On Thu, Aug 31, 2017 at 1:23 PM, Steve Feldman <feld...@twincreeks.net> wrote:
> Interesting. We also got similar BGPMon alerts about disaggregated
> portions of a couple of our prefixes. I didn't see any of the bad prefixes
> in route-views, though.
>
> The AS paths in the alerts started with "131477 38478 ..." and looked
> valid after that. Job's suggestion would explain that.
>

Looking back at a bunch of historical route leak incidents... they often
seem to be this sort of thing :(

I think I normally term them "Internap box problems". I think Internap
doesn't even really sell that product anymore though :( so now I'll call
them 'Noction problems' instead, I guess.

Lack of outbound route filtering can be painful yo!

> Steve
>
>
> On Aug 31, 2017, at 10:01 AM, Job Snijders <j...@instituut.net> wrote:
> >
> > Hi Andy,
> >
> > It smells like someone in 38478 or 131477 is using Noction or some other
> > BGP "optimizer" that injects hijacks for the purpose of traffic
> > engineering. :-(
> >
> > Kind regards,
> >
> > Job
> >
> > On Thu, 31 Aug 2017 at 19:38, Andy Litzinger <andy.litzinger.li...@gmail.com>
> > wrote:
> >
> >> Hello,
> >> we use BGPMon.net to monitor our BGP announcements. This morning we
> >> received two possible BGP MITM alerts for two of our prefixes detected
> >> by a single BGPMon probe located in China. I've reached out to BGPMon
> >> to see how much credence I should give to an alert from a single probe
> >> location, but I'm interested in community feedback as well.
> >>
> >> The alert detailed that one of our /23 prefixes has been broken into /24
> >> specifics and the AS Path shows a peering relationship with us that does
> >> not exist:
> >> 131477(Shanghai Huajan) 38478(Sunny Vision LTD) 3491(PCCW Global) 14042 (me)
> >>
> >> We do not peer directly with PCCW Global. I'm going to reach out to them
> >> directly to see if they may have done anything by accident, but presuming
> >> they haven't and the path is spoofed, can I prove that? How can I detect
> >> if traffic is indeed swinging through that hijacked path? How worried
> >> should I be and what are my options for resolving the situation?
> >>
> >> thanks!
> >> -andy
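
[Added example, not written by anyone in this thread.] A sketch of the control-plane check behind the kind of alert Andy describes: flag announcements that are more-specifics of a monitored prefix, or whose AS path puts a non-upstream AS next to the origin. The prefix, the upstream ASNs and the sample updates are constructed placeholders; only AS 14042 and the "131477 38478 3491 14042" path come from the thread.

```python
import ipaddress

# Constructed monitoring config: benchmark address space and documentation
# ASNs stand in for the real prefix and upstreams, which the thread omits.
MY_ASN = 14042
MY_PREFIXES = [ipaddress.ip_network("198.18.0.0/23")]
MY_UPSTREAMS = {64500, 64501}

def check_update(prefix, as_path):
    """Return a list of findings for one observed announcement."""
    net = ipaddress.ip_network(prefix)
    path = [int(asn) for asn in as_path.split()]
    findings = []
    if not path:
        return findings
    for mine in MY_PREFIXES:
        # Only announcements equal to or inside a monitored prefix matter.
        if net.version != mine.version or not net.subnet_of(mine):
            continue
        if net.prefixlen > mine.prefixlen:
            findings.append("more-specific of %s" % mine)
        if path[-1] != MY_ASN:
            findings.append("unexpected origin AS%d" % path[-1])
            continue
        # Collapse prepending, then inspect the AS adjacent to the origin.
        dedup = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
        if len(dedup) > 1 and dedup[-2] not in MY_UPSTREAMS:
            findings.append("origin adjacent to non-upstream AS%d" % dedup[-2])
    return findings

# Constructed sample updates: one legitimate /23, the two /24s with the
# AS path quoted in the thread, and one unrelated prefix.
SAMPLE_UPDATES = [
    ("198.18.0.0/23", "64510 64500 14042"),
    ("198.18.0.0/24", "131477 38478 3491 14042"),
    ("198.18.1.0/24", "131477 38478 3491 14042"),
    ("192.0.2.0/24", "64510 64502"),
]

def scan(updates):
    """Map each suspicious (prefix, path) pair to its findings."""
    return {(p, path): f for p, path in updates if (f := check_update(p, path))}

if __name__ == "__main__":
    for (p, path), f in scan(SAMPLE_UPDATES).items():
        print(p, "|", path, "|", "; ".join(f))
```

This only examines announcements as seen by a collector or probe; it says nothing about whether data-plane traffic actually follows the announced path.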