direct peering)
>
> I haven't looked into the list much yet, but from what I can see it's an
> interesting mix of more specific advertisements, less specific
> advertisements, equal sized advertisements to what was seen and some
> otherwise unadvertised IP space.
>
> Quick parsing on orgs has:
> google (both 15169 and 36040), facebook, choopa (vultr), valve, riot games,
> microsoft, apple, twitch
> and some other ASNs that my quick lookup script doesn't have names on.
>
> Converting the BGP update to JSON then to YAML gives a more readable
> packet.
>
> (I've removed the legitimate prefix that 39523 normally originates from
> this output/list)
>
> type: update
> timestamp: 1513053806
> peer_as: 6939
> peer_ip: 206.72.208.13
> as_path: 6939 31133 39523
> announce:
>     - 1.21.6.0/24
>     - 1.21.7.0/24
>     - 103.194.164.0/22
>     - 104.237.160.0/19
>     - 111.89.0.0/16
>     - 13.104.0.0/14
>     - 13.64.0.0/11
>     - 13.96.0.0/13
>     - 155.131.0.0/16
>     - 155.132.0.0/15
>     - 155.133.245.0/24
>     - 162.254.0.0/16
>     - 162.254.192.0/21
>     - 17.0.0.0/8
>     - 172.217.0.0/16
>     - 173.194.0.0/16
>     - 173.194.122.0/24
>     - 173.194.220.0/24
>     - 173.194.32.0/24
>     - 173.194.44.0/24
>     - 173.199.64.0/18
>     - 179.60.192.0/22
>     - 185.32.248.0/22
>     - 185.42.204.0/22
>     - 185.48.56.0/22
>     - 185.5.136.0/22
>     - 188.128.96.0/24
>     - 192.16.64.0/21
>     - 194.85.113.0/24
>     - 204.79.195.0/24
>     - 204.79.196.0/23
>     - 207.198.114.0/24
>     - 209.85.128.0/17
>     - 209.85.233.0/24
>     - 216.239.32.0/19
>     - 216.58.192.0/19
>     - 216.58.201.0/24
>     - 216.58.206.0/24
>     - 217.69.128.0/20
>     - 222.144.0.0/13
>     - 31.13.71.0/24
>     - 31.13.84.0/24
>     - 31.13.91.0/24
>     - 31.13.92.0/24
>     - 37.29.18.0/23
>     - 43.229.64.0/22
>     - 45.121.186.0/23
>     - 45.32.0.0/16
>     - 45.63.0.0/16
>     - 45.76.0.0/15
>     - 46.61.0.0/16
>     - 46.8.60.0/23
>     - 46.8.62.0/23
>     - 5.143.0.0/17
>     - 64.233.160.0/19
>     - 64.233.162.0/24
>     - 64.233.163.0/24
>     - 66.102.0.0/20
>     - 66.220.144.0/20
>     - 66.249.80.0/20
>     - 72.14.192.0/18
>     - 74.125.0.0/16
>     - 74.125.205.0/24
>     - 74.125.232.0/24
>     - 79.142.100.0/23
>     - 85.114.0.0/16
>     - 87.225.0.0/17
>     - 87.240.128.0/17
>     - 90.154.64.0/18
>     - 91.233.218.0/23
>     - 91.236.100.0/23
>     - 91.236.102.0/24
>     - 91.239.53.0/24
>     - 92.223.0.0/20
>     - 93.100.195.0/24
>     - 93.186.224.0/20
>     - 94.100.176.0/20
>     - 95.142.192.0/20
>     - 95.213.0.0/18
> withdraw: []
>
>
> Theodore Baschak - AS395089 - Hextet Systems
> https://bgp.guru/ - https://hextet.net/
> http://mbix.ca/ - http://mbnog.ca/
>
>
>
> _______________________________________________
> MBNOG mailing list
> MBNOG at lists.mbnog.ca
> https://lists.mbnog.ca/mailman/listinfo/mbnog
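The workflow in Theodore's quoted post (MABO-style update records, keep only prefixes originated by AS39523, drop the prefix that AS normally originates, then sort the rest into equal, more specific, less specific and otherwise unadvertised against what the legitimate origins announce) as an added Python example that is not part of the thread. The YAML sample, the baseline prefixes and the 203.0.113.0/24 stand-in for AS39523's own prefix are constructed, and the parser only handles the flat key/list shape quoted above, not MABO's full output.

```python
import ipaddress
# Constructed sample in the shape of the MABO YAML quoted in the thread; 203.0.113.0/24 stands in for AS39523's own prefix.
SAMPLE_UPDATES = """\
type: update
peer_as: 6939
as_path: 6939 31133 39523
announce:
    - 17.0.0.0/8
    - 173.194.122.0/24
    - 103.194.164.0/22
    - 185.32.248.0/22
    - 203.0.113.0/24
"""
# Constructed baseline (placeholder, not a real RIB snapshot) of what the legitimate origins announced before the event.
BASELINE = [ipaddress.ip_network(p) for p in
            ("17.0.0.0/8", "173.194.0.0/16", "103.194.164.0/24")]
LEGIT_FOR_SUSPECT = {ipaddress.ip_network("203.0.113.0/24")}  # constructed stand-in

def parse_updates(text):
    """Yield one dict per '---'-separated record of 'key: value' / '    - item' lines."""
    for block in text.split("\n---\n"):
        rec, key = {}, None
        for line in block.splitlines():
            if line.startswith("    - "):
                rec.setdefault(key, []).append(line[6:].strip())
            elif ":" in line:
                key, val = (s.strip() for s in line.split(":", 1))
                rec[key] = [] if val in ("", "[]") else val
        if rec:
            yield rec

def classify(prefix, baseline):
    """Relate an announced prefix to the baseline, as the post does by eye."""
    net = ipaddress.ip_network(prefix)
    if net in baseline:
        return "equal"
    if any(net.subnet_of(b) for b in baseline):
        return "more-specific"
    return "less-specific" if any(b.subnet_of(net) for b in baseline) else "unadvertised"

def suspect_announcements(text, origin_as, baseline, exclude=()):
    """Classify every prefix announced with origin_as at the end of the AS path."""
    out = {}
    for rec in parse_updates(text):
        path = rec.get("as_path", "").split()
        if path and path[-1] == str(origin_as):
            for p in rec.get("announce", []):
                if ipaddress.ip_network(p) not in exclude:
                    out[p] = classify(p, baseline)
    return out
```

Running `suspect_announcements(SAMPLE_UPDATES, 39523, BASELINE, LEGIT_FOR_SUSPECT)` gives the same four categories the post describes, with the suspect's own prefix filtered out.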