North American Network Operators Group


Kenyan Route Hijack

  • From: Danny McPherson
  • Date: Sat Mar 15 14:03:45 2008


[more accurate subject line]


On Mar 14, 2008, at 1:33 PM, Felix Bako wrote:


Hello,
There is a routing loop while accessing my network 194.9.82.0/24 from some networks on the Internet.


This is a test done from the lg.above.net looking glass.

1 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
2 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 0 msec
3 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 8 msec 8 msec 0 msec
4 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
5 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
6 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 0 msec 4 msec
7 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 64 msec 0 msec 4 msec
8 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) [MPLS: Label 80 Exp 0] 0 msec 4 msec 0 msec
9 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 4 msec 0 msec 0 msec
10 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) [MPLS: Label 78 Exp 0] 0 msec 4 msec 0 msec
11 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 4 msec 0 msec 4 msec

According to RIPE BGP play data, it looks to me like AS 6461 (Abovenet) began announcing 194.9.82.0/24 about 10 hours ago, pulling traffic away from AS 39615 and triggering your reachability problems (note times are UTC):

# 1/361 2008-03-15 03:05:27 Path Change from 29636 6461 2914 8513 25228 36915
rrc01 195.66.224.132 to 29636 2914 6461
# 2/361 2008-03-15 03:05:27 Route Announcement 20485 2914 6461
rrc01 195.66.224.212
....


About 17 minutes later, AS 6461 withdrew the route announcement:

# 41/361  2008-03-15 03:22:56   Route Withdrawal ( 4777 2497 2914 6461 )
   rrc06  202.249.2.20
....

And another 12 minutes or so later they began announcing it
again:

# 42/361 2008-03-15 03:35:26 Path Change from 29636 6461 2914 8513 25228 36915
rrc01 195.66.224.132 to 29636 2914 6461
...


There seemed to be a bunch more instability with this prefix around 5:53:

# 66/361  2008-03-15 05:53:40   Route Announcement   25462 6461
   rrc07  194.68.123.157
...

And then some withdraws around 7:43:

# 183/361 2008-03-15 07:43:48 Path Change from 8468 6453 6461
rrc01 195.66.224.151 to 8468 3491 25228 25228 25228 25228 25228 36915
...


With considerable oscillation for around 40 minutes between the legit
path via AS 36915 and the path via AS 6461.

And the latest was this transition from AS 6461 back to the 36915 path
about 2 hours ago, but only by a few ASNs, I suspect because those ASNs
explicitly modified policy (either preference or filtering) to de-prefer the
AS 6461 path. This is illustrated pretty nicely with BGP play:


# 335/361 2008-03-15 14:59:43 Route Withdrawal ( 1916 3549 6461 )
rrc15 200.219.130.4
# 361/361 2008-03-15 15:00:27 Path Change from 13645 3356 6461
rrc11 198.32.160.150 to 13645 3491 25228 25228 25228 25228 25228 36915


BGP Play applet here:

http://www.ris.ripe.net/bgplay/applet.html?

Although most folks are definitely still preferring the AS 6461
path.

An interesting bit is that the current announcement on routeviews
directly from AS 6461 has Community 6461:5999 attached:
...
  6461
    64.125.0.137 from 64.125.0.137 (64.125.0.137)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 6461:5999
...

According to this, that community is used for "internal prefixes":

http://onesc.net/communities/as6461/

"6461:5999 internal prefix"

A "sh ip bgp community 6461:5999" currently yields 130 prefixes
with Origin AS of 6461 and that community.  Nothing more specific
than a /24, although many many adjacent prefixes that would
presumably be aggregated normally are announced as well.

The closest adjacent prefix to 194.9.82/24 they're announcing
is 194.9.40/24, which is one of their prefixes:

*> 194.9.40.0       64.125.0.137             0             0 6461 i
*> 194.9.82.0       64.125.0.137             0             0 6461 i

Unfortunately, the AS6461 forwarding loop still exists, and most
ASNs still appear to be preferring their path over yours per BGP
AS path route selection rules:

---
[email protected]% date
Sat Mar 15 11:55:27 MDT 2008
...
14 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 188.278 ms 172.714 ms 174.984 ms
15 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 176.234 ms 174.013 ms 174.109 ms
16 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 173.230 ms 172.892 ms 174.765 ms
17 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) 174.721 ms 175.256 ms 174.738 ms
18 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 174.437 ms 220.815 ms 180.961 ms
19 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 177.564 ms 181.966 ms 174.771 ms
20 ten-gige-2-2.mpr2.ams2.nl.above.net (64.125.26.70) 176.028 ms 174.269 ms 174.365 ms
21 ten-gige-2-2.mpr1.ams2.nl.above.net (64.125.26.69) 175.626 ms 175.381 ms 175.831 ms
22 ge-1-2-0.mpr1.ams1.nl.above.net (64.125.26.74) 174.046 ms 174.841 ms 174.388 ms
23 ten-gige-1-1.mpr1.ams2.nl.above.net (64.125.26.73) 174.861 ms 174.857 ms 175.475 ms
...


My recommendation, stay on the phone with Abovenet (via your
upstream, and their upstream if necessary) until you see a withdraw
for the route on routeviews from AS 6461:

telnet route-views.routeviews.org
sh ip bgp 194.9.82.0/24

-danny
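As an added example (not part of Danny's post or any RIPE tooling), the Python below parses RIS/BGPlay event records in the two-line format quoted above, flags every event after which a collector peer sees the prefix with an origin other than the legitimate AS 36915, and reports old-versus-new AS-path lengths to show why the shorter AS 6461 path won under default best-path selection. The sample records are constructed from the excerpts quoted in the post.

```python
import re
from collections import namedtuple

# Constructed sample: RIS/BGPlay event excerpts as quoted in the post (header line
# "# n/total <date> <time> <event> ...", then "<collector> <peer> [to <new path>]").
SAMPLE = """\
# 1/361 2008-03-15 03:05:27 Path Change from 29636 6461 2914 8513 25228 36915
rrc01 195.66.224.132 to 29636 2914 6461
# 2/361 2008-03-15 03:05:27 Route Announcement 20485 2914 6461
rrc01 195.66.224.212
# 41/361  2008-03-15 03:22:56   Route Withdrawal ( 4777 2497 2914 6461 )
   rrc06  202.249.2.20
# 183/361 2008-03-15 07:43:48 Path Change from 8468 6453 6461
rrc01 195.66.224.151 to 8468 3491 25228 25228 25228 25228 25228 36915
"""
LEGIT_ORIGIN = 36915  # the prefix holder's origin AS, per the post
HEADER = re.compile(r"^#\s*\d+/\d+\s+(\S+ \S+)\s+"
                    r"(Path Change|Route Announcement|Route Withdrawal)\s*(.*)$")
# old_path is [] for a fresh announcement; new_path is [] for a withdrawal
Event = namedtuple("Event", "ts kind collector peer old_path new_path")

def _asns(text):
    return [int(a) for a in re.findall(r"\d+", text)]

def parse_events(text):
    lines = [l for l in text.splitlines() if l.strip()]
    events = []
    for hdr, cont in zip(lines[0::2], lines[1::2]):
        m = HEADER.match(hdr)
        if not m:
            raise ValueError(f"unrecognised header: {hdr!r}")
        ts, kind, rest = m.groups()
        fields = cont.split()
        if kind == "Path Change":         # old path in header, new path after "to"
            old, new = _asns(rest), _asns(" ".join(fields[3:]))
        elif kind == "Route Announcement":
            old, new = [], _asns(rest)
        else:                             # Route Withdrawal: withdrawn path in parentheses
            old, new = _asns(rest), []
        events.append(Event(ts, kind, fields[0], fields[1], old, new))
    return events

def origin(path):
    return path[-1] if path else None

def hijack_alerts(events, legit_origin=LEGIT_ORIGIN):
    """Events after which a collector peer sees the prefix with a foreign origin AS."""
    return [e for e in events if e.new_path and origin(e.new_path) != legit_origin]

def path_lengths(e):
    """(old, new) AS-path lengths: the shorter hijack path wins under default selection."""
    return len(e.old_path), len(e.new_path)
```

Running `hijack_alerts(parse_events(SAMPLE))` yields the two 03:05:27 events, while the 07:43:48 path change shows the legitimate path losing on length (8 hops with prepends against 3), which is the selection behaviour the post describes.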