+1

The summary below aligns with our analysis as well. 

We've reached out to AS18978 to determine the status of the leak but at this 
time we're not seeing any operational impact.

-----Original Message-----
From: Andree Toonk [mailto:andree+na...@toonk.nl] 
Sent: March-26-15 11:54 AM
To: Peter Rocca
Cc: nanog@nanog.org
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761

Hi List,

This morning our BGPmon system picked up many new more-specific announcements 
by a variety of origin ASNs. The interesting part is that the majority of them 
were classified as BGP Man In The Middle attacks (MITM).

A typical alert would look like:

====================================================================
Possible BGP MITM attack (Code: 21)
====================================================================
Your prefix:          23.20.0.0/15:
Prefix Description:   acxiom-online.com --- Amazon EC2 IAD prefix
Update time:          2015-03-26 11:27 (UTC)
Detected by #peers:   24
Detected prefix:      23.21.112.0/20
Announced by:         AS14618 (AMAZON-AES - Amazon.com, Inc.,US)
Upstream AS:          AS3257 (TINET-BACKBONE Tinet SpA,DE)
ASpath:               4608 24130 7545 6939 40633 18978 3257 14618

All alerts have the following part of the AS path in common:
40633 1897

We're still looking into the details of these particular cases, but based on 
past experience it's likely that it is not in fact 14618 (AWS) that originated 
this more specific (in this example), but most likely
18978 (or 40633), which leaked it to AS40633, the Los Angeles Internet exchange, 
where others picked it up and propagated it to their customers.

In the past we've seen similar issues caused by BGP traffic optimizers.
These devices introduce new more specifics (and try to keep the AS path
intact) for traffic engineering purposes, and then folks leak those. A good write 
up of a previous example can be found here:
http://www.bgpmon.net/accidentally-stealing-the-internet/

A quick scan shows that this affected over 5000 prefixes and about 145 
autonomous systems. All of these appear to be more-specific prefixes (which is 
the scary part).

Cheers,
 Andree

PS. It appears this is not related to INDOSAT, they just happen to be one of 
the peers that picked this up.


.-- My secret spy satellite informs me that at 2015-03-26 7:43 AM  Peter Rocca 
wrote:
> We just received a similar alert from bgpmon - part of 108.168.0.0/17 is 
> being advertised as /20's - although we're still listed as the origin. We are 
> 40788.
> 
> 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> 
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy
> Sent: March-26-15 10:08 AM
> To: nanog@nanog.org
> Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> 
> On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing 
> more specifics on one of our prefixes.   Anyone else seeing similar or 
> is it just us?
> 
> 198.98.180.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> 198.98.182.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> 

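The detection Andree describes (alert on a more specific of your own prefix, then look for the AS-path segment every alert shares to locate the likely leaker) can be reproduced in a few lines. The script below is an added illustration written for this thread, not BGPmon code and not something any poster ran. It reuses the three AS paths quoted above as constructed sample updates, adds one benign announcement and one origin-changed announcement for contrast, and assumes a covering prefix of 198.98.180.0/22 for Randy's /23s, which the thread does not state.

```python
import ipaddress
from dataclasses import dataclass

# Prefixes we originate and the origin AS we expect for each.
# Taken from the thread, except 198.98.180.0/22 which is an ASSUMED covering
# prefix for the /23s Randy reported (the thread does not name it).
OWN_PREFIXES = {
    "23.20.0.0/15": 14618,
    "108.168.0.0/17": 40788,
    "198.98.180.0/22": 29889,
}

# Constructed sample input in "prefix  as_path" form (left = our peer, right =
# origin). First three lines reuse paths quoted in the thread; the fourth is a
# benign announcement of a covering prefix; the fifth is a made-up
# origin-changed more specific (AS64512 is a private ASN) for contrast.
SAMPLE_UPDATES = """\
23.21.112.0/20   4608 24130 7545 6939 40633 18978 3257 14618
108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
198.98.180.0/23  4795 4795 4761 9304 40633 18978 4436 29889
108.168.0.0/17   4795 4761 6939 40788
23.21.112.0/20   4608 24130 7545 6939 40633 18978 3257 64512
"""


@dataclass
class Alert:
    prefix: ipaddress.IPv4Network
    covering: ipaddress.IPv4Network
    origin: int
    kind: str          # "more_specific_origin_preserved" or "origin_hijack"
    path: list


def parse_update(line):
    """Split 'prefix  as as as' into (network, [asn, ...])."""
    prefix, *path = line.split()
    return ipaddress.ip_network(prefix, strict=True), [int(a) for a in path]


def classify(prefix, path, own=OWN_PREFIXES):
    """Return an Alert if the update touches our space suspiciously, else None."""
    origin = path[-1]
    for own_prefix, expected_origin in own.items():
        covering = ipaddress.ip_network(own_prefix)
        if prefix.version != covering.version or not prefix.subnet_of(covering):
            continue
        if origin != expected_origin:
            return Alert(prefix, covering, origin, "origin_hijack", path)
        if prefix.prefixlen > covering.prefixlen:
            # Origin still looks like us, but somebody injected a more specific:
            # the pattern BGPmon labels a possible MITM (code 21) in the thread.
            return Alert(prefix, covering, origin,
                         "more_specific_origin_preserved", path)
        return None  # exact announcement of our own prefix by our own ASN
    return None


def _contains(path, seg):
    n = len(seg)
    return any(path[k:k + n] == seg for k in range(len(path) - n + 1))


def longest_common_segment(paths):
    """Longest contiguous ASN sequence present in every path (order kept)."""
    if not paths:
        return []
    base, best = paths[0], []
    for i in range(len(base)):
        for j in range(i + 1, len(base) + 1):
            seg = base[i:j]
            if len(seg) > len(best) and all(_contains(p, seg) for p in paths[1:]):
                best = seg
    return best


def analyze(text=SAMPLE_UPDATES, own=OWN_PREFIXES):
    """Return (alerts, shared_segment, likely_leaker).

    likely_leaker is the shared-segment AS nearest the origin side: the same
    heuristic Andree applies when he points at 18978 rather than 40633.
    """
    alerts = [a for a in (classify(*parse_update(l), own)
                          for l in text.splitlines() if l.strip()) if a]
    segment = longest_common_segment([a.path for a in alerts])
    return alerts, segment, (segment[-1] if segment else None)


if __name__ == "__main__":
    alerts, segment, leaker = analyze()
    for a in alerts:
        print(f"{a.kind:31} {a.prefix!s:17} inside {a.covering!s:16} origin AS{a.origin}")
    print("shared AS-path segment:", " ".join(map(str, segment)))
    print("likely leaker: AS", leaker)
```

Feed it the full feed from your collector instead of `SAMPLE_UPDATES` and the shared segment is what you hand to the leaking AS when you contact them, as Peter did with AS18978; an alert whose origin is not yours is a classic origin hijack and is reported separately from the path-preserving more specifics this thread is about.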