[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BGP Hijack/Sickness with AS4637


Just to clear up a few things. We are not running any route optimization 
software (ever). The reason we "refused" to help is because we were not 
going to contact our transit providers NOC regarding other parties 
routes, even if we did they wouldn't be of assistance.

We are purely passing on the routes we receive from our transit 
providers to our customers. We are not modifying the routes in any way 
shape or form.

We incest routes from a lot of transit providers and send most of the 
data to route views (As do a number of our customers) which is why this 
route was seen from us.

I have completed a soft clear on our BGP session towards AS4637 and the 
route still exists. Sorry we can't be of assistance in this case but 
this is fully out of our control.

xxxx at re0-cr1.ty8.ty.jp> show route detail

vrf-international.inet.0: 696465 destinations, 1194388 routes (696461 
active, 0 holddown, 4 hidden) (1 entry, 1 announced)
         *BGP    Preference: 170/-101
                 Next hop type: Router, Next hop index: 790
                 Address: 0xff29810
                 Next-hop reference count: 1279932
                 Next hop: via ae0.401, selected
                 Session Id: 0x181
                 State: <Active Ext>
                 Peer AS:  4637
                 Age: 2w4d 11:08:17
                 Validation State: unverified
                 Task: BGP_4637.
                 Announcement bits (4): 1-KRT 2-BGP Route Target 
5-BGP_RT_Background 6-Resolve tree 6
                 AS path: 4637 3257 29909 16532 16532 16532 16532 I
                 Communities: 4637:32031 4637:32314 4637:32504 4637:60952
                 Localpref: 100
                 Router ID:

ColoAU (AS63956)

Colocation Australia Pty Ltd <http://coloau.com.au>


Brad Hooper / Network Architect
brad at coloau.com.au <mailto:brad at coloau.com.au>/ +61 7 3106 3810

Colocation Australia Pty Ltd

Facebook <https://facebook.com/coloau> Twitter 
<https://twitter.com/coloau> skype <skype:coloau-brad?call>

On 01/06/18 06:36, Job Snijders wrote:
> On Thu, May 31, 2018 at 02:40:06PM +0000, Job Snijders wrote:
>> Upon further inspection, it seems more likely that the bgp optimiser is
>> in ColoAU's network. Given the scale of AS 4637, if it were deployed
>> inside Telstra I'd expect more problem reports. AS 4637 may actually
>> just be an innocent bystander.
>> It is interesting to note that the /23 only appears on their Sydney
>> based routers on https://lg.coloau.com.au/
>> Is ColoAU's refusal to cooperate a matter of misunderstanding? Perhaps
>> you should just straight up ask whether they use any type of "network
>> optimisation" appliance.
> I found a few more interesting routes inside ColoAU's looking glass:
> - AS_PATH 63956 4637 3257 29909 16532 16532 16532 16532
>                  (should be originated by AS 17, Purdue
>                  University)
> - AS path: 135069 9439
> 				(does not exist in the DFZ, a peering lan prefix? a typo?)
> - AS path: 2764 1221 36692
> 				(does not exist in the DFZ, a peering lan prefix? a typo?)
> ColoAU propagated the above routes to their transit customers, so the
> and announcements definitely count as BGP
> hijacks with fabricated an AS_PATH.
> Kind regards,
> Job