Thread: Re: Kenyan Route Hijack

Re: Kenyan Route Hijack
United States
2008-03-16 00:30:21

-- "Bill Stewart" <nonobviousgmail.com> wrote:

> I've seen two popular reasons for doing it accidentally
> - Fat fingers when configuring IP addresses by hand
> - Using old routing protocols such as IGRP or RIP and autosummarizing routes,
>   usually done by a customer of an ISP that doesn't bother filtering carefully.
>   This doesn't give you a /24 address by accident,
>   but it lets you take two /24 subnets of a Class B or Class A
>   and turn them into an advertisement for the whole network.

Also: I have seen instances where a static route points to a next hop that (inadvertently) may be "redistribute-static" injected into BGP. This happens occasionally due to ad hoc configurations, black-hole null routing, etc.

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


Re: Kenyan Route Hijack
2008-03-16 01:07:36
Paul,

> Also: I have seen instances where a static route points to a next hop
> that (inadvertently) may be "redistribute-static" injected into BGP.
> This happens occasionally due to ad hoc configurations, black-hole null
> routing, etc.

And why would an ISP locally try to blackhole traffic bound to some other legitimate address space? Wouldn't this result in this service provider's customers losing connectivity to whatever websites fall behind the IP address block in question? Or is that the intention?

If it's done intentionally then it would only make sense if there's a DOS attack coming from that address block, or if there's something "blasphemous" put up there. If none of these, then why locally blackhole traffic?

Thanks,
Glen

Re: Kenyan Route Hijack
2008-03-16 01:36:05
On Sun, Mar 16, 2008 at 2:07 AM, Glen Kent <glen.kentgmail.com> wrote:
>
> Paul,
>
> > Also: I have seen instances where a static route points to a next hop
> > that (inadvertently) may be "redistribute-static" injected into BGP.
> > This happens occasionally due to ad hoc configurations, black-hole null
> > routing, etc.
>
> And why would an ISP locally try to blackhole traffic bound to some
> other legitimate address space? Wouldn't this result in this service

I think it was Abovenet that blackholed a /24 of (I want to say MAPS, but that's not right) an anti-spam-RBL sometime pre-1999?

> provider's customers to lose connectivity to whatever websites fall
> behind the IP address block in question? Or is that the intention?
>

perhaps they had a significant number of complaints about the address block and no reaction from the owner(s)? or the address block (or hosts in it) were scanning their infrastructure, or dos'ing it or??? There are a whole host of reasons one might conjecture. In ALL cases you'd never put in a /24 but a pair of /25 so that you didn't become the best path for the rest of the internets...

> If it's done intentionally then it would only make sense if there's a
> DOS attack coming from that address block, or if there's something

dos attack mitigation works best on destinations, not sources... urpf-loose aside a filter would have solved that form of problem quicker.

> "blasphemous" put up there. If none of these, then why locally
> blackhole traffic?
>

once upon a time we had a noc person null route a 210.x.x.0/24 block because someone used their email address in the 'from' for a spam run... a swift 'discussion' ensued and they learned there was a better solution to their problem. (swift after the owners of the ip space got a little irate :( )

-Chris
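The two failure modes discussed in this thread (a static null route leaking into BGP through an unfiltered "redistribute static", and why a pair of /25s stays local where a /24 would become the best path for the whole Internet) can be checked against a route table with a small script. This is an added example, not code from the thread or from any of the posters; the static routes, the allocations and the /24 propagation threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample data (not from the thread): the space this AS legitimately originates.
LOCAL_ALLOCATIONS = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Hypothetical static-route table as (prefix, next hop); "Null0" marks a blackhole route.
STATIC_ROUTES = [
    ("203.0.113.128/25", "Null0"),    # our own space: harmless if injected
    ("192.0.2.0/24", "Null0"),        # someone else's /24 blackholed: a global hijack if leaked
    ("192.0.2.0/25", "Null0"),        # the "pair of /25s" variant: longer than /24, so peers
    ("192.0.2.128/25", "Null0"),      # normally filter it and it stays inside this AS
    ("198.51.100.0/24", "10.0.0.1"),  # ordinary customer static in our own space
]

# Assumption: peers in the default-free zone accept nothing longer than a /24.
MAX_GLOBAL_PREFIXLEN = 24


def redistributed(routes, allow_list=None):
    """Model 'redistribute static' into BGP.  allow_list=None is the unfiltered
    form: every static route, null routes included, becomes an announcement.
    A list of prefixes models a prefix-list that only injects statics inside them."""
    injected = []
    for prefix, _next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if allow_list is None or any(net.subnet_of(a) for a in allow_list):
            injected.append(net)
    return injected


def classify_leaks(injected, own):
    """Return (prefix, reach) for each injected prefix that is not ours.
    "global": short enough to pass peers' /24 filters, so this AS would draw the
    whole Internet's traffic for it.  "local": stays within this AS."""
    findings = []
    for net in injected:
        if any(net.subnet_of(o) for o in own):
            continue
        reach = "global" if net.prefixlen <= MAX_GLOBAL_PREFIXLEN else "local"
        findings.append((str(net), reach))
    return findings


if __name__ == "__main__":
    print("unfiltered:", classify_leaks(redistributed(STATIC_ROUTES), LOCAL_ALLOCATIONS))
    print("prefix-list:", classify_leaks(redistributed(STATIC_ROUTES, LOCAL_ALLOCATIONS), LOCAL_ALLOCATIONS))
```

With the unfiltered form the foreign /24 is reported as a global leak while the two /25s are only local; restricting redistribution to the AS's own allocations empties the list entirely.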

Re: Kenyan Route Hijack
New Zealand
2008-03-16 06:49:52
Kameron Gasso wrote:
> Christopher Morrow wrote:
>> I think it was Abovenet that blackholed a /24 of (I want to say MAPS,
>> but that's not right) an anti-spam-RBL sometime pre-1999?
>
> If I'm not mistaken, that was ORBS.

Correct.  A particularly interesting case, since ORBS' transit provider was also a transit customer of Above.net.  Said transit provider would announce their /16s, of which ORBS sat in a /24 or two of, and have their traffic blackholed.

IIRC they punched /24s via their other transit providers to partly resolve the issue.

But the rest of the story - let's not go there.

Re: Kenyan Route Hijack
United States
2008-03-16 09:50:19
On Mon, 17 Mar 2008, Alastair Johnson wrote:

> Correct.  A particularly interesting case, since ORBS' transit provider was
> also a transit customer of Above.net.  Said transit provider would announce
> their /16s, of which ORBS sat in a /24 or two of, and have their traffic
> blackholed.
>
> IIRC they punched /24s via their other transit providers to partly resolve
> the issue.
>
> But the rest of the story - let's not go there.

Why not?  We _used_ to be an Above.net OC3 customer.  Back around 2003, we ran into issues with Above.net deciding for us which parts of the internet should be accessible.  We got customer complaints that certain web sites were unreachable through us, but worked fine on other internet services.  I eventually got Above.net to give me a list of the several dozen /24's they were null routing.

This was particularly annoying because they had nothing setup to notify customers of these null routes or allow us to choose not to send them traffic they'd null route.  To me, this seemed rather inappropriate behavior for a transit provider.

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

Re: Kenyan Route Hijack
United States
2008-03-16 18:32:22

On Mar 16, 2008, at 2:36 AM, Christopher Morrow wrote:

> I think it was Abovenet that blackholed a /24 of (I want to say MAPS,
> but that's not right) an anti-spam-RBL sometime pre-1999?

ORBS, and the only reason it became such a big deal was that Abovenet was the upstream of ORBS' upstream.  And that's something people still haven't gotten over.