BGPMon on BGP Table Leak by Companhia de Telecomunicacoes do Brasil Central

Last month I posted BGPMon.net Watches BGP Announcements for Free. I said:

I created an account at BGPMon.net and decided to watch for route advertisements for Autonomous System (AS) 80, which corresponds to the 3.0.0.0/8 network my company operates. The idea is that if anyone decides to advertise more specific routes for portions of that net block, and the data provided to BGPMon.net by the Réseaux IP Européens (RIPE) Routing Information Service (RIS) notices the advertisements, I will get an email.

Well, that started happening last night:


You Receive this email because you are subscribed to BGPmon.net.
For more details about these updates please visit:
http://bgpmon.net/showupdates.php

====================
Possible Prefix Hijack (Code: 11)
1 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2008-11-11 01:55 (UTC)
3.0.0.0/8
Announced by: AS16735 (Companhia de Telecomunicacoes do Brasil Central)
Transit AS: 27664 (CTBC Multimídia)
ASpath: 27664 16735

I got four more updates, the last at 2008-11-11 02:59 (UTC).

These alerts indicated that AS16735 (Companhia de Telecomunicacoes do Brasil Central) was advertising routes for my company's 3.0.0.0/8 netblock. That's not good.

When I saw that I initially assumed we were the only ones affected. Early today I read Prefix hijack by AS16735 on the BGPMon blog stating the following:

Between 01:55 UTC and 02:15 267947 distinct prefixes were originated from AS16735 (Companhia de Telecomunicacoes do Brasil Central), hence a full table ‘leak’. After that more updates were detected. The last hijack update originated by AS16735 was received at 03:07 UTC. So the ‘hijack’ was there for about 75 minutes As far as I can see the only RIS collector who saw this hijack was the one in Sao Paulo, Brazil (PTTMetro-SP), there it was seen by a few RIS peers.

This means that Companhia de Telecomunicacoes do Brasil Central advertised routes for the whole Internet. It was a mistake; no one does that on purpose.

The NANOG mailing list has a thread on this event if you want to see what others reported.

A look at the RIPE AS Dashboard for AS 27664, a transit AS, shows the spike in BGP updates per minute caused by this event.



Unfortunately, I do not see one for AS 16735, the culprit here. Good work BGPMon!


Richard Bejtlich is teaching in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Comments

Anonymous said…
This is pretty cool stuff and makes the life of network administrators a bit easier ;)

Popular posts from this blog

Zeek in Action Videos

MITRE ATT&CK Tactics Are Not Tactics

New Book! The Best of TaoSecurity Blog, Volume 4