Yes, see this thread: 
https://puck.nether.net/pipermail/outages/2015-March/007687.html

Frank

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Debottym Mukherjee
Sent: Friday, March 27, 2015 10:14 AM
To: nanog@nanog.org
Subject: Level 3 Outage

Did anyone else experience a Level 3 outage in the last couple of days?
Seems like we've been affected with quite a few VPNV4 outages (one that
lasted for up to 9 hrs) and didn't get resolved until they rebuilt their
vpnv4 address family on their PE router(s)?

On Thu, Mar 26, 2015 at 8:00 AM, <nanog-requ...@nanog.org> wrote:

> Today's Topics:
>
>    1. godaddy contact (Tim)
>    2. Frontier: Blocking port 22 because of illegal files?
>       (Aaron C. de Bruyn)
>    3. Re: Frontier: Blocking port 22 because of illegal files?
>       (Eygene Ryabinkin)
>    4. Re: Frontier: Blocking port 22 because of illegal files?
>       (Jon Lewis)
>    5. Re: Frontier: Blocking port 22 because of illegal files?
>       (Stephen Satchell)
>    6. Re: Frontier: Blocking port 22 because of illegal files?
>       (Seth Mos)
>    7. booster to gain distance above 60km (Rodrigo Augusto)
>    8. Re: Frontier: Blocking port 22 because of illegal files?
>       (Jens Link)
>    9. Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
>   10. Re: Frontier: Blocking port 22 because of illegal files?
>       (Livingood, Jason)
>   11. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
>   12. Re: Frontier: Blocking port 22 because of illegal files?
>       (Jeff Richmond)
>   13. Re: Frontier: Blocking port 22 because of illegal files?
>       (Daniel Corbe)
>   14. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
>   15. RE: Prefix hijack by INDOSAT AS4795 / AS4761 (Peter Rocca)
>   16. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
>   17. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christopher Morrow)
>   18. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Randy)
>   19. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Pierre Emeriaud)
>   20. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Paul S.)
>   21. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Chuck Anderson)
>   22. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Christian Teuschel)
>   23. Re: Prefix hijack by INDOSAT AS4795 / AS4761 (Andree Toonk)
>   24. RE: Prefix hijack by INDOSAT AS4795 / AS4761 (Peter Rocca)
>   25. Charter Engineer (Shawn L)
>   26. RE: More specifics from AS18978 [was: Prefix hijack by
>       INDOSAT AS4795 / AS4761] (Randy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 25 Mar 2015 16:41:50 -0600
> From: Tim <tim...@progressivemarketingnetwork.com>
> To: nanog@nanog.org
> Subject: godaddy contact
> Message-ID: <551339ae.8010...@progressivemarketingnetwork.com>
> Content-Type: text/plain; charset=utf-8
>
> Anyone from godaddy on here or have contact details for them? We are
> having a routing issue to them.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 25 Mar 2015 19:31:35 -0700
> From: "Aaron C. de Bruyn" <aa...@heyaaron.com>
> To: NANOG mailing list <nanog@nanog.org>
> Subject: Frontier: Blocking port 22 because of illegal files?
> Message-ID:
>         <CAEE+rGqimJYAfgmzm9AJ72+gcmJxfZLM7n4Rf03vynxKN=
> q...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> I've had a handful of clients contact me over the last week with
> trouble using SCP (usually WinSCP) to manage their website content on
> my servers.  Either they get timeout messages from WinSCP or a message
> saying they should switch to SFTP.
>
> After getting a few helpful users on the phone to run some quick
> tests, we found port 22 was blocked.
>
> When my customers contacted Frontier, they were told that port 22 was
> blocked because it is used to transfer illegal files.
>
> I called them, and got the same ridiculous excuse.
>
> Just a friendly heads-up to anyone from Frontier who might be
> listening, I have a few additional ports you may wish to block:
>
> 80 - Allows users to use Google to search for illegal files
> 443 - Allows users to use Google to search for illegal files in a secure
> manner
> 69 - Allows users to trivially transfer illegal files
> 3389 - Allows users to connect to unlicensed Windows machines
> 179 - Allows users to exchange routes to illegal file shares
> 53 - Allows people to look up illegal names
>
> -A
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 26 Mar 2015 07:21:45 +0300
> From: Eygene Ryabinkin <rea+na...@grid.kiae.ru>
> To: "Aaron C. de Bruyn" <aa...@heyaaron.com>
> Cc: NANOG mailing list <nanog@nanog.org>
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <nwCOvNPJTWOEp6pB7jt97dzYZ/0@xD7c2HZfPDzIruDUr3Qm9QhN1kk>
> Content-Type: text/plain; charset=us-ascii
>
> Wed, Mar 25, 2015 at 07:31:35PM -0700, Aaron C. de Bruyn wrote:
> > Just a friendly heads-up to anyone from Frontier who might be
> > listening, I have a few additional ports you may wish to block:
> >
> > 80 - Allows users to use Google to search for illegal files
> > 443 - Allows users to use Google to search for illegal files in a secure
> > manner
> > 69 - Allows users to trivially transfer illegal files
> > 3389 - Allows users to connect to unlicensed Windows machines
> > 179 - Allows users to exchange routes to illegal file shares
> > 53 - Allows people to look up illegal names
>
> Can't help to add that there are
>
>  - port 21 that allow users to give commands to examine
>    the existence and initiate transfers of illegal files;
>
>  - ports 1025 - 65535 that allow users to create data streams
>    to actually transfer illegal files in an (oh my) passive mode.
>
> ;)
> --
> Eygene Ryabinkin, National Research Centre "Kurchatov Institute"
>
> Always code as if the guy who ends up maintaining your code will be
> a violent psychopath who knows where you live.
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 26 Mar 2015 00:56:21 -0400 (EDT)
> From: Jon Lewis <jle...@lewis.org>
> To: "Aaron C. de Bruyn" <aa...@heyaaron.com>
> Cc: NANOG mailing list <nanog@nanog.org>
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <pine.lnx.4.61.1503260052100.10...@soloth.lewis.org>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> On Wed, 25 Mar 2015, Aaron C. de Bruyn wrote:
>
> > I've had a handful of clients contact me over the last week with
> > trouble using SCP (usually WinSCP) to manage their website content on
> > my servers.  Either they get timeout messages from WinSCP or a message
> > saying they should switch to SFTP.
> >
> > After getting a few helpful users on the phone to run some quick
> > tests, we found port 22 was blocked.
> >
> > When my customers contacted Frontier, they were told that port 22 was
> > blocked because it is used to transfer illegal files.
> >
> > I called them, and got the same ridiculous excuse.
> >
> > Just a friendly heads-up to anyone from Frontier who might be
> > listening, I have a few additional ports you may wish to block:
>
> I wonder if their support is just confused, and Frontier is really
> blocking outbound tcp/22 to stop complaints generated by infected
> customers with sshd scanners.  After all, most of their customers probably
> don't know what SSH is.
>
> ----------------------------------------------------------------------
>   Jon Lewis, MCP :)           |  I route
>                               |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 26 Mar 2015 04:24:38 -0700
> From: Stephen Satchell <l...@satchell.net>
> To: nanog@nanog.org
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <5513ec76.5060...@satchell.net>
> Content-Type: text/plain; charset=UTF-8
>
> On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
> > After getting a few helpful users on the phone to run some quick
> > tests, we found port 22 was blocked.
>
> It's been a while since I did this, but you can select an additional
> port to accept SSH connections.  A Google search indicates you can
> specify multiple ports in OpenSSH.  Picking the right port to use is an
> exercise, though, that will depend on what other services you are
> running on your server.
>
> People with sane ISPs can use the standard port.  People on Frontier can
> use the alternate port, which shouldn't be firewalled by the provider.
> If Frontier is running a mostly-closed firewall configuration, then you
> have to be damn careful about the port you select.
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 26 Mar 2015 12:56:31 +0100
> From: Seth Mos <seth....@dds.nl>
> To: nanog@nanog.org
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <5513f3ef.2080...@dds.nl>
> Content-Type: text/plain; charset=utf-8
>
> Stephen Satchell wrote on 26-3-2015 at 12:24:
> > On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
> >> After getting a few helpful users on the phone to run some quick
> >> tests, we found port 22 was blocked.
> >
> > It's been a while since I did this, but you can select an additional
> > port to accept SSH connections.  A Google search indicates you can
> > specify multiple ports in OpenSSH.  Picking the right port to use is an
> > exercise, though, that will depend on what other services you are
> > running on your server.
> >
> > People with sane ISPs can use the standard port.  People on Frontier can
> > use the alternate port, which shouldn't be firewalled by the provider.
> > If Frontier is running a mostly-closed firewall configuration, then you
> > have to be damn careful about the port you select.
>
> Ahem, just to clarify, he is not talking about inbound on the Frontier
> connection, but outbound *from* the Frontier network.
>
> Akin to the "Let's block outbound port 25 (smtp)".
>
> This is just a really really bad idea m'kay.
>
> Cheers
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 26 Mar 2015 09:07:39 -0300
> From: Rodrigo Augusto <rodr...@1telecom.com.br>
> To: nanog <nanog@nanog.org>
> Subject: booster to gain distance above 60km
> Message-ID: <d1397cdb.35c0b%rodr...@1telecom.com.br>
> Content-Type: text/plain;       charset="ISO-8859-1"
>
> Hi folks... we have a point and have a 63km between point A to point B... We
> have a single fiber (only one fiber) and use a fiberstore sfp+ 10GB BiDi
> 1270/1330 module to connect these sites. All attenuation are ok... I don't
> have any trouble on fiber...
> I have received this signal on my sfp+:
>
> Receiver signal average optical power     :  0.0026 mW / -25.85 dBm
>
>
> Does anyone know if have some possible to amplifier this scenario to get
> more 7db ? Is it possible to put any booster or any way to solve this?
> I think to use a optical PreAmplifier... but I don't know if is possible
> because my scenario have just one fiber... or, use a ROPA (remote optical
> pumping amplifier) because I have 63km...
> Does anyone have some idea?
>
> Rodrigo Augusto
> Gestor de T.I. Grupo Connectoway
> http://www.connectoway.com.br
> http://www.1telecom.com.br
> rodr...@connectoway.com.br
> (81) 3497-6060
> (81) 8184-3646
> INOC-DBA 52965*100
>
>
>
>
> ------------------------------
>
> Message: 8
> Date: Thu, 26 Mar 2015 13:10:35 +0100
> From: Jens Link <li...@quux.de>
> To: nanog@nanog.org
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <87mw30hscj....@pc8.berlin.quux.de>
> Content-Type: text/plain
>
> Stephen Satchell <l...@satchell.net> writes:
>
> > It's been a while since I did this, but you can select an additional
> > port to accept SSH connections.
>
> That's easy:
>
> jens@screen:~$ grep Port /etc/ssh/sshd_config
> Port 22
> Port 443
>
> > Picking the right port to use is an exercise, though, that will depend
> > on what other services you are running on your server.
>
> I always have at least one sshd listening on port 443. For all the
> hotel, coffee house, customer networks blocking ssh.
>
> You can even multiplex and run ssh and ssl on the same port:
>
> http://www.rutschle.net/tech/sslh.shtml
>
> Jens
> --
>
> ----------------------------------------------------------------------------
> | Foelderichstr. 40   | 13595 Berlin, Germany           | +49-151-18721264 |
> | http://blog.quux.de | jabber: jensl...@jabber.quux.de | ---------------  |
> ----------------------------------------------------------------------------
>
>
> ------------------------------
>
> Message: 9
> Date: Thu, 26 Mar 2015 07:08:20 -0700
> From: Randy <a...@djlab.com>
> To: nanog@nanog.org
> Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <b8636bc52cdc7f7f595ff96c7b078...@mailbox.fastserv.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> more specifics on one of our prefixes.   Anyone else seeing similar or
> is it just us?
>
> 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
>
> --
> Randy
>
>
> ------------------------------
>
> Message: 10
> Date: Thu, 26 Mar 2015 14:09:52 +0000
> From: "Livingood, Jason" <jason_living...@cable.comcast.com>
> To: "Aaron C. de Bruyn" <aa...@heyaaron.com>, NANOG mailing list
>         <nanog@nanog.org>
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <d1398b6b.fde9e%jason_living...@cable.comcast.com>
> Content-Type: text/plain; charset="Windows-1252"
>
> ISPs are generally expected to disclose any port blocking. A quick Google
> search shows this is Frontier's list:
> http://www.frontierhelp.com/faq.cfm?qstid=277
>
> On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aa...@heyaaron.com> wrote:
>
> I've had a handful of clients contact me over the last week with
> trouble using SCP (usually WinSCP) to manage their website content on
> my servers.  Either they get timeout messages from WinSCP or a message
> saying they should switch to SFTP.
>
> After getting a few helpful users on the phone to run some quick
> tests, we found port 22 was blocked.
>
> When my customers contacted Frontier, they were told that port 22 was
> blocked because it is used to transfer illegal files.
>
> I called them, and got the same ridiculous excuse.
>
> Just a friendly heads-up to anyone from Frontier who might be
> listening, I have a few additional ports you may wish to block:
>
> 80 - Allows users to use Google to search for illegal files
> 443 - Allows users to use Google to search for illegal files in a secure
> manner
> 69 - Allows users to trivially transfer illegal files
> 3389 - Allows users to connect to unlicensed Windows machines
> 179 - Allows users to exchange routes to illegal file shares
> 53 - Allows people to look up illegal names
>
> -A
>
>
>
> ------------------------------
>
> Message: 11
> Date: Thu, 26 Mar 2015 10:27:21 -0400
> From: Christopher Morrow <morrowc.li...@gmail.com>
> To: a...@djlab.com
> Cc: nanog list <nanog@nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID:
>         <CAL9jLaY17-8nVwXDDs1dncU=
> 252pbsefpdi1qagxq5zej-a...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Thu, Mar 26, 2015 at 10:08 AM, Randy <a...@djlab.com> wrote:
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more
> > specifics on one of our prefixes.   Anyone else seeing similar or is it just
> > us?
>
> is your AS in the path below? (what is your AS so folk can check for
> your prefixes/customer-prefixes and attempt to help?)
>
> >
> > 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> >
> > --
> > Randy
>
>
> ------------------------------
>
> Message: 12
> Date: Thu, 26 Mar 2015 07:28:57 -0700
> From: Jeff Richmond <jeff.richm...@gmail.com>
> To: "Livingood, Jason" <jason_living...@cable.comcast.com>
> Cc: "Aaron C. de Bruyn" <aa...@heyaaron.com>, NANOG mailing list
>         <nanog@nanog.org>
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <006e35ad-00e6-4b61-890f-29e580ce9...@gmail.com>
> Content-Type: text/plain; charset=windows-1252
>
> All, I have reached out to Aaron privately for details, but we do not
> block port 22 traffic unless it is in direct response to an attack or
> related item. Please let me know directly if you have any specific
> questions.
>
> Thanks,
> -Jeff
>
> > On Mar 26, 2015, at 7:09 AM, Livingood, Jason <jason_living...@cable.comcast.com> wrote:
> >
> > ISPs are generally expected to disclose any port blocking. A quick
> > Google search shows this is Frontier's list:
> > http://www.frontierhelp.com/faq.cfm?qstid=277
> >
> > On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aa...@heyaaron.com> wrote:
> >
> > I've had a handful of clients contact me over the last week with
> > trouble using SCP (usually WinSCP) to manage their website content on
> > my servers.  Either they get timeout messages from WinSCP or a message
> > saying they should switch to SFTP.
> >
> > After getting a few helpful users on the phone to run some quick
> > tests, we found port 22 was blocked.
> >
> > When my customers contacted Frontier, they were told that port 22 was
> > blocked because it is used to transfer illegal files.
> >
> > I called them, and got the same ridiculous excuse.
> >
> > Just a friendly heads-up to anyone from Frontier who might be
> > listening, I have a few additional ports you may wish to block:
> >
> > 80 - Allows users to use Google to search for illegal files
> > 443 - Allows users to use Google to search for illegal files in a secure
> > manner
> > 69 - Allows users to trivially transfer illegal files
> > 3389 - Allows users to connect to unlicensed Windows machines
> > 179 - Allows users to exchange routes to illegal file shares
> > 53 - Allows people to look up illegal names
> >
> > -A
> >
>
>
>
> ------------------------------
>
> Message: 13
> Date: Thu, 26 Mar 2015 10:32:31 -0400
> From: Daniel Corbe <co...@corbe.net>
> To: "Livingood\, Jason" <jason_living...@cable.comcast.com>
> Cc: "Aaron C. de Bruyn" <aa...@heyaaron.com>, NANOG mailing list
>         <nanog@nanog.org>
> Subject: Re: Frontier: Blocking port 22 because of illegal files?
> Message-ID: <874mp7hls0....@corbe.net>
> Content-Type: text/plain; charset=utf-8
>
>
> Nothing helps promote a free and open Internet more than micromanaging
> your users' download activity.
>
> Not really sure how someone comes to the conclusion that nobody really
> *needs* ssh for anything.
>
> "Livingood, Jason" <jason_living...@cable.comcast.com> writes:
>
> > ISPs are generally expected to disclose any port blocking. A quick
> > Google search shows this is Frontier's list:
> > http://www.frontierhelp.com/faq.cfm?qstid=277
> >
> > On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aa...@heyaaron.com> wrote:
> >
> > I've had a handful of clients contact me over the last week with
> > trouble using SCP (usually WinSCP) to manage their website content on
> > my servers.  Either they get timeout messages from WinSCP or a message
> > saying they should switch to SFTP.
> >
> > After getting a few helpful users on the phone to run some quick
> > tests, we found port 22 was blocked.
> >
> > When my customers contacted Frontier, they were told that port 22 was
> > blocked because it is used to transfer illegal files.
> >
> > I called them, and got the same ridiculous excuse.
> >
> > Just a friendly heads-up to anyone from Frontier who might be
> > listening, I have a few additional ports you may wish to block:
> >
> > 80 - Allows users to use Google to search for illegal files
> > 443 - Allows users to use Google to search for illegal files in a secure
> > manner
> > 69 - Allows users to trivially transfer illegal files
> > 3389 - Allows users to connect to unlicensed Windows machines
> > 179 - Allows users to exchange routes to illegal file shares
> > 53 - Allows people to look up illegal names
> >
> > -A
>
>
> ------------------------------
>
> Message: 14
> Date: Thu, 26 Mar 2015 07:38:08 -0700
> From: Randy <a...@djlab.com>
> To: Christopher Morrow <morrowc.li...@gmail.com>
> Cc: christopher.mor...@gmail.com, nanog list <nanog@nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <d9f578bfd7e75bf125e26a2911c67...@mailbox.fastserv.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On 03/26/2015 7:27 am, Christopher Morrow wrote:
> > is your AS in the path below? (what is your AS so folk can check for
> > your prefixes/customer-prefixes and attempt to help?)
>
> Sorry, we're 29889.
>
>
>
> ------------------------------
>
> Message: 15
> Date: Thu, 26 Mar 2015 14:43:20 +0000
> From: Peter Rocca <ro...@start.ca>
> To: "nanog@nanog.org" <nanog@nanog.org>
> Subject: RE: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <44c3b7398b0c46b8a842c44da3f379be@APP02.start.local>
> Content-Type: text/plain; charset="us-ascii"
>
> We just received a similar alert from bgpmon - part of 108.168.0.0/17 is
> being advertised as /20's - although we're still listed as the origin. We
> are 40788.
>
> 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy
> Sent: March-26-15 10:08 AM
> To: nanog@nanog.org
> Subject: Prefix hijack by INDOSAT AS4795 / AS4761
>
> On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> more specifics on one of our prefixes.   Anyone else seeing similar or
> is it just us?
>
> 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
>
> --
> Randy
>
>
> ------------------------------
>
> Message: 16
> Date: Thu, 26 Mar 2015 10:44:28 -0400
> From: Christopher Morrow <morrowc.li...@gmail.com>
> To: a...@djlab.com
> Cc: nanog list <nanog@nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID:
>         <CAL9jLaYvGYc6s4uhAqfKG+qikWSa4U3Mp=
> xo6uuvfaz_4gg...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Thu, Mar 26, 2015 at 10:38 AM, Randy <a...@djlab.com> wrote:
> > On 03/26/2015 7:27 am, Christopher Morrow wrote:
> >>
> >> is your AS in the path below? (what is your AS so folk can check for
> >> your prefixes/customer-prefixes and attempt to help?)
> >
> >
> > Sorry, we're 29889.
> >
>
> ok, and it looks like the path you clipped is:
> 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
>
> possibly LAIX is passing along your /24 you didn't mean them to pass on?
>
>
> ------------------------------
>
> Message: 17
> Date: Thu, 26 Mar 2015 10:45:09 -0400
> From: Christopher Morrow <morrowc.li...@gmail.com>
> To: Peter Rocca <ro...@start.ca>
> Cc: "nanog@nanog.org" <nanog@nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID:
>         <
> cal9jlaalxcncc4uytkz7suduks4b+vjza56no6n_tdhrmhj...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <ro...@start.ca> wrote:
> > We just received a similar alert from bgpmon - part of 108.168.0.0/17
> > is being advertised as /20's - although we're still listed as the origin.
> > We are 40788.
> >
> > 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> >
>
> common point looks like LAIX ? their routeserver go crazy perhaps? or
> did they change in/out prefix management information?
>
> > -----Original Message-----
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy
> > Sent: March-26-15 10:08 AM
> > To: nanog@nanog.org
> > Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> >
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> > more specifics on one of our prefixes.   Anyone else seeing similar or
> > is it just us?
> >
> > 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> >
> > --
> > Randy
>
>
> ------------------------------
>
> Message: 18
> Date: Thu, 26 Mar 2015 07:46:31 -0700
> From: Randy <a...@djlab.com>
> To: Christopher Morrow <morrowc.li...@gmail.com>
> Cc: christopher.mor...@gmail.com, nanog list <nanog@nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <78c55aee9b1853c827c78adb8527f...@mailbox.fastserv.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> All,
>
> Info gathered off-list indicates this may be a couple of issues in our
> case - possible routing leak by 18978 (check your tables!) and more
> specifics on our prefixes from 4795 that we couldn't see before the leak
> hence the apparent hijack.
>
> --
> ~Randy
>
>
> ------------------------------
>
> Message: 19
> Date: Thu, 26 Mar 2015 15:46:51 +0100
> From: Pierre Emeriaud <petrus...@gmail.com>
> To: a...@djlab.com
> Cc: nanog@nanog.org
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID:
>         <
> ca+psopyoeoaswgq1mzg+mls0zrmow35o7ytre_r5yssm8uc...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi,
>
>
> 2015-03-26 15:08 GMT+01:00 Randy <a...@djlab.com>:
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more
> > specifics on one of our prefixes.   Anyone else seeing similar or is it just
> > us?
> >
> > 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
>
> We (as3215) are seeing almost the same path with 40633 18978 3257
> 3215, for some quite a lot of prefixes.
>
> Some alerts from bgpmon:
> 193.251.32.0/20 271 6939 40633 18978 3257 3215
> 193.251.32.0/20 271 6939 40633 18978 3257 3215
>
> We are not directly connected to 3257. Looks like 18978 deaggregated
> to /20 and reannounced to 40633 (LAIX).
>
>
> Rgds,
> pierre
>
>
> ------------------------------
>
> Message: 20
> Date: Thu, 26 Mar 2015 23:48:12 +0900
> From: "Paul S." <cont...@winterei.se>
> To: nanog@nanog.org
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <55141c2c.40...@winterei.se>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Same here. These Indosat guys can't seem to catch a break =/
>
> On 3/26/2015 11:43 PM, Peter Rocca wrote:
> > We just received a similar alert from bgpmon - part of 108.168.0.0/17
> > is being advertised as /20's - although we're still listed as the origin.
> > We are 40788.
> >
> > 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> >
> > -----Original Message-----
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy
> > Sent: March-26-15 10:08 AM
> > To: nanog@nanog.org
> > Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> >
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> > more specifics on one of our prefixes.   Anyone else seeing similar or
> > is it just us?
> >
> > 198.98.180.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> >
>
>
>
> ------------------------------
>
> Message: 21
> Date: Thu, 26 Mar 2015 11:00:31 -0400
> From: Chuck Anderson <c...@wpi.edu>
> To: nanog@nanog.org
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <20150326150030.go9...@angus.ind.wpi.edu>
> Content-Type: text/plain; charset=us-ascii
>
> We are AS 10326 130.215.0.0/16 and I just received a BGPmon alert as
> well:
>
> 130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326
> 130.215.176.0/20 4795 4795 4761 9304 40633 18978 4436 10326
>
> On Thu, Mar 26, 2015 at 10:45:09AM -0400, Christopher Morrow wrote:
> > On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <ro...@start.ca> wrote:
> > > We just received a similar alert from bgpmon - part of 108.168.0.0/17
> > > is being advertised as /20's - although we're still listed as the origin.
> > > We are 40788.
> > >
> > > 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > > 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > > 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > > 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> > >
> >
> > common point looks like LAIX ? their routeserver go crazy perhaps? or
> > did they change in/out prefix management information?
> >
> > > -----Original Message-----
> > > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy
> > > Sent: March-26-15 10:08 AM
> > > To: nanog@nanog.org
> > > Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> > >
> > > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> > > more specifics on one of our prefixes.   Anyone else seeing similar or
> > > is it just us?
> > >
> > > 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > > 198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
> > >
> > > --
> > > Randy
>
>
> ------------------------------
>
> Message: 22
> Date: Thu, 26 Mar 2015 16:02:00 +0100
> From: Christian Teuschel <christian.teusc...@ripe.net>
> To: nanog@nanog.org
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <55141f68.9060...@ripe.net>
> Content-Type: text/plain; charset="windows-1252"
>
> Hi Randy,
>
> Assuming that your prefix is 198.98.180.0/22 (AS29889 - FSNET-1 - Fast
> Serv Networks, LLC) none of the mentioned more specifics are currently
> seen from the RIPE NCC's RIS network, see the Looking Glass widget:
>
> https://stat.ripe.net/198.98.180.0/23#tabId=routing
> https://stat.ripe.net/198.98.182.0/23#tabId=at-a-glance
>
> though there has been some BGP activity going on since 11:49:42, see the
> BGPlay and BGP Update Activity widget. In both cases the originating ASN
> was AS29889.
>
> Cheers,
> Christian
>
> On 26/03/15 15:46, Randy wrote:
> > All,
> >
> > Info gathered off-list indicates this may be a couple of issues in our
> > case - possible routing leak by 18978 (check your tables!) and more
> > specifics on our prefixes from 4795 that we couldn't see before the leak
> > hence the apparent hijack.
> >
>
> ------------------------------
>
> Message: 23
> Date: Thu, 26 Mar 2015 08:53:37 -0700
> From: Andree Toonk <andree+na...@toonk.nl>
> To: Peter Rocca <ro...@start.ca>
> Cc: "nanog@nanog.org" <nanog@nanog.org>
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <55142b81.9000...@toonk.nl>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi List,
>
> this morning our BGPmon system picked up many new more specific
> announcements by a variety of Origin ASns, the interesting part is that
> the majority of them were classified as BGP Man In The middle attacks
> (MITM).
>
> A typical alert would look like:
>
> ====================================================================
> Possible BGP MITM attack (Code: 21)
> ====================================================================
> Your prefix:          23.20.0.0/15:
> Prefix Description:   acxiom-online.com --- Amazon EC2 IAD prefix
> Update time:          2015-03-26 11:27 (UTC)
> Detected by #peers:   24
> Detected prefix:      23.21.112.0/20
> Announced by:         AS14618 (AMAZON-AES - Amazon.com, Inc.,US)
> Upstream AS:          AS3257 (TINET-BACKBONE Tinet SpA,DE)
> ASpath:               4608 24130 7545 6939 40633 18978 3257 14618
>
> All alerts have the following part of the AS Path in common:
> 40633 1897
>
> We're still looking into the details of this particular case, but
> based on past experience it's likely that it is not in fact 14618 AWS,
> that originated this more specific (in this example), but most likely
> 18978 (or 40633), which leaked it to AS40633 Los Angeles Internet
> exchange, where others picked it up and propagated it to their customers.
>
> In the past we've seen similar issues caused by BGP traffic optimizers.
> These devices introduce new more specifics (try to keep the ASpath
> intact) for Traffic engineering purposes, and then folks leak those. A
> good write up of a previous example can be found here:
> http://www.bgpmon.net/accidentally-stealing-the-internet/
>
> A quick scan shows that this affected over 5000 prefixes and about 145
> Autonomous systems. All of these appear to be more specific prefixes
> (which is the scary part).
>
> Cheers,
>  Andree
>
> PS. It appears this is not related to INDOSAT, they just happen to be
> one of the peers that picked this up.
>
>
> .-- My secret spy satellite informs me that at 2015-03-26 7:43 AM  Peter
> Rocca wrote:
> > We just received a similar alert from bgpmon - part of 108.168.0.0/17
> > is being advertised as /20's - although we're still listed as the origin.
> > We are 40788.
> >
> > 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> >
> > -----Original Message-----
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy
> > Sent: March-26-15 10:08 AM
> > To: nanog@nanog.org
> > Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> >
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> > more specifics on one of our prefixes.   Anyone else seeing similar or
> > is it just us?
> >
> > 198.98.180.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> >
>
>
> ------------------------------
>
> Message: 24
> Date: Thu, 26 Mar 2015 16:00:13 +0000
> From: Peter Rocca <ro...@start.ca>
> To: Andree Toonk <andree+na...@toonk.nl>
> Cc: "nanog@nanog.org" <nanog@nanog.org>
> Subject: RE: Prefix hijack by INDOSAT AS4795 / AS4761
> Message-ID: <df223256e7294e619cf09b8697de7f28@APP02.start.local>
> Content-Type: text/plain; charset="us-ascii"
>
> +1
>
> The summary below aligns with our analysis as well.
>
> We've reached out to AS18978 to determine the status of the leak but at
> this time we're not seeing any operational impact.
>
> -----Original Message-----
> From: Andree Toonk [mailto:andree+na...@toonk.nl]
> Sent: March-26-15 11:54 AM
> To: Peter Rocca
> Cc: nanog@nanog.org
> Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761
>
> Hi List,
>
> this morning our BGPmon system picked up many new more specific
> announcements by a variety of Origin ASns, the interesting part is that the
> majority of them were classified as BGP Man In The middle attacks (MITM).
>
> A typical alert would look like:
>
> ====================================================================
> Possible BGP MITM attack (Code: 21)
> ====================================================================
> Your prefix:          23.20.0.0/15:
> Prefix Description:   acxiom-online.com --- Amazon EC2 IAD prefix
> Update time:          2015-03-26 11:27 (UTC)
> Detected by #peers:   24
> Detected prefix:      23.21.112.0/20
> Announced by:         AS14618 (AMAZON-AES - Amazon.com, Inc.,US)
> Upstream AS:          AS3257 (TINET-BACKBONE Tinet SpA,DE)
> ASpath:               4608 24130 7545 6939 40633 18978 3257 14618
>
> All alerts have the following part of the AS Path in common:
> 40633 1897
>
> We're still looking into the details of this particular case, but based
> on past experience it's likely that it is not in fact 14618 AWS, that
> originated this more specific (in this example), but most likely
> 18978 (or 40633), which leaked it to AS40633 Los Angeles Internet
> exchange, where others picked it up and propagated it to their customers.
>
> In the past we've seen similar issues caused by BGP traffic optimizers.
> These devices introduce new more specifics (try to keep the ASpath
> intact) for Traffic engineering purposes, and then folks leak those. A good
> write up of a previous example can be found here:
> http://www.bgpmon.net/accidentally-stealing-the-internet/
>
> A quick scan shows that this affected over 5000 prefixes and about 145
> Autonomous systems. All of these appear to be more specific prefixes (which
> is the scary part).
>
> Cheers,
>  Andree
>
> PS. It appears this is not related to INDOSAT, they just happen to be one
> of the peers that picked this up.
>
>
> .-- My secret spy satellite informs me that at 2015-03-26 7:43 AM  Peter
> Rocca wrote:
> > We just received a similar alert from bgpmon - part of 108.168.0.0/17
> > is being advertised as /20's - although we're still listed as the origin.
> > We are 40788.
> >
> > 108.168.64.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.80.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.96.0/20  4795 4795 4761 9304 40633 18978 6939 40788
> > 108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
> >
> > -----Original Message-----
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy
> > Sent: March-26-15 10:08 AM
> > To: nanog@nanog.org
> > Subject: Prefix hijack by INDOSAT AS4795 / AS4761
> >
> > On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing
> > more specifics on one of our prefixes.   Anyone else seeing similar or
> > is it just us?
> >
> > 198.98.180.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> > 198.98.182.0/23       4795 4795 4761 9304 40633 18978 4436 29889
> >
>
>
> ------------------------------
>
> Message: 25
> Date: Thu, 26 Mar 2015 12:09:10 -0400
> From: Shawn L <sha...@up.net>
> To: nanog <nanog@nanog.org>
> Subject: Charter Engineer
> Message-ID:
>         <CACTmXQVgzXydseLNrAcCZtt+sXS1_LSrGqJca=+
> ep9gs2kc...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Could a Charter engineer with familiarity with Michigan contact me
> off-list?  We have a mutual client who's having issues communicating
> between sites.
>
> Thanks
>
>
> ------------------------------
>
> Message: 26
> Date: Thu, 26 Mar 2015 09:14:25 -0700
> From: Randy <a...@djlab.com>
> To: Peter Rocca <ro...@start.ca>
> Cc: nanog@nanog.org
> Subject: RE: More specifics from AS18978 [was: Prefix hijack by
>         INDOSAT AS4795 / AS4761]
> Message-ID: <fd455d84899cd5dfe3a4ff9169add...@mailbox.fastserv.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On 03/26/2015 9:00 am, Peter Rocca wrote:
> > +1
> >
> > The summary below aligns with our analysis as well.
> >
> > We've reached out to AS18978 to determine the status of the leak but
> > at this time we're not seeing any operational impact.
>
> +2, after the morning coffee sunk in and helpful off list replies I can
> finally see it's probably not INDOSAT involved at all.
>
> FYI, the more specifics are still active:
>
> 2015-03-26 13:56:11     Update  AS4795  ID      198.98.180.0/23 4795 4795 4761 9304 40633 18978 6939 29889     Active
> 2015-03-26 13:56:11     Update  AS4795  ID      198.98.182.0/23 4795 4795 4761 9304 40633 18978 6939 29889     Active
>
> --
> ~Randy
>
>
> End of NANOG Digest, Vol 86, Issue 27
> *************************************
>
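
The check described in the digest above (flag more specifics of a monitored prefix, note whether the origin AS is unchanged, then look for the AS-path segment every alert shares), as an added example that is not part of the original messages and is not BGPmon's code. Prefixes and paths are the ones quoted in the thread except one entry marked as constructed; the function names are hypothetical.

```python
import ipaddress

# Covering prefixes and origin ASNs as stated in the thread.
MONITORED = {"198.98.180.0/22": 29889, "108.168.0.0/17": 40788, "23.20.0.0/15": 14618}

# (prefix, AS path) pairs quoted in the thread; the last entry is constructed.
OBSERVED = [
    ("198.98.180.0/23", "4795 4795 4761 9304 40633 18978 4436 29889"),
    ("198.98.182.0/23", "4795 4795 4761 9304 40633 18978 4436 29889"),
    ("108.168.64.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("108.168.80.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("108.168.96.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("108.168.112.0/20", "4795 4795 4761 9304 40633 18978 6939 40788"),
    ("23.21.112.0/20", "4608 24130 7545 6939 40633 18978 3257 14618"),
    ("198.98.180.0/22", "3257 4436 29889"),  # constructed: normal covering route
]

def find_alerts(monitored, observed):
    """Return (prefix, covering, kind, path) for each strict more-specific."""
    alerts = []
    for prefix, path_text in observed:
        net = ipaddress.ip_network(prefix)
        path = [int(asn) for asn in path_text.split()]
        for covering, origin in monitored.items():
            cov = ipaddress.ip_network(covering)
            if net.version == cov.version and net != cov and net.subnet_of(cov):
                kind = "origin intact" if path[-1] == origin else "origin changed"
                alerts.append((prefix, covering, kind, path))
    return alerts

def collapse(path):
    """Drop AS-path prepending (consecutive repeats of the same ASN)."""
    return [a for i, a in enumerate(path) if i == 0 or path[i - 1] != a]

def contains(path, seg):
    return any(path[i:i + len(seg)] == seg for i in range(len(path) - len(seg) + 1))

def common_segment(paths):
    """Longest contiguous ASN run present in every path (leak candidates)."""
    paths = [collapse(p) for p in paths]
    if not paths:
        return []
    first = paths[0]
    for n in range(len(first), 0, -1):
        for i in range(len(first) - n + 1):
            if all(contains(p, first[i:i + n]) for p in paths[1:]):
                return first[i:i + n]
    return []

if __name__ == "__main__":
    alerts = find_alerts(MONITORED, OBSERVED)
    for prefix, covering, kind, _ in alerts:
        print(f"{prefix} more specific of {covering}: {kind}")
    print("shared segment:", common_segment([a[3] for a in alerts]))
```

The shared segment names the ASNs worth contacting first; an origin that is still correct on a more specific is what separates a leak of this kind from a plain origin hijack.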

