Re: BGP Hijack/Sickness with AS4637

Alain Hebert Thu, 31 May 2018 07:32:07 -0700

    Thanks for the ideas and the hint.  Good read.


    Will do.

PS: Still curious how, beside some RIB/FIB failure, how our ASended up there.


-----
Alain Hebert                                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 05/31/18 10:15, Job Snijders wrote:

On Thu, May 31, 2018 at 09:49:47AM -0400, Alain Hebert wrote:

Well bad news on the ColoAU front, they refused to cooperate.

We'll pushback thru our GTT accounts...  But I'm running out of ideas.

If anyone has any good ideas how to proceed at this point feel free to
share =D.

This feels like a BGP "optimiser" at work inside AS 4637.

>From the https://lg.coloau.com.au/ looking glass:

BGP 'show route'
     18.29.238.0/23  *[BGP/170] 1w0d 18:49:44, localpref 90, from 103.97.52.2
                     AS path: 4637 3257 29909 16532 16532 16532 16532 I, 
validation-state: unverified

However, a data-plane traceroute:

     AS path: 4637 -> 174 ->  ...

     traceroute to 18.29.238.1 (18.29.238.1), 30 hops max, 40 byte packets
      1  103.52.116.49 (103.52.116.49)  114.573 ms  113.965 ms  117.141 ms
          MPLS Label=691873 CoS=0 TTL=1 S=0
          MPLS Label=17 CoS=0 TTL=1 S=1
      2  202.127.69.34 (202.127.69.34)  113.768 ms  113.763 ms  113.731 ms
      3  202.84.148.113 (202.84.148.113) [AS  4637]  114.759 ms  117.956 ms  
115.796 ms
      4  202.84.141.13 (202.84.141.13) [AS  4637]  181.873 ms 202.84.141.169 
(202.84.141.169) [AS  4637]  181.618 ms  182.688 ms
      5  202.84.253.82 (202.84.253.82) [AS  4637]  181.949 ms 202.40.149.226 
(202.40.149.226) [AS  4637]  183.194 ms 202.84.253.82 (202.84.253.82) [AS  
4637]  201.282 ms
      6  154.54.10.133 (154.54.10.133) [AS  174]  181.055 ms  181.100 ms  
181.065 ms
      7  154.54.27.117 (154.54.27.117) [AS  174]  175.410 ms  182.956 ms 
154.54.3.69 (154.54.3.69) [AS  174]  175.176 ms
      8  154.54.45.161 (154.54.45.161) [AS  174]  212.531 ms 154.54.44.85 
(154.54.44.85) [AS  174]  202.470 ms  187.361 ms
      9  154.54.42.78 (154.54.42.78) [AS  174]  195.585 ms  195.812 ms 
154.54.42.66 (154.54.42.66) [AS  174]  211.713 ms
     10  154.54.30.161 (154.54.30.161) [AS  174]  235.896 ms  216.173 ms  
211.246 ms
     11  154.54.28.129 (154.54.28.129) [AS  174]  233.516 ms  225.413 ms  
225.551 ms
     12  154.54.24.221 (154.54.24.221) [AS  174]  236.432 ms  236.701 ms  
236.595 ms
     13  154.54.40.109 (154.54.40.109) [AS  174]  273.564 ms  279.452 ms  
248.212 ms
     14  154.54.46.33 (154.54.46.33) [AS  174]  248.098 ms  247.802 ms  248.084 
ms
     15  * * *

Discongruity between RIB and FIB like this, and the hijack being a
more-specific of a /16, is a typical sign of BGP 'optimisers'.

I recommend you reach out to AUSNOG and APOPS and hope someone there
knows someone at Telstra Hong Kong.

More thoughts on BGP optimisers: http://seclists.org/nanog/2017/Aug/318

Kind regards,

Job

Re: BGP Hijack/Sickness with AS4637

Reply via email to