Friday, January 02, 2009

BGPMon On Illegitimate Route Announcement

In November I posted BGPMon on BGP Table Leak by Companhia de Telecomunicacoes do Brasil Central. A lot of people saw that activity but the overall effect was negligible to nonexistent.

Yesterday I received a more personalized alert from BGPMon:

You Receive this email because you are subscribed to BGPmon.net.
For more details about these updates please visit:
http://bgpmon.net/showupdates.php

====================
WithDraw of More Specific (Code: 23)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:33 (UTC)
3.3.3.3/32
====================
Possible Prefix Hijack (Code: 11)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:31 (UTC)
3.3.3.3/32
Announced by: AS15475 (NOL)
Transit AS: 8452 (TEDATA TEDATA)
ASpath: 29073 9009 19151 4788 8452 15475

Checking WHOIS data for AS15475 shows:

% Information related to 'AS15475'

aut-num: AS15475
as-name: NOL
descr: Nile Online
descr: Giza,Egypt
descr: For any abuse complain contact abuse@nile-online.com

So, an ISP in Giza, Egypt announced a 3.3.3.3/32 route to the Internet. That looks like some kind of test. I used to be amazed to see a /32 route appear like this in global BGP tables, but now that I know most ISPs don't filter anything I am not so surprised anymore. Previously I would have thought one of the AS in the AS path would have filtered this.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

3 comments:

Matt said...

Forgive me if I'm misunderstanding the recent "vulnerability", but could the ability to create a "genuine" certificate be coupled with this particularly fun aspect of BGP to create a man in the middle attack? I seem remember something similar being posited back when this flaw came to light (again?) a few months ago, and at that point, the sticking point was that the attacker couldn't replicate the certificate, so banks and other people with "good" certificates were safe.

danny McPherson said...

FWIW, most clueful ISPs do filter ANYTHING longer than a /24, from both customers and peers, and that's why only a very small number of networks (e.g., only rrc11 and rrc12 RIPE route servers) reported this /32 announcement. I too am surprised that this route announcement made it across 5 different ISPs. It is nice that you were alerted on this event, even while the duration was less than 3 minutes.

Andree Toonk said...

At least one other person was notified because of a more specific (/26 in this case) that was announced by AS15475 (NOL).

It seems they the leaked a bunch of more specifics including a number of Bogons, Such as 100.100.100.0/30 and 2.2.2.2/32
This was all just for a few minutes.