Re: BGPMON Alert Questions

On Thu, Apr 10, 2014 at 9:26 AM, Mark Tinka wrote: > On Thursday, April 10, 2014 12:30:51 PM Randy Bush wrote: > > > as folk start to roll out rejection of invalids, we might > > think about how we report problems with folk registering > > inadequate roas, covering their customers, covering > > t

Re: BGPMON Alert Questions

On Thursday, April 10, 2014 12:30:51 PM Randy Bush wrote: > as folk start to roll out rejection of invalids, we might > think about how we report problems with folk registering > inadequate roas, covering their customers, covering > their deaggs (maybe deaggs get what they deserve), etc. > if the

Re: BGPMON Alert Questions

as folk start to roll out rejection of invalids, we might think about how we report problems with folk registering inadequate roas, covering their customers, covering their deaggs (maybe deaggs get what they deserve), etc. if they are not clued enough to generate prudent roas, they will not be clu

Re: BGPMON Alert Questions

On Thursday, April 10, 2014 09:18:34 AM Randy Bush wrote: > in our measurements, an rpki-based origin check is > significantly faster than an acl of non-trivial length. Ultimately, at some point in the future, it is not completely unreasonable to think that some operators could attempt control

Re: BGPMON Alert Questions

> Yes, we don't validate those prefixes cause we filter them strict. in our measurements, an rpki-based origin check is significantly faster than an acl of non-trivial length. randy

Re: BGPMON Alert Questions

On Tuesday, April 08, 2014 01:20:23 PM Jac Kloots wrote: > Yes, we don't validate those prefixes cause we filter > them strict. We know from all our customers which > prefixes they use so we have prefix-filters placed on > all their connections. Good point. We do both - prefix list + AS_PATH fil

Re: BGPMON Alert Questions

Mark, On Tue, 8 Apr 2014, Mark Tinka wrote: On Tuesday, April 08, 2014 11:24:07 AM Jac Kloots wrote: We (SURFnet, AS1103) are in the same position and I wrote an article about the evaluation we did before deciding on dropping invalids (https://blog.surfnet.nl/?p=3159) Sounds great, Jac! I

Re: BGPMON Alert Questions

On Tuesday, April 08, 2014 11:24:07 AM Jac Kloots wrote: > We (SURFnet, AS1103) are in the same position and I wrote > an article about the evaluation we did before deciding > on dropping invalids (https://blog.surfnet.nl/?p=3159) Sounds great, Jac! In your report, you mention that you're not va

Re: BGPMON Alert Questions

Hi Mark, On Thu, 3 Apr 2014, Mark Tinka wrote: On Thursday, April 03, 2014 02:22:44 AM Randy Bush wrote: and, btw, how many of those whose prefixes were mis-originated had registered those prefixes in the rpki? It is probably a bit of a hammer at this stage, but we are in limited deploymen

Re: BGPMON Alert Questions

On Sunday, April 06, 2014 02:34:47 PM Sharon Goldberg wrote: > But naturally it's harder to see who has turned on origin > validation. Indeed, especially since there is no co-relation between providers issuing ROA's for their own allocations and turning on origin validation in their network. M

Re: BGPMON Alert Questions

On Sat, Apr 5, 2014 at 7:11 AM, Mark Tinka wrote: > > So do you know whether anyone has any idea about what the > top 10 global carriers are doing re: RPKI? > > Thinking? Justifying? Testing? Ignoring? > These looking glasses are helpful: http://www.labs.lacnic.net/rpkitools/looking_glass/ http:/

Re: BGPMON Alert Questions

On Friday, April 04, 2014 05:17:36 PM Sharon Goldberg wrote: > Right, we didn't include that in our analysis because we > didn't have a good sense for how many ISPs actually do > filter their downstream downstreams. So we chose to give > a conservative estimate of the impact of prefix > filtering

Re: BGPMON Alert Questions

On Friday, April 04, 2014 12:31:35 PM Benno Overeinder wrote: > With ROAs published and a small percentage (order of 5%) > of the largest ISPs doing route origin validation, this > would filter the incorrect announcement and result in > about ~98% globally correct routes in the 35000 ASes > (this

Re: BGPMON Alert Questions

On Friday, April 04, 2014 09:58:42 AM Vitkovský Adam wrote: > I wonder when (or if ever) we'll have such a discussion > about data packets, i.e. finding that someone is not > doing packet-filtering based on BGP updates is > absolutely and unacceptably shocking! Well, filtering in the data plane i

Re: BGPMON Alert Questions

On Fri, Apr 4, 2014 at 11:17 AM, Sharon Goldberg wrote> > > > Actually, since this is NANOG, might as well ask: > > Do you all view filtering your downstream's downstreams as much more > difficult than filtering only downstreams, or only stub ASes? Do you have > a sense for how many networks fil

Re: BGPMON Alert Questions

On 04/04/2014 16:17, Sharon Goldberg wrote: > we assumed that no one filters their downstreams downstreams. plenty of organisations do this. it can easily be done with irrdb AS sets. Nick

Re: BGPMON Alert Questions

On Fri, Apr 4, 2014 at 1:15 AM, Mark Tinka wrote: > On Friday, April 04, 2014 05:06:22 AM Sharon Goldberg wrote: > > > We also looked at prefix filtering and found that it has > > better partial deployment characteristics. Our analysis > > assumed that ISPs only filter routes from their *stub* >

Re: BGPMON Alert Questions

On 04/04/2014 05:06 AM, Sharon Goldberg wrote: > Finally, like Randy says, RPKI deploys quite different from BGPSEC. My > intuition says that (1) once the RPKI is fully populated with ROAs for all > originated prefixes, then (2) a partial deployment of origin validation at > a few large ISPs should

RE: BGPMON Alert Questions

> That Upstream B is simply "accepting everything" > their customer is sending to them without applying proper filters, or checking > to confirm that what their customer needs to send them should come from > them is absolutely and unacceptably shocking! I wonder when (or if ever) we'll have such a

Re: BGPMON Alert Questions

On Friday, April 04, 2014 05:06:22 AM Sharon Goldberg wrote: > We also looked at prefix filtering and found that it has > better partial deployment characteristics. Our analysis > assumed that ISPs only filter routes from their *stub* > customers. (We defined a stub an AS that does not have > its

Re: BGPMON Alert Questions

On Thu, Apr 3, 2014 at 8:50 PM, Randy Bush wrote: > > > Good point, which makes me ask: So which 5 to 10 networks, > > implementing source validation, could result in the greatest > > "coverage" or "protection" for the largest part of the Internet > > to the best of my knowledge, no one has looked

Re: BGPMON Alert Questions

> Good point, which makes me ask: So which 5 to 10 networks, > implementing source validation, could result in the greatest > "coverage" or "protection" for the largest part of the Internet to the best of my knowledge, no one has looked at this for origin validation. sharon goldberg and co-conspi

Re: BGPMON Alert Questions

>> one nice thing about origin validation is that anyone who validates >> anywhere on the internet can reject the mis-origination(s). > +1. a non-op sec person who follows nanog in read-only mode pointed out in private email that this is a subtle difference from prefix filtering. in general, i can

Re: BGPMON Alert Questions

On Thu, Apr 3, 2014 at 2:31 PM, Tony Tauber wrote: > On Thu, Apr 3, 2014 at 11:13 AM, Christopher Morrow > wrote: > I know this old saw and sales people will apply pressure to Ops if their > customers balk at the extra overhead. > The time is now to push back, hard, against that practice. > I re

Re: BGPMON Alert Questions

On Thu, Apr 3, 2014 at 11:13 AM, Christopher Morrow wrote: > On Thu, Apr 3, 2014 at 11:05 AM, Mark Tinka wrote: > > On Thursday, April 03, 2014 03:55:11 PM Christopher Morrow > > wrote: > > > >> I'm going to guess: > >> 1) who's going to pay for the filtering setup work? > > > > Well, your cus

Re: BGPMON Alert Questions

On Thursday, April 03, 2014 05:13:40 PM Christopher Morrow wrote: > I think you mean they are paying me to carry their bits > across the network... and they are paying me to do it > with minimal hassle to THEM... telling me prefixes to > add to their list is hassle. Agree - but, as an operator,

Re: BGPMON Alert Questions

On Thu, Apr 3, 2014 at 11:05 AM, Mark Tinka wrote: > On Thursday, April 03, 2014 03:55:11 PM Christopher Morrow > wrote: > >> I'm going to guess: >> 1) who's going to pay for the filtering setup work? > > Well, your customers are paying you to ensure they don't get > cut off due to your negligen

Re: BGPMON Alert Questions

On Thursday, April 03, 2014 03:55:11 PM Christopher Morrow wrote: > I'm going to guess: > 1) who's going to pay for the filtering setup work? Well, your customers are paying you to ensure they don't get cut off due to your negligence. You also don't want to become a "watch-out-for-that-one"

Re: BGPMON Alert Questions

On Thursday, April 03, 2014 02:52:16 PM Anthony Williams wrote: > Was a specific Upstream at fault or several upstream > providers? It appears they have 9 upstream links -- > http://www.cidr-report.org/cgi-bin/as-report?as=4761 There probably won't be only one provider at fault. It could be al

Re: BGPMON Alert Questions

On Thursday, April 03, 2014 02:57:31 PM Nick Hilliard wrote: > I'm currently seeing ~100 prefixes originating from 4761, > and an additional 725 transited through 4761. This > would not be difficult to handle with prefix lists, > assuming some level of automation. Indeed. I, for example, have a

Re: BGPMON Alert Questions

On Thu, Apr 3, 2014 at 9:15 AM, Mark Tinka wrote: > On Thursday, April 03, 2014 02:51:20 PM Randy Bush wrote: > >> you want revenge or to prevent the effects of recurrence? > > I'd like to consider targeted suggestions for fixes that > address the specific challenges affecting "seasoned" > upstrea

RE: BGPMON Alert Questions

Network Operators' Group Subject: Re: BGPMON Alert Questions note joels careful use of 'injected'. imiho, 'hijacked' is perjorative implying evil intent. i very much doubt that is the case here. it looks much more like an accident. could we try to be less acc

Re: BGPMON Alert Questions

On Thursday, April 03, 2014 02:51:20 PM Randy Bush wrote: > you want revenge or to prevent the effects of recurrence? I'd like to consider targeted suggestions for fixes that address the specific challenges affecting "seasoned" upstreams vs. their downstream customers. I can understand how an

Re: BGPMON Alert Questions

On 03/04/2014 13:41, Mark Tinka wrote: > "max-prefix" could have come in handy here. But this is an > old song (let alone prefix filtering or RPKI). I'm currently seeing ~100 prefixes originating from 4761, and an additional 725 transited through 4761. This would not be difficult to handle with

Re: BGPMON Alert Questions

Was a specific Upstream at fault or several upstream providers? It appears they have 9 upstream links -- http://www.cidr-report.org/cgi-bin/as-report?as=4761 On 4/3/2014 8:41 AM, Mark Tinka wrote: > I wonder who we should be going after here? Indosat or their > upstream?

Re: BGPMON Alert Questions

> I wonder who we should be going after here? Indosat or their > upstream? Probably both, since if this happened with an ISP > deeper in the Internet core, chances are they don't have > what our concept of an "upstream" is. you want revenge or to prevent the effects of recurrence? one nice thi

Re: BGPMON Alert Questions

> It is probably a bit of a hammer at this stage, but we are > in limited deployment of dropping all Invalids using RPKI. > > We shall be rolling out, network-wide, in 2014, where all > Invalids are dropped. At this stage, short of a mis- > origination, it's mostly longer prefixes of an aggregat

Re: BGPMON Alert Questions

On Thursday, April 03, 2014 02:17:07 PM Nick Hilliard wrote: > Easy enough to do by e.g. redistributing your ebgp into > your IGP and then back again, or by a variety of other > means. It happened between 05:00 and 06:00 local time, > so it's reasonable to assume that it was maintenance > gone w

Re: BGPMON Alert Questions

On Thursday, April 03, 2014 02:22:44 AM Randy Bush wrote: > and, btw, how many of those whose prefixes were > mis-originated had registered those prefixes in the > rpki? It is probably a bit of a hammer at this stage, but we are in limited deployment of dropping all Invalids using RPKI. We shal

Re: BGPMON Alert Questions

On 03/04/2014 13:09, ML wrote: > Did you get any details on what specifically went wrong? I don't recall > any switch in my routing gear to "re-originate every prefix on the planet > as my own". Easy enough to do by e.g. redistributing your ebgp into your IGP and then back again, or by a variety

Re: BGPMON Alert Questions

On 4/2/2014 11:30 PM, Barry Greene wrote: Hi Team, Confirmation from my team talking directly to Indosat - self inflected with a bad update during a maintenance window. Nothing malicious or intentional. Barry Did you get any details on what specifically went wrong? I don't recall any swit

Re: BGPMON Alert Questions

On Wednesday, April 02, 2014 08:59:58 PM Justin M. Streiner wrote: > It's pretty clear that both parties have dropped the ball > in a big way, in terms of sane BGP filtering practices. It's amazing, isn't it? I have a customer of one my upstreams (Upstream A), at the moment, who are leaking my

Re: BGPMON Alert Questions

On 3 April 2014 04:43, Randy Bush wrote: > i very much doubt this is a 7007, where bgp was redistributed into rip, > which sliced it into a jillion /24s, and then redistributed from rip > back into bgp. ​I could be wrong, but I thought AS7007 was nothing to do with RIP? http://www.merit.edu/ma

Re: BGPMON Alert Questions

On Thu, 03 Apr 2014 15:00:41 +0900, Randy Bush said: > > Bad enough that "professional" folks can goof to this extent > > luckily, you, valdis, and i never make mistakes :) You must have me confused with somebody else. I wouldn't have a world-wide reputation for getting myself out of holes I've

Re: BGPMON Alert Questions

> So we're somewhat safe until the fast food burger grills and fries > cookers advance to level-3 routing? Or Daquiri blenders get their own > ASNs? that happened in the late '90s > Bad enough that "professional" folks can goof to this extent luckily, you, valdis, and i never make mistakes :)

Re: BGPMON Alert Questions

So we're somewhat safe until the fast food burger grills and fries cookers advance to level-3 routing? Or Daquiri blenders get their own ASNs? Bad enough that "professional" folks can goof to this extent, but scarier still that the "Internet of Everything" seems to progress without bounds... Je

Re: BGPMON Alert Questions

> > We've detected 415,652 prefixes being hijacked by Indosat today. > Those who do not understand AS7007 are doomed to repeat it? i very much doubt this is a 7007, where bgp was redistributed into rip, which sliced it into a jillion /24s, and then redistributed from rip back into bgp. of course

Re: BGPMON Alert Questions

Hi Team, Confirmation from my team talking directly to Indosat - self inflected with a bad update during a maintenance window. Nothing malicious or intentional. Barry signature.asc Description: Message signed with OpenPGP using GPGMail

Re: BGPMON Alert Questions

Agreed - focus on the fix. Then take a deep breath and figure out what happened. BTW - Indosat is down hard. Cannot call into their network (cell phone). I've got my team reaching in to their buddies to help. On Apr 3, 2014, at 7:22 AM, Randy Bush wrote: > note joels careful use of 'injected

Re: BGPMON Alert Questions

On Wed, 02 Apr 2014 16:16:23 -0700, Andree Toonk said: > Quick update from BGPmon: > We've detected 415,652 prefixes being hijacked by Indosat today. Those who do not understand AS7007 are doomed to repeat it? pgpU55zVC12U9.pgp Description: PGP signature

Re: BGPMON Alert Questions

note joels careful use of 'injected'. imiho, 'hijacked' is perjorative implying evil intent. i very much doubt that is the case here. it looks much more like an accident. could we try to be less accusatory with our language. 'injected', 'mis-originated', ... would seem to descrive the situatio

Re: BGPMON Alert Questions

Quick update from BGPmon: We've detected 415,652 prefixes being hijacked by Indosat today. 8,233 of those were seen by more than 10 of our BGP collectors. When receiving a BGPmon alerts, one of the metrics to look at that will help with determining the scope and impact is the 'Detected by #peers'

Re: BGPMON Alert Questions

On 4/2/14, 11:59 AM, Justin M. Streiner wrote: > Two things need to happen: > 1. Indosat needs to clean their mess up. > 2. Indosat's upstreams need to apply some BGP clue to Indosat's > announcements. > > It's pretty clear that both parties have dropped the ball in a big way, > in terms of sane

Re: BGPMON Alert Questions

On Thu, 3 Apr 2014, Adrian Minta wrote: Already too late :( *Delivery has failed to these recipients or groups:* indriana.triyunianingt...@indosat.com The recipient's mailbox is full and can't accept messages now. Please try resending this messa

Re: BGPMON Alert Questions

On Wed, 2 Apr 2014, Laszlo Hanyecz wrote: They're just leaking every route right? Is it possible to poison the AS paths you announce with their own AS to get them to let go of your prefixes until it's fixed? Would that work, or some other trick that can be done without their cooperation? Keep

Re: BGPMON Alert Questions

Already too late :( *Delivery has failed to these recipients or groups:* indriana.triyunianingt...@indosat.com The recipient's mailbox is full and can't accept messages now. Please try resending this message later, or contact the recipient directl

Re: BGPMON Alert Questions

Same here. AS path is 18356 38794 4651 4761. Did anybody had any contact with AS 4761? Regards, Peter > Op 2 apr. 2014 om 22:57 heeft Curtis Doty het volgende > geschreven: > >> On Wed, Apr 2, 2014 at 1:24 PM, Blake Dunlap wrote: >> >> Is this malicious or did someone redistribute all of b

Re: BGPMON Alert Questions

They're just leaking every route right? Is it possible to poison the AS paths you announce with their own AS to get them to let go of your prefixes until it's fixed? Would that work, or some other trick that can be done without their cooperation? Thanks, Laszlo

Re: BGPMON Alert Questions

Got this response from HE We are not in the as-path of the routes listed below. It seems we accepted some of them from a route server. I'm not seeing them in the table at this time. -- Rob Mosher Senior Network and Software Engineer Hurricane Electric / AS6939 On Wed, Apr 2, 2014 at 2:51 PM,

Re: BGPMON Alert Questions

Thanks, also emailed support@ noc@. Didn't receive any bounce emails.. e...@zerofail.com AS40191 On Apr 2, 2014 5:06 PM, Aris Lambrianidis wrote: Contacted ip@indosat.com about this, I urge others to do the same. --Aris On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley wrote: > Hi All

Re: BGPMON Alert Questions

Tried the recipients mailbox is full, but it looks like all of the bgpmon alerts have cleared. On Wed, Apr 2, 2014 at 1:40 PM, Aris Lambrianidis wrote: > Contacted ip@indosat.com about this, I urge others to do the same. > > --Aris > > > On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley >

Re: BGPMON Alert Questions

So, Just tired e-mailing to that address. "*Delivery has failed to these recipients or groups:* indriana.triyunianingt...@indosat.com The recipient's mailbox is full and can't accept messages now. Please try resending this message later, or conta

Re: BGPMON Alert Questions

Same here : Your prefix: 178.212.137.0/24: Prefix Description: Engine Networks EU Update time: 2014-04-02 20:54 (UTC) Detected by #peers: 1 Detected prefix: 178.212.137.0/24 Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID) Upstream AS:

Re: BGPMON Alert Questions

They are advertising one of /22 right now as well, Bret On 04/02/2014 04:21 PM, Bryan Tong wrote: They have advertised all of ours now. On Wed, Apr 2, 2014 at 2:16 PM, Bob Evans wrote: Yes, I too have alerts for some of our prefixes from the same offending origin 4761 On Wednesday April 2

Re: BGPMON Alert Questions

y Cc: "nanog@nanog.org" Subject: Re: BGPMON Alert Questions Contacted ip@indosat.com about this, I urge others to do the same. --Aris On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley wrote: > Hi All, > > I am a network admin for Aware Corporation AS18356 (Thailand),

Re: BGPMON Alert Questions

On Wed, Apr 2, 2014 at 1:24 PM, Blake Dunlap wrote: > Is this malicious or did someone redistribute all of bgp with bad upstream > filtering? > They perfectly re-advertized all mine. Loos like a huge mistake. And still ongoing. Although this was nice to see: ==

Re: BGPMON Alert Questions

On 4/2/14, 13:31, Bob Evans wrote: where did you get that number ? I think that was a number for CAT, AS4651. ~Seth

Re: BGPMON Alert Questions

We are getting multiple alerts for a mix of our and customers prefixes. Could someone from HE tell if they started filtering yet ? Erik Bais Verstuurd vanaf mijn iPad Op 2 apr. 2014 om 21:21 heeft Felix Aronsson het volgende geschreven: > Seeing the same here for a /21. This seems to have

Re: BGPMON Alert Questions

Contacted ip@indosat.com about this, I urge others to do the same. --Aris On Wed, Apr 2, 2014 at 9:33 PM, Andrew (Andy) Ashley wrote: > Hi All, > > I am a network admin for Aware Corporation AS18356 (Thailand), as > mentioned in the alert. > We operate a BGPMon PeerMon node on our network,

Re: BGPMON Alert Questions

I emailed hostmas...@indosat.com a little over an hour ago, and no response as yet. Anyone having luck making contact with Indosat themselves? On Wed, Apr 2, 2014 at 2:33 PM, Andrew (Andy) Ashley wrote: > Hi All, > > I am a network admin for Aware Corporation AS18356 (Thailand), as > mentioned i

Re: BGPMON Alert Questions

Same here: Possible Prefix Hijack (Code: 10) Your prefix: 132.206.0.0/16: Prefix Description: MCGILL-NET-132-206 Update time: 2014-04-02 20

RE: BGPMON Alert Questions

Three of ours just got jacked. I have tried to contact via email for update / fix of their end. -Mike -Original Message- From: Felix Aronsson [mailto:fe...@mrfriday.com] Sent: Wednesday, April 02, 2014 3:22 PM To: Joseph Jenkins Cc: nanog@nanog.org Subject: Re: BGPMON Alert Questions

Re: BGPMON Alert Questions

's hope that AS4651 can quickly apply filters. >>> >>> Frank >>> >>> -Original Message- >>> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com] >>> Sent: Wednesday, April 02, 2014 2:03 PM >>> To: Joseph Jenkins; nanog

Re: BGPMON Alert Questions

Frank > >> > >> -Original Message- > >> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com] > >> Sent: Wednesday, April 02, 2014 2:03 PM > >> To: Joseph Jenkins; nanog@nanog.org > >> Subject: RE: BGPMON Alert Questions > >>

Re: BGPMON Alert Questions

They have advertised all of ours now. On Wed, Apr 2, 2014 at 2:16 PM, Bob Evans wrote: > Yes, I too have alerts for some of our prefixes from the same offending > origin 4761 > > On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change > event for your prefix (66.201.48.0/20 slash

Re: BGPMON Alert Questions

route-views4 /64.25.208.71 has seen updates that contains large amount of prefixes at time 1396464452 (04 / 02 / 14 @ 6:47:32pm UTC) with path [20225, 6939, 4761] full prefixes list: http://pastebin.com/Eu4ePgp4 is it normal for single update to contain such large amount NLRI info? On Wed, Apr

Re: BGPMON Alert Questions

Hi All, I am a network admin for Aware Corporation AS18356 (Thailand), as mentioned in the alert. We operate a BGPMon PeerMon node on our network, which peers with the BGPMon service as a collector. It is likely that AS4761 (INDOSAT) has somehow managed to hijack these prefixes and CAT (Communica

Re: BGPMON Alert Questions

Seeing the same here for a /21. This seems to have happened before with AS4761? See http://www.bgpmon.net/hijack-by-as4761-indosat-a-quick-report/from january 2011. On Wed, Apr 2, 2014 at 8:51 PM, Joseph Jenkins wrote: > So I setup BGPMON for my prefixes and got an alert about someone in > Thail

Re: BGPMON Alert Questions

rs. >> >> Frank >> >> -Original Message- >> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com] >> Sent: Wednesday, April 02, 2014 2:03 PM >> To: Joseph Jenkins; nanog@nanog.org >> Subject: RE: BGPMON Alert Questions >> >> If you contact b

Re: BGPMON Alert Questions

Frank >> >> -Original Message- >> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com] >> Sent: Wednesday, April 02, 2014 2:03 PM >> To: Joseph Jenkins; nanog@nanog.org >> Subject: RE: BGPMON Alert Questions >> >> If you contact bgpmon s

Re: BGPMON Alert Questions

Yes, I too have alerts for some of our prefixes from the same offending origin 4761 On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change event for your prefix (66.201.48.0/20 slash 20 bottom of nor cal) The detected prefix: 66.201.48.0/20, was announced by AS4761 (INDOSAT-INP-AP

Re: Prefix hijack by AS4761 (was Re: BGPMON Alert Questions)

On Wed, Apr 2, 2014 at 3:41 PM, joel jaeggli wrote: > yeah you're seeing the impact of a pretty broad prefix injection > > indosat's upstream filters seem to be working for the most part. Based on the image they tweeted, I don't think they are doing much filtering; the Syrian prefix was spread

Re: BGPMON Alert Questions

" > > Let's hope that AS4651 can quickly apply filters. > > Frank > > -Original Message- > From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com] > Sent: Wednesday, April 02, 2014 2:03 PM > To: Joseph Jenkins; nanog@nanog.org > Subject: RE: BGPMON A

Re: BGPMON Alert Questions

Just got the same for 5 of my prefixes. Possible Prefix Hijack (Code: 10) Your prefix: 192.225.232.0/21: Prefix Description: ARIN direct allocation U

Re: Prefix hijack by AS4761 (was Re: BGPMON Alert Questions)

yeah you're seeing the impact of a pretty broad prefix injection indosat's upstream filters seem to be working for the most part. On 4/2/14, 12:10 PM, Stephen Fulton wrote: > I'm seeing the same hijack of prefixes by multiple networks under my > watch, at 18:40 UTC and 19:06 UTC. > > -- Stephen

RE: BGPMON Alert Questions

--Original Message- From: Vlade Ristevski [mailto:vrist...@ramapo.edu] Sent: 02 April 2014 20:05 To: nanog@nanog.org Subject: Re: BGPMON Alert Questions I just got the same alert for one of my prefixes one minute ago. On 4/2/2014 2:59 PM, Frank Bulk wrote: > I received a similar notification abo

Re: BGPMON Alert Questions

I can confirm that indosat appears to be hijacking many prefixes. HE 6939 is one of the networks picking it up and distributing it further. Here's an example for a Syrian prefix: http://portal.bgpmon.net/data/indosat-hijack.png

Re: BGPMON Alert Questions

... and same here. Indosat looks now to have developed a solid experience in BGP prefix hijack mess (last time was in 2011). Olivier > On 4/2/14, 11:51, Joseph Jenkins wrote: >> So I setup BGPMON for my prefixes and got an alert about someone in >> Thailand announcing my prefix. Everything loo

RE: BGPMON Alert Questions

om] Sent: Wednesday, April 02, 2014 2:03 PM To: Joseph Jenkins; nanog@nanog.org Subject: RE: BGPMON Alert Questions If you contact bgpmon support you may be able to get some more in-depth information. I've contacted them before with alerts like those and they were able to give me spe

RE: BGPMON Alert Questions

PM To: nanog@nanog.org Subject: Re: BGPMON Alert Questions On 4/2/14, 11:51, Joseph Jenkins wrote: > So I setup BGPMON for my prefixes and got an alert about someone in > Thailand announcing my prefix. Everything looks fine to me and I've > checked a bunch of different Looking Gla

Re: BGPMON Alert Questions

On 4/2/14, 8:51 PM, Joseph Jenkins wrote: So I setup BGPMON for my prefixes and got an alert about someone in Thailand announcing my prefix. Everything looks fine to me and I've checked a bunch of different Looking Glasses and everything announcing correctly. I am assuming I should be contacti

Prefix hijack by AS4761 (was Re: BGPMON Alert Questions)

I'm seeing the same hijack of prefixes by multiple networks under my watch, at 18:40 UTC and 19:06 UTC. -- Stephen On 2014-04-02 2:51 PM, Joseph Jenkins wrote: So I setup BGPMON for my prefixes and got an alert about someone in Thailand announcing my prefix. Everything looks fine to me and I

RE: BGPMON Alert Questions

arson [mailto:thorhallur.halfdanar...@advania.is] Sent: Wednesday, April 02, 2014 2:59 PM To: Joseph Jenkins Cc: nanog@nanog.org Subject: Re: BGPMON Alert Questions I have received those for two prefixes so far. Same origin+transit Br, Tolli

Re: BGPMON Alert Questions

On 02/04/14 11:51, Joseph Jenkins wrote: > So I setup BGPMON for my prefixes and got an alert about someone in > Thailand announcing my prefix. Everything looks fine to me and I've > checked a bunch of different Looking Glasses and everything announcing > correctly. > > I am assuming I should be

Re: BGPMON Alert Questions

Same alert for me on two of my prefixes. Still looking into it. On Wed, Apr 2, 2014 at 1:59 PM, Frank Bulk wrote: > I received a similar notification about one of our prefixes also a few > minutes ago. I couldn't find a looking glass for AS4761 or AS4651. But I > also couldn't hit the website

RE: BGPMON Alert Questions

Lol, and two minutes after I replied to you, I got the same alert about the same AS with two of my prefixes. -Original Message- From: Joseph Jenkins [mailto:j...@breathe-underwater.com] Sent: Wednesday, April 02, 2014 2:52 PM To: nanog@nanog.org Subject: BGPMON Alert Questions So I setu

Re: BGPMON Alert Questions

I just got the same alert for one of my prefixes one minute ago. On 4/2/2014 2:59 PM, Frank Bulk wrote: I received a similar notification about one of our prefixes also a few minutes ago. I couldn't find a looking glass for AS4761 or AS4651. But I also couldn't hit the websites for either AS,

RE: BGPMON Alert Questions

If you contact bgpmon support you may be able to get some more in-depth information. I've contacted them before with alerts like those and they were able to give me specific date, time, ASN and interface information about the peering points that received the announcements; that might help make you

Re: BGPMON Alert Questions

On 4/2/14, 11:51, Joseph Jenkins wrote: So I setup BGPMON for my prefixes and got an alert about someone in Thailand announcing my prefix. Everything looks fine to me and I've checked a bunch of different Looking Glasses and everything announcing correctly. I am assuming I should be contacting

RE: BGPMON Alert Questions

I just got the same thing. Possible Prefix Hijack (Code: 10) Your prefix: 173.44.32.0/19: Prefix Description: AS8100 Update time: 2014-04-

  1   2   >