Microsoft security contact

2014-04-02 Thread Henri Wahl
Hello,
can someone from Microsoft responsible for security contact me off-list
please?
Thanks & regards

-- 
Henri Wahl

IT Department
Leibniz-Institut fuer Festkoerper- u.
Werkstoffforschung Dresden

tel: (03 51) 46 59 - 797
email: h.w...@ifw-dresden.de
http://www.ifw-dresden.de

Nagios status monitor Nagstamon:
http://nagstamon.ifw-dresden.de

DHCPv6 server dhcpy6d:
http://dhcpy6d.ifw-dresden.de

IFW Dresden e.V., Helmholtzstrasse 20, D-01069 Dresden
VR Dresden Nr. 1369
Vorstand: Prof. Dr. Juergen Eckert, Dr. h.c. Dipl.-Finw. Rolf Pfrengle





Re: Microsoft security contact

2014-04-02 Thread Mehmet Akcin
Replied offlist

Mehmet

 On Apr 1, 2014, at 23:11, Henri Wahl h.w...@ifw-dresden.de wrote:
 
 Hello,
 can someone from Microsoft responsible for security contact me off-list
 please?
 Thanks & regards
 
 -- 
 Henri Wahl
 
 IT Department
 Leibniz-Institut fuer Festkoerper- u.
 Werkstoffforschung Dresden
 
 tel: (03 51) 46 59 - 797
 email: h.w...@ifw-dresden.de
 http://www.ifw-dresden.de
 
 Nagios status monitor Nagstamon:
 http://nagstamon.ifw-dresden.de
 
 DHCPv6 server dhcpy6d:
 http://dhcpy6d.ifw-dresden.de
 
 IFW Dresden e.V., Helmholtzstrasse 20, D-01069 Dresden
 VR Dresden Nr. 1369
 Vorstand: Prof. Dr. Juergen Eckert, Dr. h.c. Dipl.-Finw. Rolf Pfrengle
 



Re: new DNS forwarder vulnerability

2014-04-02 Thread Mark Allman

[catching up]

> That's a good question, but I know that during the ongoing survey
> within the Open Resolver Project [http://openresolverproject.org/],
> Jared found thousands of CPE devices which responded as resolvers.

Not thousands, *tens of millions*.

Our estimate from mid-2013 was 32M such devices (detailed in an IMC
paper last year; http://www.icir.org/mallman/pubs/SCRA13/).  And, that
roughly agrees with both the openresolverproject.org numbers and another
(not public) study I know of.  And, as if that isn't bad enough
... there is a 2010 IMC paper that puts the number at 15M.  I.e., the
instances of brokenness are getting worse---doubling in 3 years!  UGH.

allman







Re: new DNS forwarder vulnerability

2014-04-02 Thread Jared Mauch

On Apr 2, 2014, at 8:38 AM, Mark Allman mall...@icir.org wrote:

 
> [catching up]
>
>> That's a good question, but I know that during the ongoing survey
>> within the Open Resolver Project [http://openresolverproject.org/],
>> Jared found thousands of CPE devices which responded as resolvers.
>
> Not thousands, *tens of millions*.
>
> Our estimate from mid-2013 was 32M such devices (detailed in an IMC
> paper last year; http://www.icir.org/mallman/pubs/SCRA13/).  And, that
> roughly agrees with both the openresolverproject.org numbers and another
> (not public) study I know of.  And, as if that isn't bad enough
> ... there is a 2010 IMC paper that puts the number at 15M.  I.e., the
> instances of brokenness are getting worse---doubling in 3 years!  UGH.

One observation: The OpenResolverProject collects responses that come from
ports that the query was not sent to (ie: device responds from UDP/12345 not
from UDP/53, which obviously is broken and doesn't work, but they actually
return DNS payload which can be used for abuse).

Some good news though:

http://openresolverproject.org/breakdown-graph1.cgi

Since the start of 2014 there seem to be new CPE devices out there that are 
resolving this issue.  The linear nature of the line in the decrease doesn't 
seem to be something like ISPs started blocking udp/53 to customers, which 
would appear more like a step function.

I'm aware of some other studies ongoing to fingerprint CPE and their 
behaviors/aggregated resolver dependencies.  I expect to see some of that data 
presented at the upcoming DNS-OARC meeting in Warsaw.

Getting everyone to update their firmware on devices would go a long way as 
well.  Some vendors have no software QA on this front so add/remove the 
response on the WAN interface as their releases march forward.

- Jared


real-world data about fragmentation

2014-04-02 Thread Joe Abley
Hi all,

It's common wisdom that a datagram that needs to be fragmented between 
endpoints (because it is bigger than the path MTU) will demonstrate less 
reliable delivery and reassembly than a datagram that doesn't need to be 
fragmented, because math, firewall, other, take your pick.

Is anybody aware of any wide-scale studies that examine the probability of 
fragmentation of datagrams of different sizes?

For example, I could reasonably expect an IPv4 packet of 576 bytes not to be 
fragmented very often (to choose a size not at random). The probability of a 
10,000 octet IPv4 packet getting fragmented seems likely to be 100%, if we're 
talking about arbitrary paths across the Internet.

What does the curve look like between 576 bytes and 10,000 bytes?

I might expect exciting curve action around 1500 bytes (because ethernet), 1492 
(PPPoE), 1480 (GRE), etc. But I'm interested in actual data.

Anybody have any pointers? IPv4 and IPv6 are both interesting.


Joe


Re: real-world data about fragmentation

2014-04-02 Thread bmanning

I can send you a copy of an invited presentation at AINTEC from 2009.

/bill


On Wed, Apr 02, 2014 at 02:14:22PM -0400, Joe Abley wrote:
 Hi all,
 
 It's common wisdom that a datagram that needs to be fragmented between 
 endpoints (because it is bigger than the path MTU) will demonstrate less 
 reliable delivery and reassembly than a datagram that doesn't need to be 
 fragmented, because math, firewall, other, take your pick.
 
 Is anybody aware of any wide-scale studies that examine the probability of 
 fragmentation of datagrams of different sizes?
 
 For example, I could reasonably expect an IPv4 packet of 576 bytes not to be 
 fragmented very often (to choose a size not at random). The probability of a 
 10,000 octet IPv4 packet getting fragmented seems likely to be 100%, if we're 
 talking about arbitrary paths across the Internet.
 
 What does the curve look like between 576 bytes and 10,000 bytes?
 
 I might expect exciting curve action around 1500 bytes (because ethernet), 
 1492 (PPPoE), 1480 (GRE), etc. But I'm interested in actual data.
 
 Anybody have any pointers? IPv4 and IPv6 are both interesting.
 
 
 Joe



BGPMON Alert Questions

2014-04-02 Thread Joseph Jenkins
So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure they
are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761


Re: BGPMON Alert Questions

2014-04-02 Thread Shawn L
I just received the same exact notification -- same AS announcing one of my
blocks.


On Wed, Apr 2, 2014 at 2:51 PM, Joseph Jenkins
j...@breathe-underwater.com wrote:

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761



RE: BGPMON Alert Questions

2014-04-02 Thread Frank Bulk
I received a similar notification about one of our prefixes also a few
minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.  But I
also couldn't hit the websites for either AS, either.

Frank

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
Sent: Wednesday, April 02, 2014 1:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure they
are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761





Re: BGPMON Alert Questions

2014-04-02 Thread Þórhallur Hálfdánarson
I have received those for two prefixes so far.

Same origin+transit


Br,
Tolli


 On 2.4.2014, at 18:57, Joseph Jenkins j...@breathe-underwater.com wrote:
 
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761



RE: BGPMON Alert Questions

2014-04-02 Thread Kate Gerry
I just got the same thing.


Possible Prefix Hijack (Code: 10)

Your prefix:  173.44.32.0/19: 
Prefix Description:   AS8100 
Update time:  2014-04-02 18:40 (UTC)
Detected by #peers:   1
Detected prefix:  173.44.32.0/19 
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of 
Thailand(CAT),TH)
ASpath:   18356 38794 4651 4761 
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41639483
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41639483


Possible Prefix Hijack (Code: 10)

Your prefix:  173.205.80.0/20: 
Prefix Description:   AS8100 
Update time:  2014-04-02 18:40 (UTC)
Detected by #peers:   1
Detected prefix:  173.205.80.0/20 
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of 
Thailand(CAT),TH)
ASpath:   18356 38794 4651 4761 
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41639484
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41639484

--
Kate Gerry
Network Manager
k...@quadranet.com

1-888-5-QUADRA Ext 206 | www.QuadraNet.com
Dedicated Servers, Colocation, Cloud Services and more.
Datacenters in Los Angeles, Dallas and Miami.

Follow us on:  

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
Sent: Wednesday, April 2, 2014 11:52 AM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in Thailand 
announcing my prefix.  Everything looks fine to me and I've checked a bunch of 
different Looking Glasses and everything announcing correctly.

I am assuming I should be contacting the provider about their misconfiguration 
and announcing my prefixes and get them to fix it.  Any other recommendations?

Is there a way I can verify what they are announcing just to make sure they are 
still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761



Re: BGPMON Alert Questions

2014-04-02 Thread Seth Mattinen

On 4/2/14, 11:51, Joseph Jenkins wrote:

> So I setup BGPMON for my prefixes and got an alert about someone in
> Thailand announcing my prefix.  Everything looks fine to me and I've
> checked a bunch of different Looking Glasses and everything announcing
> correctly.
>
> I am assuming I should be contacting the provider about their
> misconfiguration and announcing my prefixes and get them to fix it.  Any
> other recommendations?




Same here for one of my /21s. Origin of AS4761 through AS4651.

~Seth



RE: BGPMON Alert Questions

2014-04-02 Thread David Hubbard
If you contact bgpmon support you may be able to get some more in-depth
information.  I've contacted them before with alerts like those and they
were able to give me specific date, time, ASN and interface information
about the peering points that received the announcements; that might
help make you present to the suspect party more likely to be acted upon.

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
Sent: Wednesday, April 02, 2014 2:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure
they are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761





Re: BGPMON Alert Questions

2014-04-02 Thread Vlade Ristevski

I just got the same alert for one of my prefixes one minute ago.

On 4/2/2014 2:59 PM, Frank Bulk wrote:

I received a similar notification about one of our prefixes also a few
minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.  But I
also couldn't hit the websites for either AS, either.

Frank

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
Sent: Wednesday, April 02, 2014 1:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure they
are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761





--
Vlad




RE: BGPMON Alert Questions

2014-04-02 Thread David Hubbard
Lol, and two minutes after I replied to you, I got the same alert about
the same AS with two of my prefixes. 

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
Sent: Wednesday, April 02, 2014 2:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure
they are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761





Re: BGPMON Alert Questions

2014-04-02 Thread Steve Rossen
Same alert for me on two of my prefixes. Still looking into it.


On Wed, Apr 2, 2014 at 1:59 PM, Frank Bulk frnk...@iname.com wrote:

 I received a similar notification about one of our prefixes also a few
 minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.  But I
 also couldn't hit the websites for either AS, either.

 Frank

 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 1:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761






Re: BGPMON Alert Questions

2014-04-02 Thread Octavio Alvarez
On 02/04/14 11:51, Joseph Jenkins wrote:
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761
 

Same here. I got an alert for two prefixes. Same origin AS, same AS path
for one of them: 18356 9931 4651 4761, but a different one for the
other: 18356 38794 4651 4761.




RE: BGPMON Alert Questions

2014-04-02 Thread eric-list
Sadly, it doesn't look like this is the first for Indosat either: 
January 14th, 2011
http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/


Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222


-Original Message-
From: Þórhallur Hálfdánarson [mailto:thorhallur.halfdanar...@advania.is] 
Sent: Wednesday, April 02, 2014 2:59 PM
To: Joseph Jenkins
Cc: nanog@nanog.org
Subject: Re: BGPMON Alert Questions

I have received those for two prefixes so far.

Same origin+transit


Br,
Tolli





Prefix hijack by AS4761 (was Re: BGPMON Alert Questions)

2014-04-02 Thread Stephen Fulton
I'm seeing the same hijack of prefixes by multiple networks under my 
watch, at 18:40 UTC and 19:06 UTC.


-- Stephen


On 2014-04-02 2:51 PM, Joseph Jenkins wrote:

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure they
are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761





Re: BGPMON Alert Questions

2014-04-02 Thread Rene Wilhelm


On 4/2/14, 8:51 PM, Joseph Jenkins wrote:

> So I setup BGPMON for my prefixes and got an alert about someone in
> Thailand announcing my prefix.  Everything looks fine to me and I've
> checked a bunch of different Looking Glasses and everything announcing
> correctly.
>
> I am assuming I should be contacting the provider about their
> misconfiguration and announcing my prefixes and get them to fix it.  Any
> other recommendations?
>
> Is there a way I can verify what they are announcing just to make sure they
> are still doing it?

You can check  RIPEstat's BGP  looking-glass:

https://stat.ripe.net/widget/looking-glass#w.resource=8.37.93.0%2F24

This combines the result of 13 RIPE RIS route collectors.

A minute ago I saw the INDOSAT announcement at 2 locations (Amsterdam, 
Frankfurt) from 3 out of 101 peers, but it seems to have stopped just now.


-- Rene




> Here is the alert for reference:
>
> Your prefix:  8.37.93.0/24:
>
> Update time:  2014-04-02 18:26 (UTC)
>
> Detected by #peers:   2
>
> Detected prefix:  8.37.93.0/24
>
> Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
> Provider,ID)
>
> Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
> Thailand(CAT),TH)
>
> ASpath:   18356 9931 4651 4761






Cogent - ATT issue?

2014-04-02 Thread Eric
Anyone know if there is a connectivity issue between Cogent and ATT in the 
northeast?  We're seeing random timeouts to some systems we have in an ATT data 
center but only from sources on Cogent's network.

Thanks... 

- Eric :)


RE: BGPMON Alert Questions

2014-04-02 Thread Chris Burton
This seems to be occurring to many, I have two of my prefixes being
announced by the same AS's, and I have confirmation from several others who
are seeing this as well.

Chris

-Original Message-
From: Seth Mattinen [mailto:se...@rollernet.us] 
Sent: Wednesday, April 02, 2014 12:03 PM
To: nanog@nanog.org
Subject: Re: BGPMON Alert Questions

On 4/2/14, 11:51, Joseph Jenkins wrote:
 So I setup BGPMON for my prefixes and got an alert about someone in 
 Thailand announcing my prefix.  Everything looks fine to me and I've 
 checked a bunch of different Looking Glasses and everything announcing 
 correctly.

 I am assuming I should be contacting the provider about their 
 misconfiguration and announcing my prefixes and get them to fix it.  
 Any other recommendations?



Same here for one of my /21s. Origin of AS4761 through AS4651.

~Seth




RE: BGPMON Alert Questions

2014-04-02 Thread Frank Bulk
bgpmon has tweeted that "We're currently observing a large hijack event.
Indosat AS4761 originating many prefixes not assigned to them."

Let's hope that AS4651 can quickly apply filters.

Frank

-Original Message-
From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com] 
Sent: Wednesday, April 02, 2014 2:03 PM
To: Joseph Jenkins; nanog@nanog.org
Subject: RE: BGPMON Alert Questions

If you contact bgpmon support you may be able to get some more in-depth
information.  I've contacted them before with alerts like those and they
were able to give me specific date, time, ASN and interface information
about the peering points that received the announcements; that might
help make you present to the suspect party more likely to be acted upon.

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
Sent: Wednesday, April 02, 2014 2:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure
they are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761








Re: BGPMON Alert Questions

2014-04-02 Thread Olivier Benghozi
... and same here.

Indosat looks now to have developed a solid experience in BGP prefix hijack 
mess (last time was in 2011).

Olivier

 On 4/2/14, 11:51, Joseph Jenkins wrote:
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 
 
 Same here for one of my /21s. Origin of AS4761 through AS4651.
 
 ~Seth
 




Re: BGPMON Alert Questions

2014-04-02 Thread Andree Toonk
I can confirm that indosat appears to be hijacking  many prefixes.
HE 6939 is one of the networks picking it up and distributing it
further. Here's an example for a Syrian prefix:

http://portal.bgpmon.net/data/indosat-hijack.png


Possible Prefix Hijack (Code: 10)

Your prefix:  5.0.0.0/18:
Prefix Description:   STE Public Data Network Backbone and LIR
Update time:  2014-04-02 18:47 (UTC)
Detected by #peers:   13
Detected prefix:  5.0.0.0/18
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS6939 (HURRICANE - Hurricane Electric, Inc.,US)
ASpath:   271 6939 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41644877
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41644877

Andree (BGPMON.net)

.-- My secret spy satellite informs me that at 2014-04-02 11:59 AM  Kate
Gerry wrote:
 I just got the same thing.
 
 
 Possible Prefix Hijack (Code: 10)
 
 Your prefix:  173.44.32.0/19: 
 Prefix Description:   AS8100 
 Update time:  2014-04-02 18:40 (UTC)
 Detected by #peers:   1
 Detected prefix:  173.44.32.0/19 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
 Provider,ID)
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of 
 Thailand(CAT),TH)
 ASpath:   18356 38794 4651 4761 
 Alert details:
 https://portal.bgpmon.net/alerts.php?detailsalert_id=41639483
 Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41639483
 
 
 Possible Prefix Hijack (Code: 10)
 
 Your prefix:  173.205.80.0/20: 
 Prefix Description:   AS8100 
 Update time:  2014-04-02 18:40 (UTC)
 Detected by #peers:   1
 Detected prefix:  173.205.80.0/20 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
 Provider,ID)
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of 
 Thailand(CAT),TH)
 ASpath:   18356 38794 4651 4761 
 Alert details:
 https://portal.bgpmon.net/alerts.php?detailsalert_id=41639484
 Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41639484
 
 --
 Kate Gerry
 Network Manager
 k...@quadranet.com
 
 1-888-5-QUADRA Ext 206 | www.QuadraNet.com
 Dedicated Servers, Colocation, Cloud Services and more.
 Datacenters in Los Angeles, Dallas and Miami.
 
 Follow us on:  
 
 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com] 
 Sent: Wednesday, April 2, 2014 11:52 AM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions
 
 So I setup BGPMON for my prefixes and got an alert about someone in Thailand 
 announcing my prefix.  Everything looks fine to me and I've checked a bunch 
 of different Looking Glasses and everything announcing correctly.
 
 I am assuming I should be contacting the provider about their 
 misconfiguration and announcing my prefixes and get them to fix it.  Any 
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure they 
 are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761
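
The alerts posted in this thread can be triaged mechanically. The following is an added example, not part of any message in the thread and not BGPMON's own code: it parses the alert text as it appears above (including the mail client's line wraps) and compares each announced origin with the origin the prefix holder expects. The function names and the `EXPECTED_ORIGINS` table are assumptions; the AS8100 entry is taken from the "Prefix Description" field of the alert and stands in for the operator's own record of who should originate the prefix.

```python
import ipaddress
import re
from collections import Counter

FIELDS = ("Your prefix", "Prefix Description", "Update time",
          "Detected by #peers", "Detected prefix", "Announced by",
          "Upstream AS", "ASpath", "Alert details", "Mark as false alert")
FIELD_RE = re.compile(r"^\s*(%s):\s*(.*)$" % "|".join(map(re.escape, FIELDS)))

# Sample input: three alerts as posted in the thread, wraps and blank lines kept.
SAMPLE = """\
Possible Prefix Hijack (Code: 10)

Your prefix:  173.44.32.0/19:
Prefix Description:   AS8100
Update time:  2014-04-02 18:40 (UTC)
Detected by #peers:   1
Detected prefix:  173.44.32.0/19
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 38794 4651 4761

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761

Your prefix:  5.0.0.0/18:
Prefix Description:   STE Public Data Network Backbone and LIR
Update time:  2014-04-02 18:47 (UTC)
Detected by #peers:   13
Detected prefix:  5.0.0.0/18
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS6939 (HURRICANE - Hurricane Electric, Inc.,US)
ASpath:   271 6939 4761
"""

# Assumption: the holder's own list of legitimate origin ASNs per prefix.
EXPECTED_ORIGINS = {"173.44.32.0/19": {8100}}


def _asn(text):
    return int(re.search(r"AS(\d+)", text).group(1))


def parse_alerts(text):
    """Split mail text into alerts; a 'Your prefix' line starts a new one."""
    raw, cur, key = [], None, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key = m.group(1)
            if key == "Your prefix":
                cur = {}
                raw.append(cur)
            if cur is not None:
                cur[key] = m.group(2).strip()
        elif line.strip() and cur is not None and key:
            # Wrapped continuation of the previous field (e.g. "Provider,ID)").
            cur[key] = (cur[key] + " " + line.strip()).strip()
        else:
            key = None  # blank line or preamble ends any continuation
    return [{
        "monitored": ipaddress.ip_network(a["Your prefix"].rstrip(": ")),
        "detected": ipaddress.ip_network(a["Detected prefix"]),
        "origin": _asn(a["Announced by"]),
        "upstream": _asn(a["Upstream AS"]),
        "path": [int(x) for x in a["ASpath"].split()],
        "peers": int(a["Detected by #peers"]),
        "time": a["Update time"],
    } for a in raw]


def classify(alert, expected_origins):
    """Compare the announced origin with what the prefix holder expects."""
    path = alert["path"]
    if len(path) < 2 or path[-1] != alert["origin"] or path[-2] != alert["upstream"]:
        return "inconsistent alert"
    allowed = expected_origins.get(str(alert["monitored"]))
    if allowed is None:
        return "origin unverified"  # no record to compare against
    if alert["origin"] in allowed:
        return "expected origin"
    if alert["detected"] == alert["monitored"]:
        return "exact-prefix origin mismatch"
    if alert["detected"].subnet_of(alert["monitored"]):
        return "more-specific origin mismatch"
    return "unrelated prefix"


def propagation(alerts):
    """Count alerts per (origin, upstream) pair to spot one shared event."""
    return Counter((a["origin"], a["upstream"]) for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE)
    for a in parsed:
        print(a["time"], a["detected"], classify(a, EXPECTED_ORIGINS), a["path"])
    print(dict(propagation(parsed)))
```

Grouping by (origin, upstream) is what the replies in this thread do by hand: the same origin AS seen behind more than one upstream points to one event affecting many holders rather than a single misrouted prefix.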
 



RE: BGPMON Alert Questions

2014-04-02 Thread Lee Johnston
Snap, announcing a few of our /21s and a /23. Seems they did something similar 
a few years ago: http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/

I can't make any contact with Indosat (website non responsive / email queuing). 
This is what I have back from Aware Corp. AS18356 (first AS in the path):

I can confirm that we are seeing your prefixes as advertised by AS4761, via one 
of our upstreams CAT AS4651 (THAI-GATEWAY The Communications Authority of 
Thailand(CAT),TH)
We (Aware Corporation - AS18356) operate a BGPMon PeerMon node which is 
probably why you are seeing this alert from our AS.
It is likely that your hijacked prefixes are being advertised to all of CAT's 
customers. 
I suggest contacting  AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
Provider,ID) directly for resolution as there is little we can do as a stub AS.



Regards,
Lee.



-Original Message-
From: Vlade Ristevski [mailto:vrist...@ramapo.edu] 
Sent: 02 April 2014 20:05
To: nanog@nanog.org
Subject: Re: BGPMON Alert Questions

I just got the same alert for one of my prefixes one minute ago.

On 4/2/2014 2:59 PM, Frank Bulk wrote:
 I received a similar notification about one of our prefixes also a few 
 minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.  
 But I also couldn't hit the websites for either AS, either.

 Frank

 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 1:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions

 So I setup BGPMON for my prefixes and got an alert about someone in 
 Thailand announcing my prefix.  Everything looks fine to me and I've 
 checked a bunch of different Looking Glasses and everything announcing 
 correctly.

 I am assuming I should be contacting the provider about their 
 misconfiguration and announcing my prefixes and get them to fix it.  
 Any other recommendations?

 Is there a way I can verify what they are announcing just to make sure 
 they are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761




--
Vlad





Re: Prefix hijack by AS4761 (was Re: BGPMON Alert Questions)

2014-04-02 Thread joel jaeggli
yeah you're seeing the impact of a pretty broad prefix injection

indosat's upstream filters seem to be working for the most part.

On 4/2/14, 12:10 PM, Stephen Fulton wrote:
 I'm seeing the same hijack of prefixes by multiple networks under my
 watch, at 18:40 UTC and 19:06 UTC.
 
 -- Stephen
 
 
 On 2014-04-02 2:51 PM, Joseph Jenkins wrote:
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
 they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications
 Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761

 






Re: BGPMON Alert Questions

2014-04-02 Thread Bryan Tong
Just got the same for 5 of my prefixes.


Possible Prefix Hijack (Code: 10)

Your prefix:  192.225.232.0/21:
Prefix Description:   ARIN direct allocation
Update time:  2014-04-02 19:26 (UTC)
Detected by #peers:   1
Detected prefix:  192.225.232.0/21
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41651791
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41651791


Possible Prefix Hijack (Code: 10)

Your prefix:  199.87.232.0/21:
Prefix Description:   Direct ARIN allocation
Update time:  2014-04-02 19:26 (UTC)
Detected by #peers:   1
Detected prefix:  199.87.232.0/21
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41651792
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41651792


Possible Prefix Hijack (Code: 10)

Your prefix:  162.245.228.0/24:
Update time:  2014-04-02 19:26 (UTC)
Detected by #peers:   1
Detected prefix:  162.245.228.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41651793
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41651793


Possible Prefix Hijack (Code: 10)

Your prefix:  198.44.191.0/24:
Prefix Description:   ARIN direct allocation
Update time:  2014-04-02 19:26 (UTC)
Detected by #peers:   1
Detected prefix:  198.44.191.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41651794
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41651794


Possible Prefix Hijack (Code: 10)

Your prefix:  23.249.176.0/20:
Prefix Description:   ARIN direct allocation
Update time:  2014-04-02 19:26 (UTC)
Detected by #peers:   1
Detected prefix:  23.249.176.0/20
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41651795
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41651795


On Wed, Apr 2, 2014 at 1:12 PM, Rene Wilhelm wilh...@ripe.net wrote:


 On 4/2/14, 8:51 PM, Joseph Jenkins wrote:

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
 they
 are still doing it?

 You can check  RIPEstat's BGP  looking-glass:

 https://stat.ripe.net/widget/looking-glass#w.resource=8.37.93.0%2F24

 This combines the result of 13 RIPE RIS route collectors.

 A minute ago I saw the INDOSAT announcement at 2 locations (Amsterdam,
 Frankfurt) from 3 out of 101 peers, but it seems to have stopped just now.

 -- Rene




 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761
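
Alerts like the ones pasted in this thread can be triaged in bulk. The following is an added example, not code from any poster or from BGPMon: it parses the alert field layout shown above (including the wrapped "Announced by" and "Upstream AS" lines), compares each detected origin with a table of expected origins, and summarizes which origin, upstream and vantage AS the alerts share. The `EXPECTED_ORIGINS` table, the documentation prefixes and AS64500/AS64501 are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the field layout of the alerts pasted in this thread.
# Prefixes and AS64500/AS64501 are documentation values; the two AS4761 paths
# are the ones quoted in the thread.
SAMPLE_ALERTS = """\
Possible Prefix Hijack (Code: 10)

Your prefix:  192.0.2.0/24:
Detected prefix:  192.0.2.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761

Your prefix:  198.51.100.0/24:
Detected prefix:  198.51.100.128/25
Announced by: AS4761 (INDOSAT-INP-AP)
Upstream AS:  AS4651 (THAI-GATEWAY)
ASpath:   18356 38794 4651 4761

Your prefix:  203.0.113.0/24:
Detected prefix:  203.0.113.0/24
Announced by: AS64500 (EXAMPLE-ORIGIN)
Upstream AS:  AS64501 (EXAMPLE-TRANSIT)
ASpath:   18356 64501 64500
"""

# Hypothetical table: prefixes you originate and the ASNs allowed to do so.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("192.0.2.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/24"): {64500},
    ipaddress.ip_network("203.0.113.0/24"): {64500},
}

FIELD = re.compile(r"^(Your prefix|Prefix Description|Update time|"
                   r"Detected by #peers|Detected prefix|Announced by|Upstream AS|"
                   r"ASpath|Alert details|Mark as false alert):\s*(.*)$")


def parse_alerts(text):
    """Split pasted alert text into one dict per alert, rejoining wrapped lines."""
    alerts, key = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()      # tolerate mail quoting
        if not line:
            key = None                       # a wrapped field never spans a blank line
            continue
        m = FIELD.match(line)
        if m:
            key = m.group(1)
            if key == "Your prefix":         # first field of every alert
                alerts.append({})
            if alerts:
                alerts[-1][key] = m.group(2).strip().rstrip(":")
        elif alerts and key:                 # continuation of a wrapped field
            alerts[-1][key] += " " + line
    return alerts


def as_number(field):
    return int(re.search(r"AS(\d+)", field).group(1))


def classify(alert, expected=EXPECTED_ORIGINS):
    """Compare one parsed alert with the expected-origin table."""
    detected = ipaddress.ip_network(alert["Detected prefix"])
    path = [int(a) for a in re.findall(r"\d+", alert["ASpath"])]
    origin, upstream = as_number(alert["Announced by"]), as_number(alert["Upstream AS"])
    covering = [p for p in expected
                if p.version == detected.version and detected.subnet_of(p)]
    registered = max(covering, key=lambda p: p.prefixlen, default=None)
    if registered is None:
        verdict = "not-monitored"
    elif origin in expected[registered]:
        verdict = "expected-origin"
    elif detected == registered:
        verdict = "origin-change"
    else:
        verdict = "more-specific-origin-change"
    return {"prefix": str(detected), "origin": origin, "upstream": upstream,
            "vantage": path[0], "verdict": verdict,
            # The alert is self-consistent if the path ends "... upstream origin".
            "path_consistent": path[-2:] == [upstream, origin]}


def summarize(results):
    """Group unexpected-origin alerts by (origin, upstream) and list vantage ASes."""
    bad = [r for r in results if r["verdict"].endswith("origin-change")]
    return {"by_origin_upstream": Counter((r["origin"], r["upstream"]) for r in bad),
            "vantage_points": sorted({r["vantage"] for r in bad})}


if __name__ == "__main__":
    print(summarize([classify(a) for a in parse_alerts(SAMPLE_ALERTS)]))
```

When every flagged alert shares one vantage AS, as with 18356 in this thread, the alerts describe what that one collector peer learned, not how far the announcement spread.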







Re: BGPMON Alert Questions

2014-04-02 Thread Bryan Tong
Another 5 of ours just got hit.

Anyone have any ideas on what will be done about it?


On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk frnk...@iname.com wrote:

 bgpmon has tweeted that We're currently observing a large hijack event.
 Indosat AS4761 originating many prefixes not assigned to them.

 Let's hope that AS4651 can quickly apply filters.

 Frank

 -Original Message-
 From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
 Sent: Wednesday, April 02, 2014 2:03 PM
 To: Joseph Jenkins; nanog@nanog.org
 Subject: RE: BGPMON Alert Questions

 If you contact bgpmon support you may be able to get some more in-depth
 information.  I've contacted them before with alerts like those and they
 were able to give me specific date, time, ASN and interface information
 about the peering points that received the announcements; that might
 help make you present to the suspect party more likely to be acted upon.

 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 2:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
 they are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761









-- 
eSited LLC
(701) 390-9638


Re: Prefix hijack by AS4761 (was Re: BGPMON Alert Questions)

2014-04-02 Thread Bob Snyder
On Wed, Apr 2, 2014 at 3:41 PM, joel jaeggli joe...@bogus.com wrote:

 yeah you're seeing the impact of a pretty broad prefix injection

 indosat's upstream filters seem to be working for the most part.


Based on the image they tweeted, I don't think they are doing much
filtering; the Syrian prefix was spread to a number of countries and AS. If
you have good US connectivity the impact seems limited due to better AS
Paths winning, but for less well connected prefixes I'm assuming it's more
up in the air.

Bob


Re: BGPMON Alert Questions

2014-04-02 Thread Bob Evans
Yes, I too have alerts for some of our prefixes from the same offending
origin 4761

On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change
event for your prefix (66.201.48.0/20 slash 20 bottom of nor cal)
The detected prefix: 66.201.48.0/20, was announced by AS4761
(INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Alert description:   Origin AS Change
Detected Prefix: 66.201.48.0/20
Detected Origin AS:   4761
Expected Origin AS:   26803

Bob Evans
CTO




 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
 they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761






Re: BGPMON Alert Questions

2014-04-02 Thread James Laszko
I have someone from cat.net.th on the phone and he doesn't speak a lot of 
English and I don't speak any Thai.  He knew what indosat was and their AS 
number.  He further stated he got my email (never told him who I was), but he 
said he would be replying ASAP.  We only had one /24 announced by indosat.


James Laszko
Mythos Technology Inc


Sent from my iPad

 On Apr 2, 2014, at 1:08 PM, Bryan Tong cont...@nullivex.com wrote:
 
 Another 5 of ours just got hit.
 
 Anyone have any ideas on what will be done about it?
 
 
 On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk frnk...@iname.com wrote:
 
 bgpmon has tweeted that We're currently observing a large hijack event.
 Indosat AS4761 originating many prefixes not assigned to them.
 
 Let's hope that AS4651 can quickly apply filters.
 
 Frank
 
 -Original Message-
 From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
 Sent: Wednesday, April 02, 2014 2:03 PM
 To: Joseph Jenkins; nanog@nanog.org
 Subject: RE: BGPMON Alert Questions
 
 If you contact bgpmon support you may be able to get some more in-depth
 information.  I've contacted them before with alerts like those and they
 were able to give me specific date, time, ASN and interface information
 about the peering points that received the announcements; that might
 help make you present to the suspect party more likely to be acted upon.
 
 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 2:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions
 
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure
 they are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761
 
 
 -- 
 eSited LLC
 (701) 390-9638



Re: BGPMON Alert Questions

2014-04-02 Thread James Laszko
I called into +66 2104-2374 


James Laszko
Mythos Technology Inc


Sent from my iPad

 On Apr 2, 2014, at 1:08 PM, Bryan Tong cont...@nullivex.com wrote:
 
 Another 5 of ours just got hit.
 
 Anyone have any ideas on what will be done about it?
 
 
 On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk frnk...@iname.com wrote:
 
 bgpmon has tweeted that We're currently observing a large hijack event.
 Indosat AS4761 originating many prefixes not assigned to them.
 
 Let's hope that AS4651 can quickly apply filters.
 
 Frank
 
 -Original Message-
 From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
 Sent: Wednesday, April 02, 2014 2:03 PM
 To: Joseph Jenkins; nanog@nanog.org
 Subject: RE: BGPMON Alert Questions
 
 If you contact bgpmon support you may be able to get some more in-depth
 information.  I've contacted them before with alerts like those and they
 were able to give me specific date, time, ASN and interface information
 about the peering points that received the announcements; that might
 help make you present to the suspect party more likely to be acted upon.
 
 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 2:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions
 
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure
 they are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761
 
 
 -- 
 eSited LLC
 (701) 390-9638



Re: BGPMON Alert Questions

2014-04-02 Thread Felix Aronsson
Seeing the same here for a /21. This seems to have happened before with
AS4761? See http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/ from
January 2011.


On Wed, Apr 2, 2014 at 8:51 PM, Joseph Jenkins
j...@breathe-underwater.com wrote:

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761



Re: real-world data about fragmentation

2014-04-02 Thread Jennifer Rexford
This isn't a direct answer to the question, but I find this paper pretty useful 
(even though it is dated now):

  Beyond Folklore: Observations on Fragmented Traffic
  by Colleen Shannon, David Moore, and k claffy
  IEEE/ACM Transactions on Networking, December 2002
  http://www.caida.org/publications/papers/2002/Frag/frag.pdf

(Bill, I'd be curious to see your AINTEC slides, too.)

-- Jen

  
On Apr 2, 2014, at 2:50 PM, bmann...@vacation.karoshi.com wrote:

 
 I can send you a copy of an invited presentation at AINTEC from 2009.
 
 /bill
 
 
 On Wed, Apr 02, 2014 at 02:14:22PM -0400, Joe Abley wrote:
 Hi all,
 
 It's common wisdom that a datagram that needs to be fragmented between 
 endpoints (because it is bigger than the path MTU) will demonstrate less 
 reliable delivery and reassembly than a datagram that doesn't need to be 
 fragmented, because math, firewall, other, take your pick.
 
 Is anybody aware of any wide-scale studies that examine the probability of 
 fragmentation of datagrams of different sizes?
 
 For example, I could reasonably expect an IPv4 packet of 576 bytes not to be 
 fragmented very often (to choose a size not at random). The probability of a 
 10,000 octet IPv4 packet getting fragmented seems likely to be 100%, if 
 we're talking about arbitrary paths across the Internet.
 
 What does the curve look like between 576 bytes and 10,000 bytes?
 
 I might expect exciting curve action around 1500 bytes (because ethernet), 
 1492 (PPPoE), 1480 (GRE), etc. But I'm interested in actual data.
 
 Anybody have any pointers? IPv4 and IPv6 are both interesting.
 
 
 Joe
 



Re: BGPMON Alert Questions

2014-04-02 Thread Andrew (Andy) Ashley
Hi All,

I am a network admin for Aware Corporation AS18356 (Thailand), as
mentioned in the alert.
We operate a BGPMon PeerMon node on our network, which peers with the
BGPMon service as a collector.

It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
prefixes and CAT (Communications Authority of Thailand AS4651) is not
filtering them, 
hence they are announced to us and are triggering these BGPMon alerts.

I have had several mails to our NOC about this already and have responded
directly to those.
I suggest contacting Indosat directly to get this resolved.
AS18356 is a stub AS, so we are not actually advertising these learned
hijacked prefixes to anyone but BGPMon for data collection purposes.

Thanks.

Regards,

Andrew Ashley

Office: +27 21 673 6841
E-mail: andre...@aware.co.th
Web: www.aware.co.th



On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:

I just got the same alert for one of my prefixes one minute ago.

On 4/2/2014 2:59 PM, Frank Bulk wrote:
 I received a similar notification about one of our prefixes also a few
 minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
But I
 also couldn't hit the websites for either AS, either.

 Frank

 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 1:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761




-- 
Vlad






Re: BGPMON Alert Questions

2014-04-02 Thread Mingwei Zhang
route-views4 /64.25.208.71 has seen updates that contain a large amount of
prefixes at time 1396464452 (04 / 02 / 14 @ 6:47:32pm UTC) with path
[20225, 6939, 4761]

full prefixes list: http://pastebin.com/Eu4ePgp4

Is it normal for a single update to contain such a large amount of NLRI info?


On Wed, Apr 2, 2014 at 12:08 PM, Octavio Alvarez
alvar...@alvarezp.ods.org wrote:

 On 02/04/14 11:51, Joseph Jenkins wrote:
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 

 Same here. I got an alert for two prefixes. Same origin AS, same AS path
 for one of them: 18356 9931 4651 4761, but a different one for the
 other: 18356 38794 4651 4761.





Re: BGPMON Alert Questions

2014-04-02 Thread Bryan Tong
They have advertised all of ours now.


On Wed, Apr 2, 2014 at 2:16 PM, Bob Evans b...@fiberinternetcenter.com wrote:

 Yes, I too have alerts for some of our prefixes from the same offending
 origin 4761

 On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change
 event for your prefix (66.201.48.0/20 slash 20 bottom of nor cal)
 The detected prefix: 66.201.48.0/20, was announced by AS4761
 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
 Alert description:   Origin AS Change
 Detected Prefix: 66.201.48.0/20
 Detected Origin AS:   4761
 Expected Origin AS:   26803

 Bob Evans
 CTO




  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
  they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 






-- 
eSited LLC
(701) 390-9638


Re: BGPMON Alert Questions

2014-04-02 Thread Blake Dunlap
Saw this as well on my blocks.

Is this malicious or did someone redistribute all of bgp with bad upstream
filtering?


On Wed, Apr 2, 2014 at 3:16 PM, James Laszko jam...@mythostech.com wrote:

 I have someone from cat.net.th on the phone and he doesn't speak a lot of
 English and I don't speak any Thai.  He knew what indosat was and their
 AS number.  He further stated he got my email (never told him who I was),
 but he said he would be replying ASAP.  We only had one /24 announced by
 indosat.


 James Laszko
 Mythos Technology Inc


 Sent from my iPad

  On Apr 2, 2014, at 1:08 PM, Bryan Tong cont...@nullivex.com wrote:
 
  Another 5 of ours just got hit.
 
  Anyone have any ideas on what will be done about it?
 
 
  On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk frnk...@iname.com wrote:
 
  bgpmon has tweeted that We're currently observing a large hijack event.
  Indosat AS4761 originating many prefixes not assigned to them.
 
  Let's hope that AS4651 can quickly apply filters.
 
  Frank
 
  -Original Message-
  From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
  Sent: Wednesday, April 02, 2014 2:03 PM
  To: Joseph Jenkins; nanog@nanog.org
  Subject: RE: BGPMON Alert Questions
 
  If you contact bgpmon support you may be able to get some more in-depth
  information.  I've contacted them before with alerts like those and they
  were able to give me specific date, time, ASN and interface information
  about the peering points that received the announcements; that might
  help make you present to the suspect party more likely to be acted upon.
 
  -Original Message-
  From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
  Sent: Wednesday, April 02, 2014 2:52 PM
  To: nanog@nanog.org
  Subject: BGPMON Alert Questions
 
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
  they are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
  of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 
 
  --
  eSited LLC
  (701) 390-9638




Re: new DNS forwarder vulnerability

2014-04-02 Thread Mark Andrews

In message c7e435c6-344f-49cd-9152-7a9ef2fa6...@puck.nether.net, Jared Mauch 
writes:

 On Apr 2, 2014, at 8:38 AM, Mark Allman mall...@icir.org wrote:

 
  [catching up]
 
  That's a good question, but I know that during the ongoing survey
  within the Open Resolver Project [http://openresolverproject.org/],
  Jared found thousands of CPE devices which responded as resolvers.
 
  Not thousands, *tens of millions*.
 
  Our estimate from mid-2013 was 32M such devices (detailed in an IMC
  paper last year; http://www.icir.org/mallman/pubs/SCRA13/).  And, that
  roughly agrees with both the openresolverproject.org numbers and another
  (not public) study I know of.  And, as if that isn't bad enough
  ... there is a 2010 IMC paper that puts the number at 15M.  I.e., the
  instances of brokenness are getting worse---doubling in 3 years!  UGH.

 One observation: The OpenResolverProject collects responses that come from
 ports that the query was not sent to (ie: device responds from UDP/12345
 not
 from UDP/53, which obviously is broken and doesn't work, but they
 actually
 return DNS payload which can be used for abuse).

 Some good news though:

 http://openresolverproject.org/breakdown-graph1.cgi

I see axes, legend but no data points.  If I hover over various spots
on the graph I see data values pop up.

 Since the start of 2014 there seem to be new CPE devices out there that
 are resolving this issue.  The linear nature of the line in the decrease
 doesn't seem to be something like ISPs started blocking udp/53 to
 customers, which would appear more like a step function.

 I'm aware of some other studies ongoing to fingerprint CPE and their
 behaviors/aggregated resolver dependencies.  I expect to see some of that
 data presented at the upcoming DNS-OARC meeting in Warsaw.

 Getting everyone to update their firmware on devices would go a long way
 as well.  Some vendors have no software QA on this front so add/remove
 the response on the WAN interface as their releases march forward.

 - Jared

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: BGPMON Alert Questions

2014-04-02 Thread Bob Evans
Where did you get that number?
aut-num:AS4761
as-name:INDOSAT-INP-AP
descr:  INDOSAT Internet Network Provider
descr:  Internet Network Access Point in INDONESIA
country:ID
admin-c:IH151-AP
tech-c: DA205-AP
mnt-by: MAINT-ID-INDOSAT-INP
changed:hostmas...@indosat.com 20081006
source: APNIC
person: Dewi Amalia
nic-hdl:DA205-AP
e-mail: dewi.ama...@indosat.com
address:PT INDOSAT
address:JL. Medan Merdeka Barat 21
address:Jakarta Pusat
phone:  +62-21-30444066
fax-no: +62-21-30001073
country:ID
changed:dewi.ama...@indosat.com 20080117
mnt-by: MAINT-ID-INDOSAT-INP
source: APNIC
person: INDOSAT INP Hostmaster
nic-hdl:IH151-AP
e-mail: hostmas...@indosat.com
address:PT Indosat
address:Jl. Medan Merdeka Barat 21
address:Jakarta Pusat
phone:  +62-21-30444066
fax-no: +62-21-30001073
country:ID
changed:hostmas...@indosat.com 20120104
mnt-by: MAINT-ID-INDOSAT-INP
source: APNIC


Bob Evans
CTO




 I called into +66 2104-2374


 James Laszko
 Mythos Technology Inc


 Sent from my iPad

 On Apr 2, 2014, at 1:08 PM, Bryan Tong cont...@nullivex.com wrote:

 Another 5 of ours just got hit.

 Anyone have any ideas on what will be done about it?


 On Wed, Apr 2, 2014 at 1:18 PM, Frank Bulk frnk...@iname.com wrote:

 bgpmon has tweeted that We're currently observing a large hijack
 event.
 Indosat AS4761 originating many prefixes not assigned to them.

 Let's hope that AS4651 can quickly apply filters.

 Frank

 -Original Message-
 From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
 Sent: Wednesday, April 02, 2014 2:03 PM
 To: Joseph Jenkins; nanog@nanog.org
 Subject: RE: BGPMON Alert Questions

 If you contact bgpmon support you may be able to get some more in-depth
 information.  I've contacted them before with alerts like those and
 they
 were able to give me specific date, time, ASN and interface information
 about the peering points that received the announcements; that might
 help make you present to the suspect party more likely to be acted
 upon.

 -Original Message-
 From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
 Sent: Wednesday, April 02, 2014 2:52 PM
 To: nanog@nanog.org
 Subject: BGPMON Alert Questions

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.
 Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure
 they are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761


 --
 eSited LLC
 (701) 390-9638






RE: BGPMON Alert Questions

2014-04-02 Thread Mike Walter
Three of ours just got jacked.  I have tried to contact via email for update / 
fix of their end.

-Mike

-Original Message-
From: Felix Aronsson [mailto:fe...@mrfriday.com] 
Sent: Wednesday, April 02, 2014 3:22 PM
To: Joseph Jenkins
Cc: nanog@nanog.org
Subject: Re: BGPMON Alert Questions

Seeing the same here for a /21. This seems to have happened before with
AS4761? See http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/ from
January 2011.


On Wed, Apr 2, 2014 at 8:51 PM, Joseph Jenkins
j...@breathe-underwater.com wrote:

 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.

 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?

 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?

 Here is the alert for reference:

 Your prefix:  8.37.93.0/24:

 Update time:  2014-04-02 18:26 (UTC)

 Detected by #peers:   2

 Detected prefix:  8.37.93.0/24

 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)

 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)

 ASpath:   18356 9931 4651 4761



Re: BGPMON Alert Questions

2014-04-02 Thread Zachary McGibbon
Same here:



Possible Prefix Hijack (Code: 10)

Your prefix:  132.206.0.0/16:
Prefix Description:   MCGILL-NET-132-206
Update time:  2014-04-02 20:11 (UTC)
Detected by #peers:   1
Detected prefix:  132.206.0.0/16
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 38794 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41664976
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41664976


Possible Prefix Hijack (Code: 10)

Your prefix:  142.157.128.0/18:
Prefix Description:   McGill
Update time:  2014-04-02 20:11 (UTC)
Detected by #peers:   1
Detected prefix:  142.157.128.0/18
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761
Alert details:
https://portal.bgpmon.net/alerts.php?detailsalert_id=41664977
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=41664977



On Wed, Apr 2, 2014 at 3:21 PM, Felix Aronsson fe...@mrfriday.com wrote:

 Seeing the same here for a /21. This seems to have happened before with
 AS4761? See
 http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/ from
 January 2011.


 On Wed, Apr 2, 2014 at 8:51 PM, Joseph Jenkins
 j...@breathe-underwater.com wrote:

  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 



Re: BGPMON Alert Questions

2014-04-02 Thread Jason Baugher
I emailed hostmas...@indosat.com a little over an hour ago, and no response
as yet. Anyone having luck making contact with Indosat themselves?


On Wed, Apr 2, 2014 at 2:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:

 Hi All,

 I am a network admin for Aware Corporation AS18356 (Thailand), as
 mentioned in the alert.
 We operate a BGPMon PeerMon node on our network, which peers with the
 BGPMon service as a collector.

 It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
 prefixes and CAT (Communications Authority of Thailand AS4651) is not
 filtering them,
 hence they are announced to us and are triggering these BGPMon alerts.

 I have had several mails to our NOC about this already and have responded
 directly to those.
 I suggest contacting Indosat directly to get this resolved.
 AS18356 is a stub AS, so we are not actually advertising these learned
 hijacked prefixes to anyone but BGPMon for data collection purposes.

 Thanks.

 Regards,

 Andrew Ashley

 Office: +27 21 673 6841
 E-mail: andre...@aware.co.th
 Web: www.aware.co.th



 On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:

 I just got the same alert for one of my prefixes one minute ago.
 
 On 4/2/2014 2:59 PM, Frank Bulk wrote:
  I received a similar notification about one of our prefixes also a few
  minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
 But I
  also couldn't hit the websites for either AS, either.
 
  Frank
 
  -Original Message-
  From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
  Sent: Wednesday, April 02, 2014 1:52 PM
  To: nanog@nanog.org
  Subject: BGPMON Alert Questions
 
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 
 
 
 
 --
 Vlad
 
 



Re: BGPMON Alert Questions

2014-04-02 Thread Aris Lambrianidis
Contacted ip@indosat.com about this, I urge others to do the same.

--Aris


On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:

 Hi All,

 I am a network admin for Aware Corporation AS18356 (Thailand), as
 mentioned in the alert.
 We operate a BGPMon PeerMon node on our network, which peers with the
 BGPMon service as a collector.

 It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
 prefixes and CAT (Communications Authority of Thailand AS4651) is not
 filtering them,
 hence they are announced to us and are triggering these BGPMon alerts.

 I have had several mails to our NOC about this already and have responded
 directly to those.
 I suggest contacting Indosat directly to get this resolved.
 AS18356 is a stub AS, so we are not actually advertising these learned
 hijacked prefixes to anyone but BGPMon for data collection purposes.

 Thanks.

 Regards,

 Andrew Ashley

 Office: +27 21 673 6841
 E-mail: andre...@aware.co.th
 Web: www.aware.co.th



 On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:

 I just got the same alert for one of my prefixes one minute ago.
 
 On 4/2/2014 2:59 PM, Frank Bulk wrote:
  I received a similar notification about one of our prefixes also a few
  minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
 But I
  also couldn't hit the websites for either AS, either.
 
  Frank
 
  -Original Message-
  From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
  Sent: Wednesday, April 02, 2014 1:52 PM
  To: nanog@nanog.org
  Subject: BGPMON Alert Questions
 
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 
 
 
 
 --
 Vlad
 
 



Re: BGPMON Alert Questions

2014-04-02 Thread Erik Bais
We are getting multiple alerts for a mix of our and customers' prefixes.

Could someone from HE tell if they started filtering yet ? 

Erik Bais 

Sent from my iPad

On 2 Apr 2014, at 21:21, Felix Aronsson fe...@mrfriday.com wrote:

 Seeing the same here for a /21. This seems to have happened before with
 AS4761? See http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/ from
 January 2011.
 
 
 On Wed, Apr 2, 2014 at 8:51 PM, Joseph Jenkins
 j...@breathe-underwater.com wrote:
 
 So I setup BGPMON for my prefixes and got an alert about someone in
 Thailand announcing my prefix.  Everything looks fine to me and I've
 checked a bunch of different Looking Glasses and everything announcing
 correctly.
 
 I am assuming I should be contacting the provider about their
 misconfiguration and announcing my prefixes and get them to fix it.  Any
 other recommendations?
 
 Is there a way I can verify what they are announcing just to make sure they
 are still doing it?
 
 Here is the alert for reference:
 
 Your prefix:  8.37.93.0/24:
 
 Update time:  2014-04-02 18:26 (UTC)
 
 Detected by #peers:   2
 
 Detected prefix:  8.37.93.0/24
 
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)
 
 ASpath:   18356 9931 4651 4761
 



Re: BGPMON Alert Questions

2014-04-02 Thread Seth Mattinen

On 4/2/14, 13:31, Bob Evans wrote:

where did you get that number ?



I think that was a number for CAT, AS4651.

~Seth



Re: BGPMON Alert Questions

2014-04-02 Thread Curtis Doty
On Wed, Apr 2, 2014 at 1:24 PM, Blake Dunlap iki...@gmail.com wrote:

 Is this malicious or did someone redistribute all of bgp with bad upstream
 filtering?



They perfectly re-advertized all mine. Looks like a huge mistake. And still
ongoing.

Although this was nice to see:


RPKI Validation Failed (Code: 9)

Your prefix:  199.47.80.0/21:
Prefix Description:   NET-199-47-80-0-1
Update time:  2014-04-02 20:29 (UTC)
Detected by #peers:   1
Detected prefix:  199.47.80.0/21
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
Thailand(CAT),TH)
ASpath:   18356 38794 4651 4761
RPKI Status:  ROA validation failed: Invalid Origin ASN, expected
46851

Albeit ineffective.

../C


Re: BGPMON Alert Questions

2014-04-02 Thread Andrew (Andy) Ashley
I got a bounce from Indosat saying:

Dear Senders,

Thank you for your email, started March,1st  2012 email address for
correspondence with Indosat IP Support  All Support INP will be change and
not active with detail information as follows :
1. Correspondence and complain handling for Indosat Corporate customers
(INP, IDIA and INIX services) please kindly address to :
corporatesolut...@indosat.com (Service Desk MIDI Indosat Corporate Solution)
2. Correspondence and coordination for upstream and peering purpose please
kindly address to :  snocips...@indosat.com (SNOC IP Surveillance)
Thank you for your kind cooperation and understanding.
Indosat IP Support



Perhaps the "SNOC IP Surveillance" address is better?





For CAT Thailand, the contact details I have are:



NOC call center
CAT Telecom
Tel: 66 2 104 2382
FAX: 66 2 104 2281
e-mail: cuss...@cattelecom.com

As someone mentioned, English may be an issue, especially at this time of
the morning over there.




Regards,



Andrew Ashley



Office: +27 21 673 6841

E-mail: andre...@aware.co.th

Web: www.aware.co.th




From:  Aris Lambrianidis effulge...@gmail.com
Date:  Wednesday 02 April 2014 at 22:40
To:  Andrew Ashley andre...@aware.co.th
Cc:  nanog@nanog.org nanog@nanog.org
Subject:  Re: BGPMON Alert Questions

Contacted ip@indosat.com about this, I urge others to do the same.

--Aris


On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley andre...@aware.co.th
wrote:
 Hi All,
 
 I am a network admin for Aware Corporation AS18356 (Thailand), as
 mentioned in the alert.
 We operate a BGPMon PeerMon node on our network, which peers with the
 BGPMon service as a collector.
 
 It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
 prefixes and CAT (Communications Authority of Thailand AS4651) is not
 filtering them,
 hence they are announced to us and are triggering these BGPMon alerts.
 
 I have had several mails to our NOC about this already and have responded
 directly to those.
 I suggest contacting Indosat directly to get this resolved.
 AS18356 is a stub AS, so we are not actually advertising these learned
 hijacked prefixes to anyone but BGPMon for data collection purposes.
 
 Thanks.
 
 Regards,
 
 Andrew Ashley
 
 Office: +27 21 673 6841
 E-mail: andre...@aware.co.th
 Web: www.aware.co.th
 
 
 
 On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:
 
 I just got the same alert for one of my prefixes one minute ago.
 
 On 4/2/2014 2:59 PM, Frank Bulk wrote:
  I received a similar notification about one of our prefixes also a few
  minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
 But I
  also couldn't hit the websites for either AS, either.
 
  Frank
 
  -Original Message-
  From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
  Sent: Wednesday, April 02, 2014 1:52 PM
  To: nanog@nanog.org
  Subject: BGPMON Alert Questions
 
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 
 
 
 
 --
 Vlad
 
 







Re: BGPMON Alert Questions

2014-04-02 Thread Bret Clark

They are advertising one of /22 right now as well,

Bret


On 04/02/2014 04:21 PM, Bryan Tong wrote:

They have advertised all of ours now.


On Wed, Apr 2, 2014 at 2:16 PM, Bob Evans b...@fiberinternetcenter.com wrote:


Yes, I too have alerts for some of our prefixes from the same offending
origin 4761

On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change
event for your prefix (66.201.48.0/20 slash 20 bottom of nor cal)
The detected prefix: 66.201.48.0/20, was announced by AS4761
(INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Alert description:   Origin AS Change
Detected Prefix: 66.201.48.0/20
Detected Origin AS:   4761
Expected Origin AS:   26803

Bob Evans
CTO





So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure
they
are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority

of

Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761










--
Spectra Access
25 Lowell Street
Manchester, NH 03042
603-296-0760
www.spectraaccess.net




Re: BGPMON Alert Questions

2014-04-02 Thread Luca Simonetti
Same here :

Your prefix:  178.212.137.0/24:
Prefix Description:   Engine Networks EU
Update time:  2014-04-02 20:54 (UTC)
Detected by #peers:   1
Detected prefix:  178.212.137.0/24
Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network 
Provider,ID)
Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of 
Thailand(CAT),TH)
ASpath:   18356 9931 4651 4761 

and many others

-- 
Luca Simonetti

Engine Networks

http://www.enginenetworks.net
http://www.facebook.com/enginenetworks
http://twitter.com/enginenetworks

Datacenter GENEVA 1: Rue de la Confédération, 6 1204 Geneve - CH
Datacenter ZURICH 1: Josefstrasse, 225 - 8005 Zürich - CH
Datacenter MILAN 1: Via Caldera, 21 - 20100 Milan - IT
Datacenter TURIN 1: C.so Svizzera, 185 - 10149 Turin - IT



Re: BGPMON Alert Questions

2014-04-02 Thread Mark Keymer

So,

Just tried e-mailing to that address.

*Delivery has failed to these recipients or groups:*

indriana.triyunianingt...@indosat.com
The recipient's mailbox is full and can't accept messages now. Please 
try resending this message later, or contact the recipient directly.


Sincerely,

Mark Keymer
CFO/COO
Vivio Technologies

On 4/2/2014 1:40 PM, Aris Lambrianidis wrote:

Contacted ip@indosat.com about this, I urge others to do the same.

--Aris


On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:


Hi All,

I am a network admin for Aware Corporation AS18356 (Thailand), as
mentioned in the alert.
We operate a BGPMon PeerMon node on our network, which peers with the
BGPMon service as a collector.

It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
prefixes and CAT (Communications Authority of Thailand AS4651) is not
filtering them,
hence they are announced to us and are triggering these BGPMon alerts.

I have had several mails to our NOC about this already and have responded
directly to those.
I suggest contacting Indosat directly to get this resolved.
AS18356 is a stub AS, so we are not actually advertising these learned
hijacked prefixes to anyone but BGPMon for data collection purposes.

Thanks.

Regards,

Andrew Ashley

Office: +27 21 673 6841
E-mail: andre...@aware.co.th
Web: www.aware.co.th



On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:


I just got the same alert for one of my prefixes one minute ago.

On 4/2/2014 2:59 PM, Frank Bulk wrote:

I received a similar notification about one of our prefixes also a few
minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
But I
also couldn't hit the websites for either AS, either.

Frank

-Original Message-
From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
Sent: Wednesday, April 02, 2014 1:52 PM
To: nanog@nanog.org
Subject: BGPMON Alert Questions

So I setup BGPMON for my prefixes and got an alert about someone in
Thailand announcing my prefix.  Everything looks fine to me and I've
checked a bunch of different Looking Glasses and everything announcing
correctly.

I am assuming I should be contacting the provider about their
misconfiguration and announcing my prefixes and get them to fix it.  Any
other recommendations?

Is there a way I can verify what they are announcing just to make sure
they
are still doing it?

Here is the alert for reference:

Your prefix:  8.37.93.0/24:

Update time:  2014-04-02 18:26 (UTC)

Detected by #peers:   2

Detected prefix:  8.37.93.0/24

Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
Provider,ID)

Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
of
Thailand(CAT),TH)

ASpath:   18356 9931 4651 4761




--
Vlad






Re: BGPMON Alert Questions

2014-04-02 Thread Joseph Jenkins
Tried the recipients mailbox is full, but it looks like all of the bgpmon
alerts have cleared.


On Wed, Apr 2, 2014 at 1:40 PM, Aris Lambrianidis effulge...@gmail.com wrote:

 Contacted ip@indosat.com about this, I urge others to do the same.

 --Aris


 On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
 andre...@aware.co.th wrote:

  Hi All,
 
  I am a network admin for Aware Corporation AS18356 (Thailand), as
  mentioned in the alert.
  We operate a BGPMon PeerMon node on our network, which peers with the
  BGPMon service as a collector.
 
  It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
  prefixes and CAT (Communications Authority of Thailand AS4651) is not
  filtering them,
  hence they are announced to us and are triggering these BGPMon alerts.
 
  I have had several mails to our NOC about this already and have responded
  directly to those.
  I suggest contacting Indosat directly to get this resolved.
  AS18356 is a stub AS, so we are not actually advertising these learned
  hijacked prefixes to anyone but BGPMon for data collection purposes.
 
  Thanks.
 
  Regards,
 
  Andrew Ashley
 
  Office: +27 21 673 6841
  E-mail: andre...@aware.co.th
  Web: www.aware.co.th
 
 
 
  On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:
 
  I just got the same alert for one of my prefixes one minute ago.
  
  On 4/2/2014 2:59 PM, Frank Bulk wrote:
   I received a similar notification about one of our prefixes also a few
   minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
  But I
   also couldn't hit the websites for either AS, either.
  
   Frank
  
   -Original Message-
   From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
   Sent: Wednesday, April 02, 2014 1:52 PM
   To: nanog@nanog.org
   Subject: BGPMON Alert Questions
  
   So I setup BGPMON for my prefixes and got an alert about someone in
   Thailand announcing my prefix.  Everything looks fine to me and I've
   checked a bunch of different Looking Glasses and everything announcing
   correctly.
  
   I am assuming I should be contacting the provider about their
   misconfiguration and announcing my prefixes and get them to fix it.
  Any
   other recommendations?
  
   Is there a way I can verify what they are announcing just to make sure
  they
   are still doing it?
  
   Here is the alert for reference:
  
   Your prefix:  8.37.93.0/24:
  
   Update time:  2014-04-02 18:26 (UTC)
  
   Detected by #peers:   2
  
   Detected prefix:  8.37.93.0/24
  
   Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
   Provider,ID)
  
   Upstream AS:  AS4651 (THAI-GATEWAY The Communications
 Authority
  of
   Thailand(CAT),TH)
  
   ASpath:   18356 9931 4651 4761
  
  
  
  
  --
  Vlad
  
  
 



Re: BGPMON Alert Questions

2014-04-02 Thread Eric Dugas
Thanks, also emailed support@ noc@. Didn't receive any bounce emails..

e...@zerofail.com
AS40191

On Apr 2, 2014 5:06 PM, Aris Lambrianidis effulge...@gmail.com wrote:
Contacted ip@indosat.com about this, I urge others to do the same.

--Aris


On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:

 Hi All,

 I am a network admin for Aware Corporation AS18356 (Thailand), as
 mentioned in the alert.
 We operate a BGPMon PeerMon node on our network, which peers with the
 BGPMon service as a collector.

 It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
 prefixes and CAT (Communications Authority of Thailand AS4651) is not
 filtering them,
 hence they are announced to us and are triggering these BGPMon alerts.

 I have had several mails to our NOC about this already and have responded
 directly to those.
 I suggest contacting Indosat directly to get this resolved.
 AS18356 is a stub AS, so we are not actually advertising these learned
 hijacked prefixes to anyone but BGPMon for data collection purposes.

 Thanks.

 Regards,

 Andrew Ashley

 Office: +27 21 673 6841
 E-mail: andre...@aware.co.th
 Web: www.aware.co.th



 On 2014/04/02, 21:05, Vlade Ristevski vrist...@ramapo.edu wrote:

 I just got the same alert for one of my prefixes one minute ago.
 
 On 4/2/2014 2:59 PM, Frank Bulk wrote:
  I received a similar notification about one of our prefixes also a few
  minutes ago.  I couldn't find a looking glass for AS4761 or AS4651.
 But I
  also couldn't hit the websites for either AS, either.
 
  Frank
 
  -Original Message-
  From: Joseph Jenkins [mailto:j...@breathe-underwater.com]
  Sent: Wednesday, April 02, 2014 1:52 PM
  To: nanog@nanog.org
  Subject: BGPMON Alert Questions
 
  So I setup BGPMON for my prefixes and got an alert about someone in
  Thailand announcing my prefix.  Everything looks fine to me and I've
  checked a bunch of different Looking Glasses and everything announcing
  correctly.
 
  I am assuming I should be contacting the provider about their
  misconfiguration and announcing my prefixes and get them to fix it.  Any
  other recommendations?
 
  Is there a way I can verify what they are announcing just to make sure
 they
  are still doing it?
 
  Here is the alert for reference:
 
  Your prefix:  8.37.93.0/24:
 
  Update time:  2014-04-02 18:26 (UTC)
 
  Detected by #peers:   2
 
  Detected prefix:  8.37.93.0/24
 
  Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
  Provider,ID)
 
  Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority
 of
  Thailand(CAT),TH)
 
  ASpath:   18356 9931 4651 4761
 
 
 
 
 --
 Vlad
 
 



Re: BGPMON Alert Questions

2014-04-02 Thread Bryan Tong
Got this response from HE

We are not in the as-path of the routes listed below.  It seems we accepted
some of them from a route server.  I'm not seeing them in the table at this
time.

--
Rob Mosher
Senior Network and Software Engineer
Hurricane Electric / AS6939


On Wed, Apr 2, 2014 at 2:51 PM, Seth Mattinen se...@rollernet.us wrote:

 On 4/2/14, 13:31, Bob Evans wrote:

 where did you get that number ?



 I think that was a number for CAT, AS4651.

 ~Seth




-- 
eSited LLC
(701) 390-9638


Re: BGPMON Alert Questions

2014-04-02 Thread Laszlo Hanyecz
They're just leaking every route right?
Is it possible to poison the AS paths you announce with their own AS to get 
them to let go of your prefixes until it's fixed?
Would that work, or some other trick that can be done without their cooperation?

Thanks,
Laszlo




Re: BGPMON Alert Questions

2014-04-02 Thread Peter Tavenier
Same here. AS path is 18356 38794 4651 4761. 
Did anybody have any contact with AS 4761?

Regards,
Peter

 On 2 Apr 2014, at 22:57, Curtis Doty cur...@greenkey.net wrote:
 
 On Wed, Apr 2, 2014 at 1:24 PM, Blake Dunlap iki...@gmail.com wrote:
 
 Is this malicious or did someone redistribute all of bgp with bad upstream
 filtering?
 
 
 They perfectly re-advertized all mine. Looks like a huge mistake. And still
 ongoing.
 
 Although this was nice to see:
 
 
 RPKI Validation Failed (Code: 9)
 
 Your prefix:  199.47.80.0/21:
 Prefix Description:   NET-199-47-80-0-1
 Update time:  2014-04-02 20:29 (UTC)
 Detected by #peers:   1
 Detected prefix:  199.47.80.0/21
 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network
 Provider,ID)
 Upstream AS:  AS4651 (THAI-GATEWAY The Communications Authority of
 Thailand(CAT),TH)
 ASpath:   18356 38794 4651 4761
 RPKI Status:  ROA validation failed: Invalid Origin ASN, expected
 46851
 
 Albeit ineffective.
 
 ../C


Re: BGPMON Alert Questions

2014-04-02 Thread Adrian Minta

Already too late :(

*Delivery has failed to these recipients or groups:*

indriana.triyunianingt...@indosat.com
The recipient's mailbox is full and can't accept messages now. Please 
try resending this message later, or contact the recipient directly.





On 02.04.2014 23:40, Aris Lambrianidis wrote:

Contacted ip@indosat.com about this, I urge others to do the same.

--Aris


On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
andre...@aware.co.th wrote:


Hi All,

I am a network admin for Aware Corporation AS18356 (Thailand), as
mentioned in the alert.
We operate a BGPMon PeerMon node on our network, which peers with the
BGPMon service as a collector.

It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
prefixes and CAT (Communications Authority of Thailand AS4651) is not
filtering them,
hence they are announced to us and are triggering these BGPMon alerts.

I have had several mails to our NOC about this already and have responded
directly to those.
I suggest contacting Indosat directly to get this resolved.
AS18356 is a stub AS, so we are not actually advertising these learned
hijacked prefixes to anyone but BGPMon for data collection purposes.





--
Best regards,
Adrian Minta




Re: Cogent - AT&T issue?

2014-04-02 Thread Andrew Fried
My connectivity between Fios and Cogent in Washington DC has been mostly
down for the past hour.

Andrew


Andrew Fried
andrew.fr...@gmail.com

On 4/2/14, 3:03 PM, Eric wrote:
 Anyone know if there is a connectivity issue between Cogent and AT&T in the 
 northeast?  We're seeing random timeouts to some systems we have in an AT&T 
 data center but only from sources on Cogent's network.
 
 Thanks... 
 
 - Eric :)
 



Re: BGPMON Alert Questions

2014-04-02 Thread Justin M. Streiner

On Wed, 2 Apr 2014, Laszlo Hanyecz wrote:


They're just leaking every route right?
Is it possible to poison the AS paths you announce with their own AS to get 
them to let go of your prefixes until it's fixed?
Would that work, or some other trick that can be done without their cooperation?


Keep in mind that the more AS hops there are between you and Indosat, the 
less effective that any hackery you do in your own BGP table will be.


Two things need to happen:
1. Indosat needs to clean their mess up.
2. Indosat's upstreams need to apply some BGP clue to Indosat's 
announcements.


It's pretty clear that both parties have dropped the ball in a big way, 
in terms of sane BGP filtering practices.


jms



Re: BGPMON Alert Questions

2014-04-02 Thread Justin M. Streiner

On Thu, 3 Apr 2014, Adrian Minta wrote:


Already too late :(

*Delivery has failed to these recipients or groups:*

indriana.triyunianingt...@indosat.com
The recipient's mailbox is full and can't accept messages now. Please try 
resending this message later, or contact the recipient directly.


As long as that's not the only person behind the ip@indosat.com 
mail alias, all hope is not lost.  Still, I imagine their NOC is getting 
crushed with reports right now.


jms


On 02.04.2014 23:40, Aris Lambrianidis wrote:

 Contacted ip@indosat.com about this, I urge others to do the same.

 --Aris


 On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley
 andre...@aware.co.th wrote:

  Hi All,
 
  I am a network admin for Aware Corporation AS18356 (Thailand), as

  mentioned in the alert.
  We operate a BGPMon PeerMon node on our network, which peers with the
  BGPMon service as a collector.
 
  It is likely that AS4761 (INDOSAT) has somehow managed to hijack these

  prefixes and CAT (Communications Authority of Thailand AS4651) is not
  filtering them,
  hence they are announced to us and are triggering these BGPMon alerts.
 
  I have had several mails to our NOC about this already and have 
  responded

  directly to those.
  I suggest contacting Indosat directly to get this resolved.
  AS18356 is a stub AS, so we are not actually advertising these learned
  hijacked prefixes to anyone but BGPMon for data collection purposes.
 
 



--
Best regards,
Adrian Minta







Re: BGPMON Alert Questions

2014-04-02 Thread joel jaeggli
On 4/2/14, 11:59 AM, Justin M. Streiner wrote:

 Two things need to happen:
 1. Indosat needs to clean their mess up.
 2. Indosat's upstreams need to apply some BGP clue to Indosat's
 announcements.
 
 It's pretty clear that both parties have dropped the ball in a big way,
 in terms of sane BGP filtering practices.

actually that's not at all clear.

https://twitter.com/renesys/status/451456391656796161

it looked like the filtering worked rather well. certainly as a customer
of many of 4761s transit providers I did not see any of them pick up
this advertisement in asia.

the impact was limited even when it began, and it should be largely over.

One of the things it says is that this sort of announcement is highly
visible to the monitoring infrastructure, which is rather good to know.

 jms
 






Re: BGPMON Alert Questions

2014-04-02 Thread Andree Toonk
Quick update from BGPmon:
We've detected 415,652 prefixes being hijacked by Indosat today. 8,233
of those were seen by more than 10 of our BGP collectors.

When receiving a BGPmon alert, one of the metrics to look at that will
help with determining the scope and impact is the 'Detected by #peers'
value.
Many of the alerts were only seen by one or two peers in Thailand. This
indicates that communications for those prefixes would likely have been
affected for some in Thailand.

8,233 of the hijacked prefixes were seen by more than 10 of our peers.
For those the impact would have been more severe.

Since we're on Nanog, here's a list of US based networks affected by
Indosat hijack that were seen by more than 10 unique ASns:
http://portal.bgpmon.net/data/indosat-us.txt it includes apple, telia,
ntt, level3, comcast, cableone, akamai, Joyent

Same for Canadian prefixes (keep in mind there were more hijacked
prefixes, this is just the list for which the hijack was seen by more
than 10 of our peers)
http://portal.bgpmon.net/data/indosat-ca.txt


Cheers,
 Andree


.-- My secret spy satellite informs me that at 2014-04-02 2:20 PM
Laszlo Hanyecz wrote:
 They're just leaking every route right?
 Is it possible to poison the AS paths you announce with their own AS to get 
 them to let go of your prefixes until it's fixed?
 Would that work, or some other trick that can be done without their 
 cooperation?
 
 Thanks,
 Laszlo
 
 



Re: BGPMON Alert Questions

2014-04-02 Thread Randy Bush
note joels careful use of 'injected'.  imiho, 'hijacked' is pejorative
implying evil intent.  i very much doubt that is the case here.  it
looks much more like an accident.  could we try to be less accusatory
with our language.  'injected', 'mis-originated', ... would seem to
describe the situation.

and, btw, how many of those whose prefixes were mis-originated had
registered those prefixes in the rpki?

randy



Re: BGPMON Alert Questions

2014-04-02 Thread Valdis . Kletnieks
On Wed, 02 Apr 2014 16:16:23 -0700, Andree Toonk said:
 Quick update from BGPmon:
 We've detected 415,652 prefixes being hijacked by Indosat today.

Those who do not understand AS7007 are doomed to repeat it?






Re: BGPMON Alert Questions

2014-04-02 Thread Barry Greene

Agreed - focus on the fix. Then take a deep breath and figure out what happened.

BTW - Indosat is down hard. Cannot call into their network (cell phone). I've 
got my team reaching in to their buddies to help.


On Apr 3, 2014, at 7:22 AM, Randy Bush ra...@psg.com wrote:

 note joels careful use of 'injected'.  imiho, 'hijacked' is pejorative
 implying evil intent.  i very much doubt that is the case here.  it
 looks much more like an accident.  could we try to be less accusatory
 with our language.  'injected', 'mis-originated', ... would seem to
 describe the situation.
 
 and, btw, how many of those whose prefixes were mis-originated had
 registered those prefixes in the rpki?
 
 randy
 





Re: BGPMON Alert Questions

2014-04-02 Thread Barry Greene
Hi Team,

Confirmation from my team talking directly to Indosat - self-inflicted with a 
bad update during a maintenance window. Nothing malicious or intentional. 

Barry






Re: BGPMON Alert Questions

2014-04-02 Thread Randy Bush
  We've detected 415,652 prefixes being hijacked by Indosat today.
 Those who do not understand AS7007 are doomed to repeat it?

i very much doubt this is a 7007, where bgp was redistributed into rip,
which sliced it into a jillion /24s, and then redistributed from rip
back into bgp.

of course the lack of filtering or origin validation is an endemic
disease.

randy
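
The origin validation raised in the message above, sketched as an added example that is not part of the original thread: an RFC 6811 style check classifying each announcement as valid, invalid or not-found against a set of ROAs. The ROAs and announcements are constructed from documentation prefixes and ASNs; AS4761 stands in as the mis-originating AS from the thread.

```python
import ipaddress
from collections import Counter

# Constructed ROAs: (prefix, maxLength, authorized origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64498),
]

# Constructed announcements as (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # registered origin
    ("192.0.2.0/24", 4761),      # same prefix, mis-originated
    ("198.51.100.0/25", 64497),  # right origin, longer than maxLength
    ("2001:db8:1::/48", 64498),  # more specific, within maxLength
    ("203.0.113.0/24", 4761),    # prefix never registered in the RPKI
]

def validate(prefix, origin, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route lies inside the ROA prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # AS 0 in a ROA never matches any origin.
        if roa_asn == origin and roa_asn != 0 and net.prefixlen <= max_len:
            return "valid"
    # Covered but unmatched is invalid; uncovered routes cannot be judged.
    return "invalid" if covered else "not-found"

def summarize(announcements=ANNOUNCEMENTS):
    """Count validation states across a batch of announcements."""
    return Counter(validate(p, o) for p, o in announcements)

if __name__ == "__main__":
    for p, o in ANNOUNCEMENTS:
        print(f"{p:20} AS{o:<6} {validate(p, o)}")
    print(dict(summarize()))
```

The not-found case is the one the question about registration turns on: a mis-originated prefix with no covering ROA cannot be rejected by origin validation.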



Re: BGPMON Alert Questions

2014-04-02 Thread Jeff Kell
So we're somewhat safe until the fast food burger grills and fries
cookers advance to level-3 routing?  Or Daiquiri blenders get their own
ASNs? 

Bad enough that professional folks can goof to this extent, but
scarier still that the Internet of Everything seems to progress
without bounds...

Jeff

On 4/2/2014 11:43 PM, Randy Bush wrote:
 We've detected 415,652 prefixes being hijacked by Indosat today.
 Those who do not understand AS7007 are doomed to repeat it?
 i very much doubt this is a 7007, where bgp was redistributed into rip,
 which sliced it into a jillion /24s, and then redistributed from rip
 back into bgp.

 of course the lack of filtering or origin validation is an endemic
 disease.

 randy