Network hijacking: Wrong BGP announcements screwing up traffic
Yesterday I came across a very interesting case of network hijacking of an ISP, caused by wrong BGP announcements from another network. The issue was reported to the NANOG mailing list.
The issue was reported by Kevin, Senior Engineer at Altus Communications (AS11325). The problem was that SBJ Media LLC (AS33611) was announcing /24 blocks for specific slices of Altus's space: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20, which are allocated to Altus Communications (as per ARIN whois).
The good news for now is that the problem seems to be on its way to being fixed, and the route servers of AT&T and Hurricane Electric are showing the right path for the /24 blocks. Just now Kevin updated NANOG, saying:
I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :)
We’re still not out of the woods, announcing /24s and working with upper tier carriers to filter out our lists. However, I just got this response from Phoenix NAP and found it funny. The “thief” is a former customer, whom we terminated their agreement with. They then forged an LOA, submitted it to CWIE.net and Phoenix NAP and resumed using space above and beyond their terminated agreement.
This is a very interesting case, and it shows that even today there’s no guarantee of correct routing on the Internet. There are so many autonomous systems out there, but at the end of the day routing still somehow works!
What can an ISP do in such cases? (This is what I have learned from looking at such cases so far.)
- More specific prefixes like a /24 are preferred over a covering /20 (routers forward on the longest matching prefix). So if someone hijacks a /24 out of your /20 block, you can (and should) also start announcing that /24, to make sure the hijacker does not get any additional benefit from announcing a smaller, more specific route.
- Find the upstream ISPs of the attacker’s autonomous system and get the announced prefixes filtered out at the source itself.
- Contact your own upstream ISPs and request prefix filtering from them.
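The first point above (longest-prefix match, detection of a foreign more-specific, and the matching counter-announcement) as an added Python example that is not part of the original post. The /20 blocks and AS numbers are the ones named in the post; the /24 `208.110.50.0/24` and all function names are constructed for illustration.

```python
import ipaddress

net = ipaddress.ip_network

# Allocations and origin AS as stated in the post (Altus, AS11325).
EXPECTED = {
    net("208.110.48.0/20"): 11325,
    net("63.246.112.0/20"): 11325,
    net("68.66.112.0/20"): 11325,
}

# Constructed routing table of (prefix, origin AS). The /24 is a made-up sample;
# the post does not list the exact /24s that AS33611 announced.
RIB = list(EXPECTED.items()) + [(net("208.110.50.0/24"), 33611)]

def candidates(rib, addr):
    """Longest-prefix match: origin ASes of the most specific routes covering addr."""
    ip = ipaddress.ip_address(addr)
    covering = [(p, asn) for p, asn in rib if ip in p]
    if not covering:
        return []
    longest = max(p.prefixlen for p, _ in covering)
    return sorted(asn for p, asn in covering if p.prefixlen == longest)

def find_hijacks(rib, expected=EXPECTED):
    """Flag announcements that sit inside an expected block but have a foreign origin."""
    return [(p, asn, block)
            for p, asn in rib
            for block, owner in expected.items()
            if p.version == block.version and p.subnet_of(block) and asn != owner]

def counter_announce(rib, expected=EXPECTED):
    """Add the owner's own announcement for every foreign more-specific found."""
    return rib + [(p, expected[block]) for p, _, block in find_hijacks(rib, expected)]

if __name__ == "__main__":
    for p, asn, block in find_hijacks(RIB):
        print(f"ALERT: {p} originated by AS{asn}, inside {block} (AS{EXPECTED[block]})")
    print(candidates(RIB, "208.110.50.10"))                    # only the foreign /24 matches
    print(candidates(counter_announce(RIB), "208.110.50.10"))  # tie on prefix length
```

After the counter-announcement both origins tie on prefix length, so the choice falls to the rest of BGP path selection (local preference, AS-path length and so on); that is why the filtering steps are still needed.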
This whole incident reminds me of the YouTube blackout in 2008 caused by Pakistan Telecom. Other than prefix filtering by big ISPs, one can’t really do much if such a wrong announcement continues.
With the hope that your ISP’s network is not “stealing” others’ IPs, it’s time for me to go out for a morning walk in the village!
Special thanks to John Schneider from Iowa Network Services for his inputs & answering my questions! :)