[MBNOG] local PCH data on 2017-12-12 Russian BGP Hijacks

Sean McKenzie SeanMcKenzie at rfnow.com
Wed Dec 20 12:07:21 CST 2017


I thought that might be the situation over there as well. Would have been neat to see the result if they were not direct peered. Thanks for checking it out though.

Sean McKenzie | Network Architect | RFNow <http://www.rfnow.com/>,
P.O. Box 639, 297 Nelson Street West, Virden, MB, R0M 2C0
Phone: 204-748-4834 | Cell: 204-509-8611 | Email: seanmckenzie at rfnow.com


On Dec 19, 2017, at 10:00 PM, Theodore Baschak via MBNOG <mbnog at lists.mbnog.ca> wrote:

I pulled down the file from PCH that has Dec 12th from YYCIX and their PCH also saw the same hijacks.

<https://www.pch.net/resources/Raw_Routing_Data/route-collector.yyc.pch.net/2017/12/12/route-collector.yyc.pch.net-mrt-bgp-updates-2017-12-12-07-08.gz> contains the updates in question.

This likely means that PCH and HE.net have direct peering, masking the visibility of the success of their endeavour from us in this real-world hijacking event.



Theodore Baschak - AS395089 - Hextet Systems
https://bgp.guru/ - https://hextet.net/
http://mbix.ca/ - http://mbnog.ca/



On Tue, Dec 19, 2017 at 9:40 PM, Sean McKenzie <SeanMcKenzie at rfnow.com> wrote:
It would be interesting to see if there was any difference between the collector at MBIX and YYCIX. Strict filtering was enabled on the route servers over there about two months ago.

Would it be much work to generate the list from the yyc collector?

Thanks,
Sean McKenzie | Network Architect | RFNow <http://www.rfnow.com/>,
P.O. Box 639, 297 Nelson Street West, Virden, MB, R0M 2C0
Phone: 204-748-4834 | Cell: 204-509-8611 | Email: seanmckenzie at rfnow.com


On Dec 13, 2017, at 10:35 PM, Theodore Baschak via MBNOG <mbnog at lists.mbnog.ca> wrote:

The other day there were some prefixes hijacked by Russians.
https://bgpmon.net/popular-destinations-rerouted-to-russia/

I wanted to see if we were affected in Winnipeg. My own routing data would work, but I'm in the middle of learning about MRT files... (I really want to be collecting data in MRT format -- I'll get there soon)

So I downloaded some of the larger update files from https://www.pch.net/resources/Raw_Routing_Data/route-collector.ywg.pch.net/2017/12/12/ and ran them through MABO (https://github.com/ANSSI-FR/mabo) to see which prefixes that AS (39523) had announced.

Turns out there were quite a few that had leaked through MBIX to PCH. This is via the HE.net MBIX peer to PCH. (They may have direct peering, so even if MBIX filtered them they could still have seen the bad routes via direct peering.)

I haven't looked into the list much yet, but from what I can see it's an interesting mix of more-specific advertisements, less-specific advertisements, equal-sized advertisements to what was seen, and some otherwise unadvertised IP space.

Quick parsing on orgs has:
Google (both 15169 and 36040), Facebook, Choopa (Vultr), Valve, Riot Games, Microsoft, Apple, Twitch,
and some other ASNs that my quick lookup script doesn't have names on.

Converting the BGP update to JSON then to YAML gives a more readable packet.

(I've removed the legitimate prefix that 39523 normally originates from this output/list)

type: update
timestamp: 1513053806
peer_as: 6939
peer_ip: 206.72.208.13
as_path: 6939 31133 39523
announce:
    - 1.21.6.0/24
    - 1.21.7.0/24
    - 103.194.164.0/22
    - 104.237.160.0/19
    - 111.89.0.0/16
    - 13.104.0.0/14
    - 13.64.0.0/11
    - 13.96.0.0/13
    - 155.131.0.0/16
    - 155.132.0.0/15
    - 155.133.245.0/24
    - 162.254.0.0/16
    - 162.254.192.0/21
    - 17.0.0.0/8
    - 172.217.0.0/16
    - 173.194.0.0/16
    - 173.194.122.0/24
    - 173.194.220.0/24
    - 173.194.32.0/24
    - 173.194.44.0/24
    - 173.199.64.0/18
    - 179.60.192.0/22
    - 185.32.248.0/22
    - 185.42.204.0/22
    - 185.48.56.0/22
    - 185.5.136.0/22
    - 188.128.96.0/24
    - 192.16.64.0/21
    - 194.85.113.0/24
    - 204.79.195.0/24
    - 204.79.196.0/23
    - 207.198.114.0/24
    - 209.85.128.0/17
    - 209.85.233.0/24
    - 216.239.32.0/19
    - 216.58.192.0/19
    - 216.58.201.0/24
    - 216.58.206.0/24
    - 217.69.128.0/20
    - 222.144.0.0/13
    - 31.13.71.0/24
    - 31.13.84.0/24
    - 31.13.91.0/24
    - 31.13.92.0/24
    - 37.29.18.0/23
    - 43.229.64.0/22
    - 45.121.186.0/23
    - 45.32.0.0/16
    - 45.63.0.0/16
    - 45.76.0.0/15
    - 46.61.0.0/16
    - 46.8.60.0/23
    - 46.8.62.0/23
    - 5.143.0.0/17
    - 64.233.160.0/19
    - 64.233.162.0/24
    - 64.233.163.0/24
    - 66.102.0.0/20
    - 66.220.144.0/20
    - 66.249.80.0/20
    - 72.14.192.0/18
    - 74.125.0.0/16
    - 74.125.205.0/24
    - 74.125.232.0/24
    - 79.142.100.0/23
    - 85.114.0.0/16
    - 87.225.0.0/17
    - 87.240.128.0/17
    - 90.154.64.0/18
    - 91.233.218.0/23
    - 91.236.100.0/23
    - 91.236.102.0/24
    - 91.239.53.0/24
    - 92.223.0.0/20
    - 93.100.195.0/24
    - 93.186.224.0/20
    - 94.100.176.0/20
    - 95.142.192.0/20
    - 95.213.0.0/18
withdraw: []



Theodore Baschak - AS395089 - Hextet Systems
https://bgp.guru/ - https://hextet.net/
http://mbix.ca/ - http://mbnog.ca/



_______________________________________________
MBNOG mailing list
MBNOG at lists.mbnog.ca<mailto:MBNOG at lists.mbnog.ca>
https://lists.mbnog.ca/mailman/listinfo/mbnog
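Editor's note: the Dec 13 message above describes pulling PCH MRT update files and running them through MABO to find what AS 39523 announced, then eyeballing the result as a mix of more-specific, less-specific, equal and otherwise unadvertised space. The following is an added example of doing the same two steps in plain Python; it is not MABO, not PCH tooling and not code from anyone in the thread. It implements only the RFC 6396 BGP4MP_MESSAGE / BGP4MP_MESSAGE_AS4 framing and the RFC 4271 UPDATE layout for IPv4 unicast, and the sample record and the "baseline" prefix list are constructed for the demo (the AS path is the one quoted above; the baseline is not a statement about what any network legitimately announces).

```python
"""Pull the prefixes an origin AS announced out of an MRT BGP update dump (RFC 6396 BGP4MP, RFC 4271 UPDATE).

Added example for this thread, not MABO or PCH tooling. Handles BGP4MP_MESSAGE (2-byte ASNs) and
BGP4MP_MESSAGE_AS4 (4-byte ASNs), IPv4 unicast NLRI only. SAMPLE_DATA / SAMPLE_BASELINE are constructed here
to resemble the 2017-12-12 event; they are not PCH data and say nothing about what any AS legitimately announces.
"""
import ipaddress
import struct
from collections import namedtuple

MRT_BGP4MP, BGP_UPDATE, ATTR_AS_PATH = 16, 2, 2
SUBTYPE_ASN_SIZE = {1: 2, 4: 4}  # BGP4MP_MESSAGE -> 2-byte ASNs, BGP4MP_MESSAGE_AS4 -> 4-byte ASNs
Update = namedtuple("Update", "timestamp peer_as peer_ip as_path announced withdrawn")  # as_path[-1] is the origin

def _nlri(buf, off, end):
    """Decode IPv4 NLRI between off and end: a prefix-length byte, then ceil(len/8) address bytes, repeated."""
    out = []
    while off < end:
        plen, nbytes = buf[off], (buf[off] + 7) // 8
        addr = buf[off + 1:off + 1 + nbytes].ljust(4, b"\x00")
        out.append(str(ipaddress.IPv4Network((addr, plen), strict=False)))
        off += 1 + nbytes
    return tuple(out)

def _as_path(attr, asn_size):
    """Flatten AS_PATH segments (AS_SEQUENCE and AS_SET alike) into one tuple of ASNs."""
    fmt, path, off = "I" if asn_size == 4 else "H", [], 0
    while off + 2 <= len(attr):
        count = attr[off + 1]  # attr[off] is the segment type
        path.extend(struct.unpack("!%d%s" % (count, fmt), attr[off + 2:off + 2 + asn_size * count]))
        off += 2 + asn_size * count
    return tuple(path)

def iter_updates(data):
    """Walk MRT records and yield every BGP4MP UPDATE; other record and message types are skipped."""
    off = 0
    while off + 12 <= len(data):
        ts, mtype, subtype, length = struct.unpack_from("!IHHI", data, off)
        rec, off = data[off + 12:off + 12 + length], off + 12 + length
        asn_size = SUBTYPE_ASN_SIZE.get(subtype)
        if mtype != MRT_BGP4MP or asn_size is None:  # state changes, local messages, TABLE_DUMP etc.
            continue
        peer_as = struct.unpack_from("!I" if asn_size == 4 else "!H", rec, 0)[0]
        afi = struct.unpack_from("!H", rec, 2 * asn_size + 2)[0]  # after peer AS, local AS, ifindex
        ip_len, p = (4 if afi == 1 else 16), 2 * asn_size + 4
        peer_ip = str(ipaddress.ip_address(rec[p:p + ip_len]))
        bgp = rec[p + 2 * ip_len:]  # skip peer and local addresses; BGP message follows
        if len(bgp) < 23 or bgp[18] != BGP_UPDATE:  # 16-byte marker, 2-byte length, 1-byte type
            continue
        body = bgp[19:]
        wlen = struct.unpack_from("!H", body, 0)[0]
        attrs_len = struct.unpack_from("!H", body, 2 + wlen)[0]
        a, attrs_end, path = 4 + wlen, 4 + wlen + attrs_len, ()
        while a < attrs_end:
            flags, atype = body[a], body[a + 1]
            if flags & 0x10:  # Extended Length bit: 2-byte attribute length
                alen, a = struct.unpack_from("!H", body, a + 2)[0], a + 4
            else:
                alen, a = body[a + 2], a + 3
            if atype == ATTR_AS_PATH:
                path = _as_path(body[a:a + alen], asn_size)
            a += alen
        yield Update(ts, peer_as, peer_ip, path, _nlri(body, attrs_end, len(body)), _nlri(body, 2, 2 + wlen))

def prefixes_by_origin(data, origin_as):
    """Return [(prefix, peer_as, as_path)] for every announcement whose AS_PATH ends in origin_as."""
    return [(pfx, u.peer_as, u.as_path) for u in iter_updates(data)
            if u.as_path and u.as_path[-1] == origin_as for pfx in u.announced]

def classify(prefix, baseline):
    """Relate an announced prefix to the routes normally seen for that space (the categories from the thread)."""
    net = ipaddress.ip_network(prefix)
    for legit in map(ipaddress.ip_network, baseline):
        if net == legit:
            return "equal"
        if net.subnet_of(legit):
            return "more specific"
        if legit.subnet_of(net):
            return "less specific"
    return "unadvertised"

def build_sample_record(ts, peer_as, peer_ip, as_path, prefixes):
    """Encode one BGP4MP_MESSAGE_AS4 UPDATE inside an MRT header. Constructed test data only."""
    nlri = b"".join(bytes([n.prefixlen]) + n.network_address.packed[:(n.prefixlen + 7) // 8]
                    for n in map(ipaddress.IPv4Network, prefixes))
    seg = bytes([2, len(as_path)]) + struct.pack("!%dI" % len(as_path), *as_path)  # one AS_SEQUENCE segment
    attrs = bytes([0x40, 1, 1, 0]) + bytes([0x40, ATTR_AS_PATH, len(seg)]) + seg   # ORIGIN=IGP, then AS_PATH
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri                         # no withdrawn routes
    msg = b"\xff" * 16 + struct.pack("!HB", 19 + len(body), BGP_UPDATE) + body
    rec = (struct.pack("!IIHH", peer_as, 64512, 0, 1)  # 64512 = placeholder collector ASN, AFI 1 = IPv4
           + ipaddress.IPv4Address(peer_ip).packed + ipaddress.IPv4Address("192.0.2.1").packed + msg)
    return struct.pack("!IHHI", ts, MRT_BGP4MP, 4, len(rec)) + rec

# Constructed sample: the AS path from the thread, with prefixes picked to hit each classify() outcome.
SAMPLE_BASELINE = ["173.194.0.0/16", "31.13.92.0/24"]  # stand-in for "normally seen" routes, not real RIB data
SAMPLE_DATA = build_sample_record(1513053806, 6939, "206.72.208.13", [6939, 31133, 39523],
                                  ["173.194.0.0/16", "173.194.122.0/24", "31.13.64.0/19", "194.85.113.0/24"])
```

Against a real PCH file the input is simply the decompressed dump, e.g. `prefixes_by_origin(gzip.open(path, "rb").read(), 39523)`, and the baseline would be the set of prefixes for the same address space seen from other peers or in the previous hour's RIB dump. Two caveats worth keeping in mind: the origin check uses the last AS in the flattened path, which is ambiguous when the final segment is an AS_SET, and a collector that hears the prefix from several peers will report it once per peer, so deduplicate on (prefix, as_path) before counting.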
