[MBNOG] local PCH data on 2017-12-12 Russian BGP Hijacks

Theodore Baschak theodore at ciscodude.net
Wed Dec 20 12:33:30 CST 2017


The other thing is that IRR itself isn't a 100% trustworthy source of information. So building a bunch of filters that include data that anyone technical can create can still allow prefixes to be hijacked intentionally if things are planned in advance. IRR-based filters do protect very well against escaped routes from things like routing optimizers, IGP craziness, etc. 

For instance 393927 -- a local MB ASN -- was hijacked by someone in 2016 and 2017 to originate a bunch of /18's and /22's and whatnot. [1] All of these routes had IRR entries created weeks or months in advance. Most of these are gone now, but a handful of them still exist today. [2] They had lots of time to be imported by every filter around the world. I saw the false IRR entries show up one day on BGP.he.net, set up monitoring for the prefixes, and waited for the hijacks to come -- which they did a few months later starting 2016-04-20 at 3:30pm local Manitoba time. I've seen false IRR entries used fairly often in intentional BGP hijacks.

[1]: https://stat.ripe.net/widget/routing-history#w.resource=AS393927
[2]: https://apps.db.ripe.net/db-web-ui/#/query?searchtext=ANTBR-MNT&inverse=mnt-by&bflag=true&source=RIPE


Theodore Baschak - AS395089 - Hextet Systems
https://bgp.guru/ - https://hextet.net/
http://mbix.ca/ - http://mbnog.ca/
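An added illustration of the point made above; this is not part of the message and not code from the author. It puts a prefix filter generated from IRR route objects, one of which was planted ahead of time, next to a per-prefix origin monitor of the kind described. All prefixes, ASNs and route objects are constructed (documentation ranges and private ASNs), and the exact prefix-plus-origin match is an assumption about how the generated filter behaves.

```python
# Added example (not from the thread): an IRR-derived prefix filter next to an
# independent origin monitor. Every route object, ASN and prefix here is constructed
# from documentation ranges and private ASNs.
import ipaddress

# Constructed IRR route objects as (prefix, origin AS). The last one was created by the
# attacker months ahead of time, so every filter generated from IRR data already has it.
IRR_ROUTE_OBJECTS = [
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/22", 64497),
    ("203.0.113.0/24", 64498),
    ("198.51.100.0/24", 64500),      # planted by the hijacker
]

# Constructed announcements as (prefix, AS_PATH); the origin is the last ASN.
ANNOUNCEMENTS = [
    ("198.51.100.0/22", [64499, 64497]),   # legitimate
    ("198.51.100.0/24", [64499, 64500]),   # planned hijack, route object planted in advance
    ("203.0.113.0/25", [64499, 64498]),    # accidental leak of a more-specific, no route object
]

# Prefixes worth watching and the origins they should carry (what the monitoring
# described in the message checks for).
WATCHED = {"198.51.100.0/22": {64497}, "203.0.113.0/24": {64498}}


def build_irr_filter(route_objects):
    """Exact (prefix, origin) pairs, the way a prefix-list generated from IRR data matches."""
    return {(ipaddress.ip_network(p), origin) for p, origin in route_objects}


def irr_accepts(prefix, as_path, allowed):
    """True if the announced prefix and its origin AS are backed by a route object."""
    return (ipaddress.ip_network(prefix), as_path[-1]) in allowed


def monitor(prefix, as_path, watched):
    """Alert when a watched prefix, or any more-specific of it, appears with an unexpected origin."""
    p = ipaddress.ip_network(prefix)
    for w, origins in watched.items():
        w = ipaddress.ip_network(w)
        if (p == w or p.subnet_of(w)) and as_path[-1] not in origins:
            return "ALERT %s origin AS%d inside %s (expected %s)" % (
                prefix, as_path[-1], w, sorted(origins))
    return None


def evaluate(announcements=ANNOUNCEMENTS, route_objects=IRR_ROUTE_OBJECTS, watched=WATCHED):
    """Return (prefix, passes IRR filter, monitor alert or None) for each announcement."""
    allowed = build_irr_filter(route_objects)
    return [(p, irr_accepts(p, path, allowed), monitor(p, path, watched))
            for p, path in announcements]
```

Run `evaluate()`: the legitimate /22 passes the filter with no alert, the leaked /25 is dropped by the filter because nobody created a route object for it, and the planned /24 sails through the filter because its object was there months earlier; only the origin monitor flags it.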

> On Dec 20, 2017, at 12:07 PM, Sean McKenzie <SeanMcKenzie at rfnow.com> wrote:
> 
> I thought that might be the situation over there as well. Would have been neat to see the result if they were not direct peered. Thanks for checking it out though.
> 
> Sean McKenzie | Network Architect | RFNow <http://www.rfnow.com/>, 
> P.O. Box 639, 297 Nelson Street West, Virden, MB, R0M 2C0
> Phone: 204-748-4834 | Cell: 204-509-8611 | Email: seanmckenzie at rfnow.com
> 
> 
>> On Dec 19, 2017, at 10:00 PM, Theodore Baschak via MBNOG <mbnog at lists.mbnog.ca> wrote:
>> 
>> I pulled down the file from PCH that has Dec 12th from YYCIX and their PCH also saw the same hijacks. 
>> 
>> https://www.pch.net/resources/Raw_Routing_Data/route-collector.yyc.pch.net/2017/12/12/route-collector.yyc.pch.net-mrt-bgp-updates-2017-12-12-07-08.gz contains the updates in question.
>> 
>> This likely means that PCH and HE.net have direct peering, masking the visibility of the success of their endeavour from us in this real-world hijacking event.
>> 
>> 
>> 
>> Theodore Baschak - AS395089 - Hextet Systems
>> https://bgp.guru/ - https://hextet.net/
>> http://mbix.ca/ - http://mbnog.ca/
>> 
>> 
>> 
>> On Tue, Dec 19, 2017 at 9:40 PM, Sean McKenzie <SeanMcKenzie at rfnow.com> wrote:
>> It would be interesting to see if there was any difference between the collector at MBIX and YYCIX. Strict filtering was enabled on the route servers over there about two months ago.
>> 
>> Would it be much work to generate the list from the yyc collector?
>> 
>> Thanks,
>> Sean McKenzie | Network Architect | RFNow <http://www.rfnow.com/>, 
>> P.O. Box 639, 297 Nelson Street West, Virden, MB, R0M 2C0
>> Phone: 204-748-4834 | Cell: 204-509-8611 | Email: seanmckenzie at rfnow.com
>> 
>> 
>>> On Dec 13, 2017, at 10:35 PM, Theodore Baschak via MBNOG <mbnog at lists.mbnog.ca> wrote:
>>> 
>>> The other day there were some prefixes hijacked by Russians.
>>> https://bgpmon.net/popular-destinations-rerouted-to-russia/
>>> 
>>> I wanted to see if we were affected in Winnipeg. My own routing data would work, but I'm in the middle of learning about MRT files... (I really want to be collecting data in MRT format -- I'll get there soon)
>>> 
>>> So I downloaded some of the larger update files from https://www.pch.net/resources/Raw_Routing_Data/route-collector.ywg.pch.net/2017/12/12/ and ran it thru MABO (https://github.com/ANSSI-FR/mabo) to see which prefixes that AS (39523) had announced.
>>> 
>>> Turns out quite a few had leaked thru MBIX to PCH. This is via the HE.net MBIX peer to PCH. (They may have direct peering, so even if MBIX filtered them they could still have seen the bad routes via direct peering.)
>>> 
>>> I haven't looked into the list much yet, but from what I can see it's an interesting mix of more-specific advertisements, less-specific advertisements, equal-sized advertisements to what was seen, and some otherwise unadvertised IP space.
>>> 
>>> Quick parsing on orgs has:
>>> google (both 15169 and 36040), facebook, choopa (vultr), valve, riot games, microsoft, apple, twitch
>>> and some other ASNs that my quick lookup script doesn't have names on.
>>> 
>>> Converting the BGP update to JSON then to YAML gives a more readable packet.
>>> 
>>> (I've removed the legitimate prefix that 39523 normally originates from this output/list)
>>> 
>>> type: update
>>> timestamp: 1513053806
>>> peer_as: 6939
>>> peer_ip: 206.72.208.13
>>> as_path: 6939 31133 39523
>>> announce:
>>>     - 1.21.6.0/24
>>>     - 1.21.7.0/24
>>>     - 103.194.164.0/22
>>>     - 104.237.160.0/19
>>>     - 111.89.0.0/16
>>>     - 13.104.0.0/14
>>>     - 13.64.0.0/11
>>>     - 13.96.0.0/13
>>>     - 155.131.0.0/16
>>>     - 155.132.0.0/15
>>>     - 155.133.245.0/24
>>>     - 162.254.0.0/16
>>>     - 162.254.192.0/21
>>>     - 17.0.0.0/8
>>>     - 172.217.0.0/16
>>>     - 173.194.0.0/16
>>>     - 173.194.122.0/24
>>>     - 173.194.220.0/24
>>>     - 173.194.32.0/24
>>>     - 173.194.44.0/24
>>>     - 173.199.64.0/18
>>>     - 179.60.192.0/22
>>>     - 185.32.248.0/22
>>>     - 185.42.204.0/22
>>>     - 185.48.56.0/22
>>>     - 185.5.136.0/22
>>>     - 188.128.96.0/24
>>>     - 192.16.64.0/21
>>>     - 194.85.113.0/24
>>>     - 204.79.195.0/24
>>>     - 204.79.196.0/23
>>>     - 207.198.114.0/24
>>>     - 209.85.128.0/17
>>>     - 209.85.233.0/24
>>>     - 216.239.32.0/19
>>>     - 216.58.192.0/19
>>>     - 216.58.201.0/24
>>>     - 216.58.206.0/24
>>>     - 217.69.128.0/20
>>>     - 222.144.0.0/13
>>>     - 31.13.71.0/24
>>>     - 31.13.84.0/24
>>>     - 31.13.91.0/24
>>>     - 31.13.92.0/24
>>>     - 37.29.18.0/23
>>>     - 43.229.64.0/22
>>>     - 45.121.186.0/23
>>>     - 45.32.0.0/16
>>>     - 45.63.0.0/16
>>>     - 45.76.0.0/15
>>>     - 46.61.0.0/16
>>>     - 46.8.60.0/23
>>>     - 46.8.62.0/23
>>>     - 5.143.0.0/17
>>>     - 64.233.160.0/19
>>>     - 64.233.162.0/24
>>>     - 64.233.163.0/24
>>>     - 66.102.0.0/20
>>>     - 66.220.144.0/20
>>>     - 66.249.80.0/20
>>>     - 72.14.192.0/18
>>>     - 74.125.0.0/16
>>>     - 74.125.205.0/24
>>>     - 74.125.232.0/24
>>>     - 79.142.100.0/23
>>>     - 85.114.0.0/16
>>>     - 87.225.0.0/17
>>>     - 87.240.128.0/17
>>>     - 90.154.64.0/18
>>>     - 91.233.218.0/23
>>>     - 91.236.100.0/23
>>>     - 91.236.102.0/24
>>>     - 91.239.53.0/24
>>>     - 92.223.0.0/20
>>>     - 93.100.195.0/24
>>>     - 93.186.224.0/20
>>>     - 94.100.176.0/20
>>>     - 95.142.192.0/20
>>>     - 95.213.0.0/18
>>> withdraw: []
>>> 
>>> 
>>> 
>>> Theodore Baschak - AS395089 - Hextet Systems
>>> https://bgp.guru/ - https://hextet.net/
>>> http://mbix.ca/ - http://mbnog.ca/
>>> 
>>> 
>>> _______________________________________________
>>> MBNOG mailing list
>>> MBNOG at lists.mbnog.ca
>>> https://lists.mbnog.ca/mailman/listinfo/mbnog
>> 
>> 
> 

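The procedure in the Dec 13 message (read the PCH collector's MRT update files, keep the UPDATEs whose AS_PATH ends in AS 39523, then sort the prefixes into more-specific, less-specific, equal-sized and otherwise unadvertised space), as an added example. It is not code from the thread, from MABO or from PCH. It assumes IPv4 BGP4MP_MESSAGE_AS4 records (RFC 6396 type 16, subtype 4) that each carry one UPDATE; the two records and the list of "normally seen" routes it classifies against are constructed here, not data from the collector.

```python
# Added example: minimal MRT (RFC 6396) BGP4MP_MESSAGE_AS4 reader; sample bytes are constructed.
import ipaddress, struct

MRT_BGP4MP, BGP4MP_MESSAGE_AS4 = 16, 4           # MRT type / subtype
BGP_UPDATE, ATTR_AS_PATH, AS_SEQUENCE = 2, 2, 2

def iter_mrt_records(data):
    """Yield (timestamp, type, subtype, body) for each MRT record in data."""
    off = 0
    while off + 12 <= len(data):
        ts, mtype, subtype, length = struct.unpack_from("!IHHI", data, off)
        body = data[off + 12:off + 12 + length]
        if len(body) != length:
            raise ValueError("truncated MRT record at offset %d" % off)
        yield ts, mtype, subtype, body
        off += 12 + length

def parse_nlri(buf):
    """Decode packed IPv4 NLRI: a prefix-length byte followed by the significant octets."""
    prefixes, off = [], 0
    while off < len(buf):
        plen, nbytes = buf[off], (buf[off] + 7) // 8
        octets = buf[off + 1:off + 1 + nbytes].ljust(4, b"\x00")
        prefixes.append(str(ipaddress.IPv4Network((octets, plen), strict=False)))
        off += 1 + nbytes
    return prefixes

def parse_update(msg):
    """Decode one BGP UPDATE into withdrawn prefixes, flattened AS_PATH and announced prefixes."""
    _marker, msg_len, mtype = struct.unpack_from("!16sHB", msg, 0)
    if mtype != BGP_UPDATE:
        return None
    wlen = struct.unpack_from("!H", msg, 19)[0]
    alen = struct.unpack_from("!H", msg, 21 + wlen)[0]
    attrs, as_path, a = msg[23 + wlen:23 + wlen + alen], [], 0
    while a < len(attrs):                            # flags, type, 1- or 2-byte length, value
        flags, code = attrs[a], attrs[a + 1]
        if flags & 0x10:                             # extended-length flag
            vlen, a = struct.unpack_from("!H", attrs, a + 2)[0], a + 4
        else:
            vlen, a = attrs[a + 2], a + 3
        s = a
        while code == ATTR_AS_PATH and s < a + vlen:  # AS4 segments: type, count, 4-byte ASNs
            count = attrs[s + 1]                     # AS_SET members are flattened as well
            as_path.extend(struct.unpack_from("!%dI" % count, attrs, s + 2))
            s += 2 + 4 * count
        a += vlen
    return {"withdraw": parse_nlri(msg[21:21 + wlen]), "as_path": as_path,
            "announce": parse_nlri(msg[23 + wlen + alen:msg_len])}

def updates_originated_by(data, origin_as):
    """Yield MABO-style dicts for each IPv4 UPDATE whose AS_PATH ends in origin_as."""
    for ts, mtype, subtype, body in iter_mrt_records(data):
        if (mtype, subtype) != (MRT_BGP4MP, BGP4MP_MESSAGE_AS4):
            continue                                 # ET records and 2-byte-ASN subtypes skipped
        peer_as, _local_as, _ifindex, afi = struct.unpack_from("!IIHH", body, 0)
        upd = parse_update(body[20:]) if afi == 1 else None   # IPv4 peers only; 20 = 12 + 2 addrs
        if upd and upd["announce"] and upd["as_path"][-1:] == [origin_as]:
            yield {"type": "update", "timestamp": ts, "peer_as": peer_as,
                   "peer_ip": str(ipaddress.IPv4Address(body[12:16])),
                   "as_path": " ".join(map(str, upd["as_path"])),
                   "announce": upd["announce"], "withdraw": upd["withdraw"]}

def classify(prefix, legit_routes):
    """Relate a suspect prefix to the routes normally seen for that space."""
    p = ipaddress.ip_network(prefix)
    for legit in map(ipaddress.ip_network, legit_routes):
        if p == legit:
            return "exact"
        if p.subnet_of(legit) or legit.subnet_of(p):
            return "more-specific" if p.subnet_of(legit) else "less-specific"
    return "unadvertised"

def build_record(ts, peer_as, peer_ip, as_path, prefixes):
    """Build one BGP4MP_MESSAGE_AS4 record carrying a single UPDATE (constructed test data)."""
    nlri = b"".join(bytes([n.prefixlen]) + n.network_address.packed[:(n.prefixlen + 7) // 8]
                    for n in map(ipaddress.ip_network, prefixes))
    seg = bytes([AS_SEQUENCE, len(as_path)]) + struct.pack("!%dI" % len(as_path), *as_path)
    attrs = (bytes([0x40, 1, 1, 0])                                           # ORIGIN = IGP
             + bytes([0x40, ATTR_AS_PATH, len(seg)]) + seg
             + bytes([0x40, 3, 4]) + ipaddress.IPv4Address(peer_ip).packed)  # NEXT_HOP
    payload = struct.pack("!HH", 0, len(attrs)) + attrs + nlri                # no withdrawals
    bgp = b"\xff" * 16 + struct.pack("!HB", 19 + len(payload), BGP_UPDATE) + payload
    body = (struct.pack("!IIHH", peer_as, 0, 0, 1)                            # local AS 0, AFI IPv4
            + ipaddress.IPv4Address(peer_ip).packed + b"\x00" * 4 + bgp)
    return struct.pack("!IHHI", ts, MRT_BGP4MP, BGP4MP_MESSAGE_AS4, len(body)) + body

# Constructed sample: the hijack path quoted in the thread with three of the listed prefixes,
# plus an unrelated announcement that must be filtered out.
SAMPLE = (build_record(1513053806, 6939, "206.72.208.13", [6939, 31133, 39523],
                       ["1.21.6.0/24", "13.64.0.0/11", "173.194.122.0/24"])
          + build_record(1513053807, 6939, "206.72.208.13", [6939, 64496], ["192.0.2.0/24"]))
LEGIT_ROUTES = ["1.21.6.0/24", "13.64.0.0/13", "173.194.0.0/16"]   # constructed, not real RIB data

def report(data=SAMPLE, origin_as=39523, legit_routes=LEGIT_ROUTES):
    """Return [(prefix, classification)] for everything origin_as announced in data."""
    return [(pfx, classify(pfx, legit_routes))
            for upd in updates_originated_by(data, origin_as) for pfx in upd["announce"]]
```

To point it at a real collector file, gunzip the download and pass the bytes to `updates_originated_by(data, 39523)`; each yielded dict has the same fields as the MABO output above. BGP4MP_ET records (type 17), the 2-byte-ASN BGP4MP_MESSAGE subtype and IPv6 peering sessions are skipped here, so a tool meant for arbitrary collector files needs to add those cases, and the `legit_routes` list has to come from what the collector actually held before the event rather than from a hand-written table.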