Re: prefix hijack by ASN 8997
On Mon, Sep 22, 2008 at 22:13, Jim Popovitch <[EMAIL PROTECTED]> wrote:
> On Mon, Sep 22, 2008 at 21:06, Scott Weeks <[EMAIL PROTECTED]> wrote:
>>
>> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and
>> another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia)
>> using ASN 3267 (Russian Federal University Network) to advertise our space
>> to ASN 3277 (Regional University and Scientific Network (RUSNet) of
>> North-Western and Saint-Petersburg Area of Russia).
>
> Yep, saw this for 69.61.0.0/17 GlobalCompass (my upstream) this AM:
>
> SEQUENCE_NUMBER: 1222091638
> TYPE: last-hop
> BGP-UPDATE-TIME: 1222075864
> PHAS-DETECT-TIME: 1222091637
> PHAS-NOTIFY-TIME: 1222091637
> PREFIX: 69.61.0.0/17
> SET: 3561,3267,3356,3491
> GAINED: 3267 <- Russian Federal University Network
> LOST:
>
> SEQUENCE_NUMBER: 1222091638
> TYPE: origin
> BGP-UPDATE-TIME: 1222075864
> PHAS-DETECT-TIME: 1222091637
> PHAS-NOTIFY-TIME: 1222091637
> PREFIX: 69.61.0.0/17
> SET: 8997,22653
> GAINED: 8997 <- OJSC North-West Telecom, St.-Petersburg, Russia
> LOST:
>
> SEQUENCE_NUMBER: 1222096125
> TYPE: origin
> BGP-UPDATE-TIME: 1222076569
> PHAS-DETECT-TIME: 1222092415
> PHAS-NOTIFY-TIME: 1222096124
> PREFIX: 69.61.0.0/17
> SET: 22653 <- GlobalCrossing

Small typo on my part above... 22653 is GlobalCompass, not GlobalCrossing as I
mistakenly typed above.

-Jim P.
Re: prefix hijack by ASN 8997
Scott Weeks wrote:
> -- [EMAIL PROTECTED] wrote: --
> From: Marshall Eubanks <[EMAIL PROTECTED]>
>
> So, do you think this was lots of little tests / hijacks / mistakes ? Or did
> it just not propagate very far ?
> -
>
> According to Andree Toonk (and someone confirmed privately) ASN 8997 leaked a
> full table to ASN 3267 (who didn't filter!). The only upstream of ASN 3267 I
> saw in bgplay was ASN 174 (Cogent) who seems to have filtered, but I can't
> confirm. So I guess that the impact would've only been to the peers
> downstream of ASN 3267.
>
> scott
>
> -
> Andree Toonk <[EMAIL PROTECTED]>
>
> Not a false positive, It actually was detected by the RIS box in Moscow
> (rrc13). Strange that it's not visible in RIS search website, but it's
> definitely in the raw data files.
> Looking at that raw data from both routeviews and Ripe, it looks like they
> (AS8997) 'leaked' a full table, i.e. :
> --

I did some analysis of updates on routeviews. The only routeviews peer I saw
leaking the routes was AS3277 (out of 42 peers). There were roughly 117,000
prefixes with origin AS8997 with the path going through AS3267 to AS3277. The
initial announcements were seen at 09:29:32 UTC and updates with the correct
path were seen starting at about 09:36:42 UTC (last ones seen at 09:43:42).

-Larry
Re: prefix hijack by ASN 8997
Note that my bgp was through Cogent - my guess is they did filter.

Marshall

On Sep 23, 2008, at 11:54 AM, Scott Weeks wrote:
> -- [EMAIL PROTECTED] wrote: --
> From: Marshall Eubanks <[EMAIL PROTECTED]>
>
> So, do you think this was lots of little tests / hijacks / mistakes ? Or did
> it just not propagate very far ?
> -
>
> According to Andree Toonk (and someone confirmed privately) ASN 8997 leaked a
> full table to ASN 3267 (who didn't filter!). The only upstream of ASN 3267 I
> saw in bgplay was ASN 174 (Cogent) who seems to have filtered, but I can't
> confirm. So I guess that the impact would've only been to the peers
> downstream of ASN 3267.
>
> scott
>
> -
> Andree Toonk <[EMAIL PROTECTED]>
>
> Not a false positive, It actually was detected by the RIS box in Moscow
> (rrc13). Strange that it's not visible in RIS search website, but it's
> definitely in the raw data files.
> Looking at that raw data from both routeviews and Ripe, it looks like they
> (AS8997) 'leaked' a full table, i.e. :
> --
Re: prefix hijack by ASN 8997
-- [EMAIL PROTECTED] wrote: --
From: Marshall Eubanks <[EMAIL PROTECTED]>

So, do you think this was lots of little tests / hijacks / mistakes ? Or did it
just not propagate very far ?
-

According to Andree Toonk (and someone confirmed privately) ASN 8997 leaked a
full table to ASN 3267 (who didn't filter!). The only upstream of ASN 3267 I
saw in bgplay was ASN 174 (Cogent) who seems to have filtered, but I can't
confirm. So I guess that the impact would've only been to the peers downstream
of ASN 3267.

scott

-
Andree Toonk <[EMAIL PROTECTED]>

Not a false positive, It actually was detected by the RIS box in Moscow
(rrc13). Strange that it's not visible in RIS search website, but it's
definitely in the raw data files.
Looking at that raw data from both routeviews and Ripe, it looks like they
(AS8997) 'leaked' a full table, i.e. :
--
Re: prefix hijack by ASN 8997
On Sep 23, 2008, at 8:15 AM, Scott Weeks wrote:
> --- [EMAIL PROTECTED] wrote:
> From: Marshall Eubanks <[EMAIL PROTECTED]>
>
> : You didn't specify the time zone you are in,
> : so I looked at +- 1 day around it. If the
> : hijack lasted 6 hours, we should have seen it.
>
> My apologies, I just used the time zone the tool (bgplay.routeviews.org/bgplay)
> was using when I said:
>
> 22/9/2008 9:00:00 and 22/9/2008 15:00:00
>
> I'm sure it was in GMT. Seeing the many responses, we now know something
> happened and it was only about 15 minutes in duration.

These two times are separated by 6 hours exactly (0500 and 1100 EDT).

There is a positive report at 1330 Moscow time or 0930 UTC or 0530 EDT.
There is a positive report "a few minutes" before 0122 UTC - say 0115
There is a positive report at 1222091563 which I cannot interpret. (1222 UTC ?)

We have my negative reports at 0607 EDT and 1207 EDT, etc., or 1007 UTC and
1607 UTC, etc.

So (all times UTC)

0407 no
0900 yes
0930 yes
1007 no
1500 yes
1607 no
2207 no
0115 yes
0407 no

So, do you think this was lots of little tests / hijacks / mistakes ? Or did it
just not propagate very far ?

Marshall

> bgplay shows the problem with the above data and I was just wondering if I
> was understanding the impact correctly:
>
>> If the above two are correct, would it be correct to say only the
>> downstream customers of ASN 3267 were affected?
>
> I was not following the rules properly: never attribute to malice that which
> can be explained by human error. I thought there might be some
> testing-of-the-water in preparation for future 'events' and I guess I was
> starting to be trigger happy after all the talk about the new BGP attack.
>
> scott
>
> --- [EMAIL PROTECTED] wrote:
> From: Marshall Eubanks <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: <[EMAIL PROTECTED]>
> Subject: Re: prefix hijack by ASN 8997
> Date: Tue, 23 Sep 2008 07:51:36 -0400
>
> On Sep 22, 2008, at 9:06 PM, Scott Weeks wrote:
>>
>> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and
>> another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia)
>> using ASN 3267 (Russian Federal University Network) to advertise our space
>> to ASN 3277 (Regional University and Scientific Network (RUSNet) of
>> North-Western and Saint-Petersburg Area of Russia).
>>
>> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put in
>> prefix 72.234.0.0/15 and select the dates:
>>
>> 22/9/2008 9:00:00 and 22/9/2008 15:00:00
>>
>> If so, am I understanding it correctly if I say ASN 3267 saw a shorter path
>> from ASN 8997, so refused the proper announcement from ASN 36149 (me) it
>> normally hears from ASN 174 (Cogent).
>
> I cannot confirm that from the monitoring program at AS 16517 :
>
> [EMAIL PROTECTED] mcast]$ grep 72.234.0.0 bgp.full.Sep_2*2008
> bgp.full.Sep_21_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
> bgp.full.Sep_21_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
> bgp.full.Sep_21_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
> bgp.full.Sep_21_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
> bgp.full.Sep_22_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
> bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
> bgp.full.Sep_22_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
> bgp.full.Sep_22_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
> bgp.full.Sep_23_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
> bgp.full.Sep_23_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
>
> You didn't specify the time zone you are in, so I looked at +- 1 day around
> it. If the hijack lasted 6 hours, we should have seen it.
>
> Regards
> Marshall
>
>> If the above two are correct, would it be correct to say only the
>> downstream customers of ASN 3267 were affected?
>>
>> scott
comparison of hijack alert systems [was]: prefix hijack by ASN 8997
On Mon, 22 Sep 2008, Scott Weeks wrote:
>
> I am hoping to confirm a short-duration prefix hijack

--- [EMAIL PROTECTED] wrote:
From: Hank Nussbacher <[EMAIL PROTECTED]>

I too spotted this via PHAS for a large number of prefixes, but have not
received alerts from IAR, Watchmy.Net nor does RIPE RIS show this hijack:
http://www.ris.ripe.net/perl-risapp/risearch.html
I would have expected with so many RRC boxes that RIPE RIS would have caught
it. I had thought it was a false positive from PHAS but now that you and
others have seen it - I guess it is for real.

It'd be very interesting to compare said systems using this event. I have not
subscribed to MyASN or watchmy.net yet, so I can't do that. I do note,
however, that PHAS took 4 hours and 20 minutes to email me, which is within
the specs noted on their site.

scott
RE: prefix hijack by ASN 8997
Agree on #2 as well. You can bet they're also reading Nanog right now to see
who and how it was detected. Oh, well, on with the fight.

Chuck

-----Original Message-----
From: Christian Koch [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 23, 2008 12:58 AM
To: Justin Shore; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: prefix hijack by ASN 8997

At first glance this morning not seeing any data between the gain and lost
alerts from phas and inability to find a route in any of the many collectors
and route servers out there I had thought it was possibly a fat finger mistake
by 8997 or a false positive.

After locating the data in bgplay/rviews, and noticing how many more people
this occurred to I'm leaning towards 2 possible scenarios:

1 - bgp misconfigurations leading to leaks (Depends on the overall scale of
how many other prefixes were possibly announced)

2 - 8997 began announcing prefixes as an experiment to "test the waters" for
potential real hijacks in future... 'geography' hints towards #2

Or both theories could be way off :)

I'd be interested to know if Renesys collected any data that might give some
better insight to this...

Christian

On 9/23/08, Justin Shore <[EMAIL PROTECTED]> wrote:
> Looking up some of my prefixes in PHAS and BGPPlay, I too see my
> prefixes being advertised by 8997 for a short time. It looks like it
> happened around 1222091563 according to PHAS.
>
> Was this a mistake or something else?
>
> Justin
>
>
> Christian Koch wrote:
>> I received a phas notification about this today as well...
>>
>> I couldn't find any relevant data confirming the announcement of one
>> of my /19 blocks, until a few minutes ago when i checked the route
>> views bgplay (ripe bgplay turns up nothing) and can now see 8997
>> announcing and quickly withdrawing my prefix
>>
>> On Mon, Sep 22, 2008 at 9:06 PM, Scott Weeks <[EMAIL PROTECTED]>
>> wrote:
>>>
>>> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15
>>> (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in
>>> Russia) using ASN 3267 (Russian Federal University Network) to
>>> advertise our space to ASN 3277 (Regional University and Scientific
>>> Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).
>>>
>>> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put
>>> in prefix 72.234.0.0/15 and select the dates:
>>>
>>> 22/9/2008 9:00:00 and 22/9/2008 15:00:00
>>>
>>> If so, am I understanding it correctly if I say ASN 3267 saw a shorter
>>> path from ASN 8997, so refused the proper announcement from ASN 36149
>>> (me) it normally hears from ASN 174 (Cogent).
>>>
>>> If the above two are correct, would it be correct to say only the
>>> downstream customers of ASN 3267 were affected?
>>>
>>> scott

--
Sent from my mobile device
Re: prefix hijack by ASN 8997
--- [EMAIL PROTECTED] wrote:
From: Marshall Eubanks <[EMAIL PROTECTED]>

: You didn't specify the time zone you are in,
: so I looked at +- 1 day around it. If the
: hijack lasted 6 hours, we should have seen it.

My apologies, I just used the time zone the tool (bgplay.routeviews.org/bgplay)
was using when I said:

22/9/2008 9:00:00 and 22/9/2008 15:00:00

I'm sure it was in GMT. Seeing the many responses, we now know something
happened and it was only about 15 minutes in duration.

bgplay shows the problem with the above data and I was just wondering if I was
understanding the impact correctly:

> If the above two are correct, would it be
> correct to say only the downstream customers
> of ASN 3267 were affected?

I was not following the rules properly: never attribute to malice that which
can be explained by human error. I thought there might be some
testing-of-the-water in preparation for future 'events' and I guess I was
starting to be trigger happy after all the talk about the new BGP attack.

scott

--- [EMAIL PROTECTED] wrote:
From: Marshall Eubanks <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: <[EMAIL PROTECTED]>
Subject: Re: prefix hijack by ASN 8997
Date: Tue, 23 Sep 2008 07:51:36 -0400

On Sep 22, 2008, at 9:06 PM, Scott Weeks wrote:
>
> I am hoping to confirm a short-duration prefix hijack of
> 72.234.0.0/15 (and another of our prefixes) by ASN 8997 ("OJSC
> North-West Telecom" in Russia) using ASN 3267 (Russian Federal
> University Network) to advertise our space to ASN 3277 (Regional
> University and Scientific Network (RUSNet) of North-Western and
> Saint-Petersburg Area of Russia).
>
> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay",
> put in prefix 72.234.0.0/15 and select the dates:
>
> 22/9/2008 9:00:00 and 22/9/2008 15:00:00
>
> If so, am I understanding it correctly if I say ASN 3267 saw a
> shorter path from ASN 8997, so refused the proper announcement from
> ASN 36149 (me) it normally hears from ASN 174 (Cogent).

I cannot confirm that from the monitoring program at AS 16517 :

[EMAIL PROTECTED] mcast]$ grep 72.234.0.0 bgp.full.Sep_2*2008
bgp.full.Sep_21_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_21_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_21_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_21_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_22_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_22_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_22_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_23_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_23_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?

You didn't specify the time zone you are in, so I looked at +- 1 day around
it. If the hijack lasted 6 hours, we should have seen it.

Regards
Marshall

>
> If the above two are correct, would it be correct to say only the
> downstream customers of ASN 3267 were affected?
>
> scott
Re: prefix hijack by ASN 8997
On Sep 22, 2008, at 9:06 PM, Scott Weeks wrote:
> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and
> another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia)
> using ASN 3267 (Russian Federal University Network) to advertise our space
> to ASN 3277 (Regional University and Scientific Network (RUSNet) of
> North-Western and Saint-Petersburg Area of Russia).
>
> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put in
> prefix 72.234.0.0/15 and select the dates:
>
> 22/9/2008 9:00:00 and 22/9/2008 15:00:00
>
> If so, am I understanding it correctly if I say ASN 3267 saw a shorter path
> from ASN 8997, so refused the proper announcement from ASN 36149 (me) it
> normally hears from ASN 174 (Cogent).

I cannot confirm that from the monitoring program at AS 16517 :

[EMAIL PROTECTED] mcast]$ grep 72.234.0.0 bgp.full.Sep_2*2008
bgp.full.Sep_21_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_21_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_21_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_21_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_22_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_22_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_22_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_23_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?
bgp.full.Sep_23_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.1163990 0 174 209 36149 ?

You didn't specify the time zone you are in, so I looked at +- 1 day around
it. If the hijack lasted 6 hours, we should have seen it.

Regards
Marshall

> If the above two are correct, would it be correct to say only the
> downstream customers of ASN 3267 were affected?
>
> scott
Re: prefix hijack by ASN 8997
Hi

http://www.msk-ix.ru/network/traffic.html
it was 12:00 moscow local time.

sorry, 13:xx

TIME: 09/22/08 09:30:05
TYPE: BGP4MP/MESSAGE/Update
FROM: 193.232.244.36 AS2895
TO: 193.232.244.114 AS12654
ORIGIN: IGP
ASPATH: 2895 3267 8997
NEXT_HOP: 193.232.244.36
ANNOUNCE

GMT+4

Kind regards,
ingo flaschberger
Re: prefix hijack by ASN 8997
Hi,

http://www.msk-ix.ru/network/traffic.html
it was 12:00 moscow local time.

Kind regards,
ingo flaschberger
Re: prefix hijack by ASN 8997
Hi Hank,

.-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank Nussbacher wrote:

>> Looking at that raw data from both routeviews and Ripe, it looks like they
>> (AS8997) 'leaked' a full table, i.e. :
>> * 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895
>> 3267 8997)
>> * 250495 seen by routeviews (ASpath: 2895 3267 8997).
>> (results of quick query: where AS-path contained '3267 8997' update type =
>> advertisement).
>>
>> ASpath: 2895 3267 8997
>
> Is that the only ASpath that leaked it? There are others - did they
> filter properly and only that path failed to filter?

Again:
* 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895
3267 8997 & ASpath 2895 5431 3267 8997)
* 250495 seen by routeviews (ASpath: 3277 3267 8997).

Looks like those are the only ones, but this is just a quick egrep, awk, and
sort on the raw data so I might have missed something (It's getting late here,
so no guarantees ;))

Cheers,
Andree
Re: prefix hijack by ASN 8997
On Tue, 23 Sep 2008, Andree Toonk wrote:

> Not a false positive, It actually was detected by the RIS box in Moscow
> (rrc13). Strange that it's not visible in RIS search website, but it's
> definitely in the raw data files.
> Looking at that raw data from both routeviews and Ripe, it looks like they
> (AS8997) 'leaked' a full table, i.e. :
> * 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895
> 3267 8997)
> * 250495 seen by routeviews (ASpath: 2895 3267 8997).
> (results of quick query: where AS-path contained '3267 8997' update type =
> advertisement).
>
> ASpath: 2895 3267 8997

Is that the only ASpath that leaked it? There are others - did they filter
properly and only that path failed to filter?

Regards,
Hank
Re: prefix hijack by ASN 8997
Ahah, so my first theory was on the right track :)

Thanks for sharing the info...

Christian

On Tue, Sep 23, 2008 at 2:33 AM, Andree Toonk <[EMAIL PROTECTED]> wrote:
> Hi,
>
> .-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank
> Nussbacher wrote:
>
>> I too spotted this via PHAS for a large number of prefixes, but have not
>> received alerts from IAR, Watchmy.Net nor does RIPE RIS show this hijack:
>> http://www.ris.ripe.net/perl-risapp/risearch.html I would have expected
>> with so many RRC boxes that RIPE RIS would have caught it. I had thought
>> it was a false positive from PHAS but now that you and others have seen
>> it - I guess it is for real.
>
> Not a false positive, It actually was detected by the RIS box in Moscow
> (rrc13). Strange that it's not visible in RIS search website, but it's
> definitely in the raw data files.
> Looking at that raw data from both routeviews and Ripe, it looks like they
> (AS8997) 'leaked' a full table, i.e. :
> * 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895
> 3267 8997)
> * 250495 seen by routeviews (ASpath: 2895 3267 8997).
> (results of quick query: where AS-path contained '3267 8997' update type =
> advertisement).
>
> I'm using another prefix monitoring tool and within a few minutes it notified
> me of this hijack for some of our prefixes:
> <>
>
> Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or
> Origin AS changed)
> detected 1 updates for your prefix 128.189.0.0/16 AS271:
> Update details: 2008-09-22 09:33 (UTC)
> 128.189.0.0/16
> Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System),
> Transit AS: AS3267 (RUNNET RUNNet)
> ASpath: 2895 3267 8997
>
> Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or
> Origin AS changed)
> detected 1 updates for your prefix 142.231.0.0/16 AS271:
> Update details: 2008-09-22 09:34 (UTC)
> 142.231.0.0/16
> Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System),
> Transit AS: AS3267 (RUNNET RUNNet)
> ASpath: 2895 3267 8997
>
> Cheers,
> Andree
Re: prefix hijack by ASN 8997
Hi,

.-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank Nussbacher wrote:

> I too spotted this via PHAS for a large number of prefixes, but have not
> received alerts from IAR, Watchmy.Net nor does RIPE RIS show this hijack:
> http://www.ris.ripe.net/perl-risapp/risearch.html I would have expected
> with so many RRC boxes that RIPE RIS would have caught it. I had thought
> it was a false positive from PHAS but now that you and others have seen
> it - I guess it is for real.

Not a false positive, It actually was detected by the RIS box in Moscow
(rrc13). Strange that it's not visible in RIS search website, but it's
definitely in the raw data files.
Looking at that raw data from both routeviews and Ripe, it looks like they
(AS8997) 'leaked' a full table, i.e. :
* 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895 3267 8997)
* 250495 seen by routeviews (ASpath: 2895 3267 8997).
(results of quick query: where AS-path contained '3267 8997' update type =
advertisement).

I'm using another prefix monitoring tool and within a few minutes it notified
me of this hijack for some of our prefixes:
<>

Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or
Origin AS changed)
detected 1 updates for your prefix 128.189.0.0/16 AS271:
Update details: 2008-09-22 09:33 (UTC)
128.189.0.0/16
Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System),
Transit AS: AS3267 (RUNNET RUNNet)
ASpath: 2895 3267 8997

Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or
Origin AS changed)
detected 1 updates for your prefix 142.231.0.0/16 AS271:
Update details: 2008-09-22 09:34 (UTC)
142.231.0.0/16
Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System),
Transit AS: AS3267 (RUNNET RUNNet)
ASpath: 2895 3267 8997

Cheers,
Andree
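Andree's "quick query" (AS path containing '3267 8997', update type = advertisement, run as egrep/awk/sort over the raw RIS and Route Views dumps) and Larry's Route Views numbers elsewhere in this thread (prefixes per leaking peer, first leaked announcement, first update with the correct path) are the same kind of pass over collector data. The script below is an added example written for this page, not Andree's, Larry's, RIS or Route Views code. It assumes `bgpdump -m` one-line records as input (announce: `BGP4MP|TIME|A|PEER_IP|PEER_AS|PREFIX|AS_PATH|ORIGIN|NEXT_HOP|...`; withdraw: `BGP4MP|TIME|W|PEER_IP|PEER_AS|PREFIX`); the sample lines are constructed, with RFC 5737 peer addresses and made-up times near the real 09:30 UTC event, and only the prefixes and AS numbers come from the thread.

```python
"""Replay the '3267 8997' leak query over bgpdump-style update records.

Added example for this thread; not code from RIS, Route Views or any poster.
Input layout assumed: `bgpdump -m` one-line records (see lead-in).
SAMPLE is constructed: RFC 5737 peer addresses, made-up timestamps.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

SAMPLE = """\
BGP4MP|1222075772|A|192.0.2.1|2895|72.234.0.0/15|2895 3267 8997|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1222075772|A|192.0.2.1|2895|128.189.0.0/16|2895 3267 8997|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1222075780|A|192.0.2.1|2895|142.231.0.0/16|2895 5431 3267 8997|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1222075790|A|192.0.2.2|3277|72.234.0.0/15|3277 3267 3267 8997|IGP|192.0.2.2|0|0||NAG||
BGP4MP|1222075800|A|192.0.2.3|174|72.234.0.0/15|174 209 36149|IGP|192.0.2.3|0|0||NAG||
BGP4MP|1222076202|A|192.0.2.1|2895|72.234.0.0/15|2895 3267 174 209 36149|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1222076569|W|192.0.2.1|2895|128.189.0.0/16
"""


@dataclass(frozen=True)
class Update:
    time: int
    kind: str                 # "A" announce, "W" withdraw
    peer_ip: str
    peer_as: int
    prefix: str
    as_path: tuple[int, ...]  # prepending collapsed, AS_SETs dropped; () for W


def parse_bgpdump_m(lines: Iterable[str]) -> list[Update]:
    """Parse `bgpdump -m` records; silently skip anything that is not A/W."""
    updates: list[Update] = []
    for line in lines:
        f = line.strip().split("|")
        if len(f) < 6 or f[0] != "BGP4MP" or f[2] not in ("A", "W"):
            continue
        hops: list[int] = []
        if f[2] == "A":
            for tok in f[6].split():
                if tok.startswith("{"):          # AS_SET member, not a hop
                    continue
                asn = int(tok)
                if not hops or hops[-1] != asn:  # collapse prepending
                    hops.append(asn)
        updates.append(Update(int(f[1]), f[2], f[3], int(f[4]), f[5], tuple(hops)))
    return updates


def is_leaked_path(path: tuple[int, ...], upstream: int, origin: int) -> bool:
    """Andree's match: the path ends in '<upstream> <origin>' (origin is last)."""
    return len(path) >= 2 and path[-1] == origin and path[-2] == upstream


@dataclass
class PathStats:
    prefixes: set[str] = field(default_factory=set)
    first_seen: int = 0
    last_seen: int = 0


def leak_by_path(updates: Iterable[Update], upstream: int = 3267,
                 origin: int = 8997) -> dict[tuple[int, ...], PathStats]:
    """Unique prefixes and time span for every full AS path carrying the leak."""
    stats: dict[tuple[int, ...], PathStats] = {}
    for u in updates:
        if u.kind != "A" or not is_leaked_path(u.as_path, upstream, origin):
            continue
        s = stats.setdefault(u.as_path, PathStats(first_seen=u.time, last_seen=u.time))
        s.prefixes.add(u.prefix)
        s.first_seen = min(s.first_seen, u.time)
        s.last_seen = max(s.last_seen, u.time)
    return stats


def recovery(updates: Iterable[Update], upstream: int = 3267,
             origin: int = 8997) -> dict[tuple[str, str], tuple[int, int | None]]:
    """Per (peer, prefix): when the leaked path first appeared and when that
    peer next sent something else for the prefix (clean path or withdrawal).
    None means no recovery was seen in the data."""
    leaked_at: dict[tuple[str, str], int] = {}
    recovered: dict[tuple[str, str], int] = {}
    for u in sorted(updates, key=lambda x: x.time):
        key = (u.peer_ip, u.prefix)
        if u.kind == "A" and is_leaked_path(u.as_path, upstream, origin):
            leaked_at.setdefault(key, u.time)
        elif key in leaked_at and key not in recovered:
            recovered[key] = u.time
    return {k: (t, recovered.get(k)) for k, t in leaked_at.items()}


if __name__ == "__main__":
    ups = parse_bgpdump_m(SAMPLE.splitlines())
    for path, s in leak_by_path(ups).items():
        print(" ".join(map(str, path)), len(s.prefixes), "prefixes",
              s.first_seen, "-", s.last_seen)
    for (peer, prefix), (t0, t1) in recovery(ups).items():
        print(peer, prefix, "leaked at", t0, "recovered at", t1)
```

Against real collector data, feed `bgpdump -m updates.20080922.0930.bz2` line by line into `parse_bgpdump_m`; the prepending collapse matters because a `3277 3267 3267 8997` path is the same leak as `3277 3267 8997`, and matching on the path tail rather than a substring avoids counting a path where 3267 and 8997 merely appear somewhere in the middle.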
Re: prefix hijack by ASN 8997
Bgplay on routeviews, not the ripe one :)

Christian

On 9/23/08, Hank Nussbacher <[EMAIL PROTECTED]> wrote:
> On Mon, 22 Sep 2008, Christian Koch wrote:
>
> Strange that RIPE RIS search doesn't show it:
> http://www.ris.ripe.net/perl-risapp/risearch.html
> but yet you say BGPlay does show it.
>
> -Hank
>
>> I received a phas notification about this today as well...
>>
>> I couldn't find any relevant data confirming the announcement of one
>> of my /19 blocks, until a few minutes ago when i checked the route
>> views bgplay (ripe bgplay turns up nothing) and can now see 8997
>> announcing and quickly withdrawing my prefix
>>
>> On Mon, Sep 22, 2008 at 9:06 PM, Scott Weeks <[EMAIL PROTECTED]>
>> wrote:
>>>
>>> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15
>>> (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in
>>> Russia) using ASN 3267 (Russian Federal University Network) to
>>> advertise our space to ASN 3277 (Regional University and Scientific
>>> Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).
>>>
>>> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put
>>> in prefix 72.234.0.0/15 and select the dates:
>>>
>>> 22/9/2008 9:00:00 and 22/9/2008 15:00:00
>>>
>>> If so, am I understanding it correctly if I say ASN 3267 saw a shorter
>>> path from ASN 8997, so refused the proper announcement from ASN 36149
>>> (me) it normally hears from ASN 174 (Cogent).
>>>
>>> If the above two are correct, would it be correct to say only the
>>> downstream customers of ASN 3267 were affected?
>>>
>>> scott

--
Sent from my mobile device
Re: prefix hijack by ASN 8997
At first glance this morning not seeing any data between the gain and lost
alerts from phas and inability to find a route in any of the many collectors
and route servers out there I had thought it was possibly a fat finger mistake
by 8997 or a false positive.

After locating the data in bgplay/rviews, and noticing how many more people
this occurred to I'm leaning towards 2 possible scenarios:

1 - bgp misconfigurations leading to leaks (Depends on the overall scale of
how many other prefixes were possibly announced)

2 - 8997 began announcing prefixes as an experiment to "test the waters" for
potential real hijacks in future... 'geography' hints towards #2

Or both theories could be way off :)

I'd be interested to know if Renesys collected any data that might give some
better insight to this...

Christian

On 9/23/08, Justin Shore <[EMAIL PROTECTED]> wrote:
> Looking up some of my prefixes in PHAS and BGPPlay, I too see my
> prefixes being advertised by 8997 for a short time. It looks like it
> happened around 1222091563 according to PHAS.
>
> Was this a mistake or something else?
>
> Justin
>
>
> Christian Koch wrote:
>> I received a phas notification about this today as well...
>>
>> I couldn't find any relevant data confirming the announcement of one
>> of my /19 blocks, until a few minutes ago when i checked the route
>> views bgplay (ripe bgplay turns up nothing) and can now see 8997
>> announcing and quickly withdrawing my prefix
>>
>> On Mon, Sep 22, 2008 at 9:06 PM, Scott Weeks <[EMAIL PROTECTED]>
>> wrote:
>>>
>>> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15
>>> (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in
>>> Russia) using ASN 3267 (Russian Federal University Network) to
>>> advertise our space to ASN 3277 (Regional University and Scientific
>>> Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).
>>>
>>> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put
>>> in prefix 72.234.0.0/15 and select the dates:
>>>
>>> 22/9/2008 9:00:00 and 22/9/2008 15:00:00
>>>
>>> If so, am I understanding it correctly if I say ASN 3267 saw a shorter
>>> path from ASN 8997, so refused the proper announcement from ASN 36149
>>> (me) it normally hears from ASN 174 (Cogent).
>>>
>>> If the above two are correct, would it be correct to say only the
>>> downstream customers of ASN 3267 were affected?
>>>
>>> scott

--
Sent from my mobile device
Re: prefix hijack by ASN 8997
On Mon, 22 Sep 2008, Christian Koch wrote:

Strange that RIPE RIS search doesn't show it:
http://www.ris.ripe.net/perl-risapp/risearch.html
but yet you say BGPlay does show it.

-Hank

> I received a phas notification about this today as well...
>
> I couldn't find any relevant data confirming the announcement of one
> of my /19 blocks, until a few minutes ago when i checked the route
> views bgplay (ripe bgplay turns up nothing) and can now see 8997
> announcing and quickly withdrawing my prefix
>
> On Mon, Sep 22, 2008 at 9:06 PM, Scott Weeks <[EMAIL PROTECTED]> wrote:
>> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15
>> (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in
>> Russia) using ASN 3267 (Russian Federal University Network) to
>> advertise our space to ASN 3277 (Regional University and Scientific
>> Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).
>>
>> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put
>> in prefix 72.234.0.0/15 and select the dates:
>>
>> 22/9/2008 9:00:00 and 22/9/2008 15:00:00
>>
>> If so, am I understanding it correctly if I say ASN 3267 saw a shorter
>> path from ASN 8997, so refused the proper announcement from ASN 36149
>> (me) it normally hears from ASN 174 (Cogent).
>>
>> If the above two are correct, would it be correct to say only the
>> downstream customers of ASN 3267 were affected?
>>
>> scott
Re: prefix hijack by ASN 8997
On Mon, 22 Sep 2008, Scott Weeks wrote:

I too spotted this via PHAS for a large number of prefixes, but have not
received alerts from IAR, Watchmy.Net nor does RIPE RIS show this hijack:
http://www.ris.ripe.net/perl-risapp/risearch.html
I would have expected with so many RRC boxes that RIPE RIS would have caught
it. I had thought it was a false positive from PHAS but now that you and
others have seen it - I guess it is for real.

-Hank

> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and
> another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia)
> using ASN 3267 (Russian Federal University Network) to advertise our space
> to ASN 3277 (Regional University and Scientific Network (RUSNet) of
> North-Western and Saint-Petersburg Area of Russia).
>
> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put in
> prefix 72.234.0.0/15 and select the dates:
>
> 22/9/2008 9:00:00 and 22/9/2008 15:00:00
>
> If so, am I understanding it correctly if I say ASN 3267 saw a shorter path
> from ASN 8997, so refused the proper announcement from ASN 36149 (me) it
> normally hears from ASN 174 (Cogent).
>
> If the above two are correct, would it be correct to say only the
> downstream customers of ASN 3267 were affected?
>
> scott
Re: prefix hijack by ASN 8997
Looking up some of my prefixes in PHAS and BGPPlay, I too see my prefixes being
advertised by 8997 for a short time. It looks like it happened around
1222091563 according to PHAS.

Was this a mistake or something else?

Justin

Christian Koch wrote:
> I received a phas notification about this today as well...
>
> I couldn't find any relevant data confirming the announcement of one
> of my /19 blocks, until a few minutes ago when i checked the route
> views bgplay (ripe bgplay turns up nothing) and can now see 8997
> announcing and quickly withdrawing my prefix
>
> On Mon, Sep 22, 2008 at 9:06 PM, Scott Weeks <[EMAIL PROTECTED]> wrote:
>> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15
>> (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in
>> Russia) using ASN 3267 (Russian Federal University Network) to
>> advertise our space to ASN 3277 (Regional University and Scientific
>> Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).
>>
>> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put
>> in prefix 72.234.0.0/15 and select the dates:
>>
>> 22/9/2008 9:00:00 and 22/9/2008 15:00:00
>>
>> If so, am I understanding it correctly if I say ASN 3267 saw a shorter
>> path from ASN 8997, so refused the proper announcement from ASN 36149
>> (me) it normally hears from ASN 174 (Cogent).
>>
>> If the above two are correct, would it be correct to say only the
>> downstream customers of ASN 3267 were affected?
>>
>> scott
Re: prefix hijack by ASN 8997
On Mon, Sep 22, 2008 at 21:06, Scott Weeks <[EMAIL PROTECTED]> wrote:
>
> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and
> another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia)
> using ASN 3267 (Russian Federal University Network) to advertise our space to
> ASN 3277 (Regional University and Scientific Network (RUSNet) of
> North-Western and Saint-Petersburg Area of Russia).

Yep, saw this for 69.61.0.0/17 GlobalCompass (my upstream) this AM:

SEQUENCE_NUMBER: 1222091638
TYPE: last-hop
BGP-UPDATE-TIME: 1222075864
PHAS-DETECT-TIME: 1222091637
PHAS-NOTIFY-TIME: 1222091637
PREFIX: 69.61.0.0/17
SET: 3561,3267,3356,3491
GAINED: 3267 <- Russian Federal University Network
LOST:

SEQUENCE_NUMBER: 1222091638
TYPE: origin
BGP-UPDATE-TIME: 1222075864
PHAS-DETECT-TIME: 1222091637
PHAS-NOTIFY-TIME: 1222091637
PREFIX: 69.61.0.0/17
SET: 8997,22653
GAINED: 8997 <- OJSC North-West Telecom, St.-Petersburg, Russia
LOST:

SEQUENCE_NUMBER: 1222096125
TYPE: origin
BGP-UPDATE-TIME: 1222076569
PHAS-DETECT-TIME: 1222092415
PHAS-NOTIFY-TIME: 1222096124
PREFIX: 69.61.0.0/17
SET: 22653 <- GlobalCrossing
GAINED:
LOST: 8997

-Jim P.
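Jim's PHAS records above show the origin of 69.61.0.0/17 flipping to 8997 and back. As an added example (not PHAS code, nor anything posted in this thread), the Python below parses records in that format, flags origin ASNs outside an operator-supplied expected set per prefix, and uses the two BGP-UPDATE-TIME values to measure how long the unexpected origin was visible; the expected-origin map is an assumption the operator would maintain.

```python
# Added example, not PHAS code: parse PHAS-style notifications in the record
# format quoted in the thread, flag unexpected origin ASNs, and measure how long
# the unexpected origin stayed visible. SAMPLE is constructed from the two
# 'origin' records above (PHAS-DETECT-TIME left out; unused keys stay as text).
SAMPLE = """\
SEQUENCE_NUMBER: 1222091638
TYPE: origin
BGP-UPDATE-TIME: 1222075864
PHAS-NOTIFY-TIME: 1222091637
PREFIX: 69.61.0.0/17
SET: 8997,22653
GAINED: 8997
LOST:

SEQUENCE_NUMBER: 1222096125
TYPE: origin
BGP-UPDATE-TIME: 1222076569
PHAS-NOTIFY-TIME: 1222096124
PREFIX: 69.61.0.0/17
SET: 22653
GAINED:
LOST: 8997
"""
AS_FIELDS = ("SET", "GAINED", "LOST")
INT_FIELDS = ("SEQUENCE_NUMBER", "BGP-UPDATE-TIME", "PHAS-NOTIFY-TIME")

def parse_notifications(text):
    """One dict per blank-line-separated record; AS lists become frozensets of ints."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in chunk.splitlines())}
        for k in AS_FIELDS:  # drop a trailing '<- annotation' as in the quoted alerts
            rec[k] = frozenset(int(a) for a in rec[k].split("<-")[0].split(",") if a.strip())
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        records.append(rec)
    return records

def unexpected_origins(records, expected):
    """(seq, prefix, bad ASNs) for each origin record whose SET leaves expected[prefix]."""
    out = []
    for r in records:
        bad = r["SET"] - expected.get(r["PREFIX"], frozenset())
        if r["TYPE"] == "origin" and bad:
            out.append((r["SEQUENCE_NUMBER"], r["PREFIX"], bad))
    return out

def exposure_seconds(records, prefix, asn):
    """Seconds from the BGP update that gained asn to the one that lost it, else None."""
    gained = [r["BGP-UPDATE-TIME"] for r in records if r["PREFIX"] == prefix and asn in r["GAINED"]]
    lost = [r["BGP-UPDATE-TIME"] for r in records if r["PREFIX"] == prefix and asn in r["LOST"]]
    return min(lost) - min(gained) if gained and lost else None
```

On the two records quoted above the exposure comes to 705 seconds, under twelve minutes, while PHAS-NOTIFY-TIME trails BGP-UPDATE-TIME by more than four hours, which is why the alerts arrived in the morning for an event at about 09:30 UTC.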
Re: prefix hijack by ASN 8997
about 09:30 UTC per rviews

On Mon, Sep 22, 2008 at 9:31 PM, Scott Weeks <[EMAIL PROTECTED]> wrote:
>
> --Scott Weeks <[EMAIL PROTECTED]> wrote: ---
>
>> I am hoping to confirm a short-duration prefix hijack
>
> -
>
> --- [EMAIL PROTECTED] wrote: ---
> From: "Christian Koch" <[EMAIL PROTECTED]>
>
> I couldn't find any relevant data confirming the announcement of one
> of my /19 blocks, until a few minutes ago when i checked the route
> views bgplay (ripe bgplay turns up nothing) and can now see 8997
> announcing and quickly withdrawing my prefix
> -
>
> At what time did you see it?
>
> scott
Re: prefix hijack by ASN 8997
--Scott Weeks <[EMAIL PROTECTED]> wrote: ---
> I am hoping to confirm a short-duration prefix hijack
-

--- [EMAIL PROTECTED] wrote: ---
From: "Christian Koch" <[EMAIL PROTECTED]>

I couldn't find any relevant data confirming the announcement of one of my /19 blocks, until a few minutes ago when i checked the route views bgplay (ripe bgplay turns up nothing) and can now see 8997 announcing and quickly withdrawing my prefix
-

At what time did you see it?

scott
Re: prefix hijack by ASN 8997
I received a phas notification about this today as well...

I couldn't find any relevant data confirming the announcement of one of my /19 blocks, until a few minutes ago when i checked the route views bgplay (ripe bgplay turns up nothing) and can now see 8997 announcing and quickly withdrawing my prefix

On Mon, Sep 22, 2008 at 9:06 PM, Scott Weeks <[EMAIL PROTECTED]> wrote:
>
> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and
> another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia)
> using ASN 3267 (Russian Federal University Network) to advertise our space to
> ASN 3277 (Regional University and Scientific Network (RUSNet) of
> North-Western and Saint-Petersburg Area of Russia).
>
> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put in
> prefix 72.234.0.0/15 and select the dates:
>
> 22/9/2008 9:00:00 and 22/9/2008 15:00:00
>
> If so, am I understanding it correctly if I say ASN 3267 saw a shorter path
> from ASN 8997, so refused the proper announcement from ASN 36149 (me) it
> normally hears from ASN 174 (Cogent)?
>
> If the above two are correct, would it be correct to say only the downstream
> customers of ASN 3267 were affected?
>
> scott
prefix hijack by ASN 8997
I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia) using ASN 3267 (Russian Federal University Network) to advertise our space to ASN 3277 (Regional University and Scientific Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).

Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put in prefix 72.234.0.0/15 and select the dates:

22/9/2008 9:00:00 and 22/9/2008 15:00:00

If so, am I understanding it correctly if I say ASN 3267 saw a shorter path from ASN 8997, so refused the proper announcement from ASN 36149 (me) it normally hears from ASN 174 (Cogent)?

If the above two are correct, would it be correct to say only the downstream customers of ASN 3267 were affected?

scott