[GTER] Prefix hijacking...

Urik B. da Silva urik at rootz.com.br
Thu Apr 3 15:50:06 -03 2014


Good afternoon,

The problem originated from a large Indonesian provider, AS4761.
We received the email below from BGPmon:


Dear BGPmon.net user,

Today we observed a large-scale 'hijack' event that amongst others 
affected one or more of your prefixes. This email is to provide you with 
some additional information.

What happened?
Indosat, AS4761, one of Indonesia's largest telecommunication networks 
normally originates about 300 prefixes.  Starting at 18:26 UTC (April 2, 
2014) AS4761 began to originate 417,038 new prefixes normally announced 
by other Autonomous Systems such as yours. The 'mis-origination' event 
by Indosat lasted for several hours affecting different prefixes at 
different times until approximately 21:15 UTC.

What caused this?
Given the large scale of this event we presume this is not malicious or 
intentional but rather the result of an operational issue. Other sources 
report this was the result of a maintenance window gone bad. 
Interestingly we documented a similar event involving Indosat in 2011, 
more details regarding that incident can be found here: 
http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/

Impact
The impact of this event was different per network, many of the hijacked 
routes were seen by several providers in Thailand. This means that it's 
likely that communication between these providers in Thailand (as well 
as Indonesia) and your prefix may have been affected.
One of the heuristics we look at to determine the global impact of an 
event like this is the number of probes that detected the event. In this 
case, out of the 400k affected prefixes, 8,182 were detected by more 
than 10 different probes, which means that the scope and impact of this 
event was larger for these prefixes.
The link below is an example of a Syrian prefix that was hijacked by 
Indosat where the 'hijacked' route was seen from Australia to the US and 
Canada.
http://portal.bgpmon.net/data/indosat-hijack.png

What was the impact for my network?
By clicking on the alert details link in the alert email or portal you 
will see the number of probes that detected the hijacked route update. 
It also shows you where in the world these updates were seen so you'll 
have an idea of the geographical scope of the event.
Users with a premium account also have access to all the individual BGP 
updates as well as the full AS path. This will tell you in detail what 
networks selected this bad route and the exact timestamps. Some of you 
also received a phone call to inform you of the events immediately after 
detection (part of the Enterprise add-on).

BGP probe and peering
A BGP probe in this case means one of our peering partners. You too can 
become a peering partner and get access to our PeerMon service, for more 
details see:
http://portal.bgpmon.net/peermon.php

Questions and more information
I hope this provides you with some useful additional information 
regarding this event. Feel free to contact us should you have any follow 
up questions or would like to have more information for the purpose of 
further forensics.

Kind regards,
  Andree Toonk

--
  BGPmon.net
  info at bgpmon.net
  http://www.bgpmon.net/


Regards,


Urik Barbosa da Silva
http://www.linkedin.com/in/urikbs
Linux User #431806

On 02-04-2014 23:28, Gustavo Rodrigues Ramos wrote:
> Marcelo,
>
> This same alert was also discussed on other lists. The BGPmon folks
> posted on Twitter [1] that they detected alerts for more than 400k
> prefixes.
>
> The volume of announcement updates from this AS [2] from 18:00 to 21:00 UTC
> also indicates that "someone configured something wrong"...
>
> [1] https://twitter.com/bgpmon/status/451473684440416256
> [2] https://stat.ripe.net/AS4651#tabId=routing
>
> Cheers,
> Gustavo.
>
>
> On Wed, Apr 2, 2014 at 5:21 PM, Marcelo Seabra <marcelo.seabra at ps5.com.br> wrote:
>
>> Apparently the announcement of my prefixes looks normal on ripe.net
>> I'll treat it as a false alarm... and keep an eye on it, of course...
>>
>> 13 RRCs see 102 peers announcing 189.50.95.0/24 originated by AS28327 <https://stat.ripe.net/AS28327>:
>>   - RRC00 in Amsterdam, Netherlands sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC01 in London, United Kingdom sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC03 in Amsterdam, Netherlands sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC04 in Geneva, Switzerland sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC05 in Vienna, Austria sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC06 in Tokyo, Japan sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC07 in Stockholm, Sweden sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC10 in Milan, Italy sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC11 in New York City, New York, US sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC12 in Frankfurt, Germany sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC13 in Moscow, Russian Federation sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC14 in Palo Alto, California, US sees 1 ASN originating 189.50.95.0/24: AS28327
>>   - RRC15 in Sao Paulo, Brazil sees 1 ASN originating 189.50.95.0/24: AS28327
>>
>> --
>> gter list    https://eng.registro.br/mailman/listinfo/gter
>>
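
As an added example (not part of this thread and not BGPmon's or RIPEstat's own tooling), the check the BGPmon email above describes, run over constructed route-collector observations: flag prefixes whose observed origin AS differs from the expected one, count how many probes (collector/peer pairs) saw the bad route as the impact heuristic, and count how many foreign prefixes each origin AS is announcing. Only 189.50.95.0/24 with AS28327 and the hijacking AS4761 come from the thread; every other prefix and ASN is an assumed placeholder.

```python
from collections import defaultdict

# Constructed route-collector observations: (collector, peer ASN, prefix, origin ASN).
# Only 189.50.95.0/24 with AS28327 and the hijacking AS4761 come from the thread;
# the other prefixes and ASNs are documentation/private-range placeholders.
OBSERVATIONS = [
    ("RRC00", 3333,  "189.50.95.0/24", 28327),    # expected origin, seen normally
    ("RRC15", 64496, "189.50.95.0/24", 28327),
    ("RRC00", 3333,  "203.0.113.0/24", 64500),    # legitimate origin still visible
    ("RRC06", 64497, "203.0.113.0/24", 4761),     # wrong origin seen from Tokyo
    ("RRC06", 64498, "203.0.113.0/24", 4761),
    ("RRC06", 64499, "198.51.100.0/24", 4761),    # a second mis-originated prefix
] + [  # one prefix whose bad route reached 12 different probes
    ("RRC%02d" % n, 65000 + n, "192.0.2.0/24", 4761) for n in range(12)
]

# Expected origin per prefix, as the holder (or an RPKI ROA) would state it.
EXPECTED_ORIGIN = {
    "189.50.95.0/24": 28327,
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "192.0.2.0/24": 64502,
}

def find_misoriginations(observations, expected):
    """Map prefix -> {unexpected origin ASN -> set of (collector, peer) that saw it}.
    Prefixes with no expected origin on record are skipped, not flagged."""
    bad = defaultdict(lambda: defaultdict(set))
    for collector, peer, prefix, origin in observations:
        want = expected.get(prefix)
        if want is not None and origin != want:
            bad[prefix][origin].add((collector, peer))
    return bad

def widespread(bad, min_probes=10):
    """BGPmon's impact heuristic: prefixes whose bad route was seen by more than
    min_probes distinct probes, with the probe count for the worst origin."""
    return {prefix: max(len(seen) for seen in origins.values())
            for prefix, origins in bad.items()
            if any(len(seen) > min_probes for seen in origins.values())}

def foreign_prefixes_per_origin(bad):
    """How many prefixes each AS originates that belong to someone else; a jump
    from ~300 to 417,038 for AS4761 is what made this event visible."""
    counts = defaultdict(int)
    for origins in bad.values():
        for origin in origins:
            counts[origin] += 1
    return dict(counts)
```

In practice the observations would come from a route collector feed and the expected origins from your own prefix list or validated ROAs; the functions themselves do not change.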