Re: BGP Optimizers (Was: Validating possible BGP MITM attack)

2018-05-21 Thread Francois Devienne
Hi Job, I believe your disclaimer makes a lot of sense. From our perspective using more specifics is one of the options to make BGP follow the optimized path instead of the « natural » path. We used to be doing more specifics because with the same prefix being announced, we were simply not

Re: BGP Optimizers (Was: Validating possible BGP MITM attack)

2018-05-17 Thread Job Snijders
Dear Francois, On Thu, May 17, 2018 at 10:14:19AM +, Francois Devienne wrote: > The examples you mention confirm the issues are mainly due to poorly > configured networks where routes are leaked out although they > shouldn’t be. Adequate routers are able to filter out prefixes based > on

Re: BGP Optimizers (Was: Validating possible BGP MITM attack)

2017-09-14 Thread Colin Petrie
On 31/08/17 22:06, Job Snijders wrote: > I strongly recommend to turn off those BGP optimizers, glue the ports > shut, burn the hardware, and salt the grounds on which the BGP optimizer > sales people walked. Yes. > p.s. providing a publicly available BGP looking glass will contribute > to

Re: BGP Optimizers (Was: Validating possible BGP MITM attack)

2017-09-01 Thread Tom Paseka via NANOG
We regularly see poorly configured "optimizers" or networks hijacking our prefixes (originating /25's, /24 of /23's etc). Thankfully, most of the time filters are in place to stop them leaking badly, but I agree, these are toxic. -Tom On Fri, Sep 1, 2017 at 6:06 AM, Job Snijders

Re: BGP Optimizers (Was: Validating possible BGP MITM attack)

2017-08-31 Thread Large Hadron Collider
s http://www.ics-il.com Midwest-IX http://www.midwest-ix.com - Original Message - From: "Mike Hammett" <na...@ics-il.net> Cc: nanog@nanog.org Sent: Thursday, August 31, 2017 8:55:46 PM Subject: Re: BGP Optimizers (Was: Validating possible BGP MITM attack) I would like to use a

Re: BGP Optimizers (Was: Validating possible BGP MITM attack)

2017-08-31 Thread Mike Hammett
http://www.midwest-ix.com - Original Message - From: "Mike Hammett" <na...@ics-il.net> Cc: nanog@nanog.org Sent: Thursday, August 31, 2017 9:02:07 PM Subject: Re: BGP Optimizers (Was: Validating possible BGP MITM attack) Actually, I do remember that one of the

Re: BGP Optimizers (Was: Validating possible BGP MITM attack)

2017-08-31 Thread Mike Hammett
://www.midwest-ix.com - Original Message - From: "Mike Hammett" <na...@ics-il.net> Cc: nanog@nanog.org Sent: Thursday, August 31, 2017 8:55:46 PM Subject: Re: BGP Optimizers (Was: Validating possible BGP MITM attack) I would like to use a BGP optimizer,

Re: BGP Optimizers (Was: Validating possible BGP MITM attack)

2017-08-31 Thread Mike Hammett
idating possible BGP MITM attack) Dear all, disclaimer: [ The following is targeted at the context where a BGP optimizer generates BGP announcements that are ordinarily not seen in the Default-Free Zone. The OP indicated they announce a /23, and were unpleasantly surprised to see

BGP Optimizers (Was: Validating possible BGP MITM attack)

2017-08-31 Thread Job Snijders
Dear all, disclaimer: [ The following is targeted at the context where a BGP optimizer generates BGP announcements that are ordinarily not seen in the Default-Free Zone. The OP indicated they announce a /23, and were unpleasantly surprised to see two unauthorized announcements

Re: Validating possible BGP MITM attack

2017-08-31 Thread Andy Litzinger
FYI - I did get a response back from BGPMon- they concur with Job: "Hi Andy, unfortunately we had a peer sending us polluted BGP views. Most likely using a BGP optimizer that is making up new paths. We've reached out to 131477 and dropped the session with them. This was most likely 131477

Re: Validating possible BGP MITM attack

2017-08-31 Thread Andy Litzinger
Hi Steve and Job, Same here- I didn't actually see my prefixes leaked anywhere I could check, but I couldn't check near China where BGPmon's probe was complaining. So I was glad it didn't seem to be spreading, but still concerned that there may have been a large area (China) where my traffic

Re: Validating possible BGP MITM attack

2017-08-31 Thread Christopher Morrow
On Thu, Aug 31, 2017 at 1:23 PM, Steve Feldman wrote: > Interesting. We also got similar BGPMon alerts about disaggregated > portions of a couple of our prefixes. I didn't see any of the bad prefixes in > route-views, though. > > The AS paths in the alerts started with

Re: Validating possible BGP MITM attack

2017-08-31 Thread Steve Feldman
Interesting. We also got similar BGPMon alerts about disaggregated portions of a couple of our prefixes. I didn't see any of the bad prefixes in route-views, though. The AS paths in the alerts started with "131477 38478 ..." and looked valid after that. Job's suggestion would explain that.

Re: Validating possible BGP MITM attack

2017-08-31 Thread Job Snijders
Hi Andy, It smells like someone in 38478 or 131477 is using Noction or some other BGP "optimizer" that injects hijacks for the purpose of traffic engineering. :-( Kind regards, Job On Thu, 31 Aug 2017 at 19:38, Andy Litzinger wrote: > Hello, > we use

Validating possible BGP MITM attack

2017-08-31 Thread Andy Litzinger
Hello, we use BGPMon.net to monitor our BGP announcements. This morning we received two possible BGP MITM alerts for two of our prefixes detected by a single BGPMon probe located in China. I've reached out to BGPMon to see how much credence I should give to an alert from a single probe