Friday, January 02, 2009

BGPMon On Illegitimate Route Announcement

In November I posted BGPMon on BGP Table Leak by Companhia de Telecomunicacoes do Brasil Central. A lot of people saw that activity but the overall effect was negligible to nonexistent.

Yesterday I received a more personalized alert from BGPMon:

You Receive this email because you are subscribed to BGPmon.net.
For more details about these updates please visit:
http://bgpmon.net/showupdates.php

====================
WithDraw of More Specific (Code: 23)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:33 (UTC)
3.3.3.3/32
====================
Possible Prefix Hijack (Code: 11)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:31 (UTC)
3.3.3.3/32
Announced by: AS15475 (NOL)
Transit AS: 8452 (TEDATA TEDATA)
ASpath: 29073 9009 19151 4788 8452 15475

Checking WHOIS data for AS15475 shows:

% Information related to 'AS15475'

aut-num: AS15475
as-name: NOL
descr: Nile Online
descr: Giza,Egypt
descr: For any abuse complain contact abuse@nile-online.com

So, an ISP in Giza, Egypt announced a 3.3.3.3/32 route to the Internet. That looks like some kind of test. I used to be amazed to see a /32 route appear like this in global BGP tables, but now that I know most ISPs don't filter anything I am not so surprised anymore. Previously I would have thought one of the ASes in the AS path would have filtered this.
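To show what a defender can check automatically when such an alert arrives, here is an added example (not part of the original post or of BGPmon) that parses an alert block shaped like the one quoted above and flags why it matters: the announcement is a more specific of the monitored prefix, the origin AS is unexpected, and the prefix is longer than the /24 most transit networks filter. The expected-origin set is a placeholder (the documentation ASN 64496); the real origin for 3.0.0.0/8 is not stated on this page.

```python
import ipaddress
import re

# Constructed sample in the shape of the BGPmon "Possible Prefix Hijack" block quoted above.
ALERT = """\
Possible Prefix Hijack (Code: 11)
2 number of peer(s) detected this updates for your prefix 3.0.0.0/8:
Update details: 2009-01-01 08:31 (UTC)
3.3.3.3/32
Announced by: AS15475 (NOL)
Transit AS: 8452 (TEDATA TEDATA)
ASpath: 29073 9009 19151 4788 8452 15475
"""

# Placeholder: the AS numbers that legitimately originate the monitored prefix.
EXPECTED_ORIGINS = {64496}


def parse_alert(text):
    """Pull the monitored prefix, announced prefix, origin AS and AS path out of one alert block."""
    monitored = re.search(r"for your prefix (\S+):", text).group(1)
    announced = re.search(r"\(UTC\)\n(\S+)\n", text).group(1)
    origin = int(re.search(r"Announced by: AS(\d+)", text).group(1))
    path = [int(asn) for asn in re.search(r"ASpath: (.+)", text).group(1).split()]
    return {"monitored": ipaddress.ip_network(monitored),
            "announced": ipaddress.ip_network(announced),
            "origin": origin, "path": path}


def triage(alert, expected_origins, max_prefixlen=24):
    """Return the list of reasons this announcement deserves attention (empty list = benign)."""
    findings = []
    mon, ann = alert["monitored"], alert["announced"]
    if ann != mon and ann.subnet_of(mon):
        # Longest-match forwarding means the more specific beats the legitimate aggregate.
        findings.append(f"{ann} is a more specific of {mon} and wins longest-match over it")
    if alert["origin"] not in expected_origins:
        findings.append(f"origin AS{alert['origin']} is not an expected origin for {mon}")
    if ann.prefixlen > max_prefixlen:
        # Each transit AS in the path had the chance to drop anything longer than /24.
        findings.append(f"/{ann.prefixlen} is longer than /{max_prefixlen}; "
                        f"{len(alert['path']) - 1} transit ASes passed it anyway")
    if alert["path"][-1] != alert["origin"]:
        findings.append("AS path origin does not match the 'Announced by' AS")
    return findings


if __name__ == "__main__":
    for reason in triage(parse_alert(ALERT), EXPECTED_ORIGINS):
        print("-", reason)
```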


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

3 comments:

Matt said...

Forgive me if I'm misunderstanding the recent "vulnerability", but could the ability to create a "genuine" certificate be coupled with this particularly fun aspect of BGP to create a man in the middle attack? I seem to remember something similar being posited back when this flaw came to light (again?) a few months ago, and at that point, the sticking point was that the attacker couldn't replicate the certificate, so banks and other people with "good" certificates were safe.

Anonymous said...

FWIW, most clueful ISPs do filter ANYTHING longer than a /24, from both customers and peers, and that's why only a very small number of networks (e.g., only rrc11 and rrc12 RIPE route servers) reported this /32 announcement. I too am surprised that this route announcement made it across 5 different ISPs. It is nice that you were alerted on this event, even while the duration was less than 3 minutes.

Anonymous said...

At least one other person was notified because of a more specific (/26 in this case) that was announced by AS15475 (NOL).

It seems they leaked a bunch of more specifics, including a number of bogons, such as 100.100.100.0/30 and 2.2.2.2/32.
This was all just for a few minutes.