Bangladesh

A few weeks back I got in touch with Marc from Meghalaya. He offered to host RIPE Atlas probe at Shillong and that’s an excellent location which isn’t there on RIPE Atlas coverage network yet. It took around 5 days for the probe to reach Shillong from Haryana. I think probably this probe is the one at the most beautiful place in India. :) Now that probe is connected, I thought to look into routing which is super exciting for far from places like Shillong. Marc has a BSNL FTTH connection & mentioned about not-so-good latency. Let’s trace to 1st IP of the corresponding /24 pool on which probe is hosted:

India has a slum problem as many of us know. Slums are a serious problem and there’s just no easy way to fix them. One cannot just push thousands and thousands of people out while at the same time quality of life in slums is terrible. One thing which happens a lot in India is the fact that Govt. does nothing when slums are getting established and once they are established situation gets out of control.    

Earlier this month I got an opportunity to be part of IXP workshop in Kolkata. It was a 3-day event organised by ISOC Kolkata and supported by APNIC. There was also a workshop on DNSSEC and Champika Wijayatunga (from ICANN) was the instructor along with Anand Raje. It was a nice event and I come to know of other interesting projects ISOC Kolkata is doing like Indian IETF capacity building program apart from the IXP they are running in Kolkata. Mr Anupam Aggarwal and Anand showed the IX and it looks very good. I think it’s the first and only IX I know in India which is a real IX with proper policy. It’s an IX by a non-for-profit group, allows anyone to connect, a real layer 2 IX and welcomes anyone including ISPs, content players and root DNS servers. Presently IIFON-IX in Kolkata has few member ISPs besides the L root from ICANN and one of Verisign gTLD nodes (which host zones for .com, .net etc). I also saw a rack with some of Akamai CDN servers. This brings decent content right there. IX’es play an extremely important part of current internet infrastructure ecosystem. It’s very likely that content of this blog is travelling from my server to your browser from an Internet Exchange. :)  

Yesterday Google’s Bangladeshi website google.com.bd was hacked and this happened via DNS. It was reported on the bdNOG mailing list at morning in a thread started by Mr Omar Ali.

This clearly shows how authoritative DNS for “com.bd.” (which is same as bd. btw) was poisoned and was reflecting attackers authoritative DNS. Later Mr Farhad Ahmed posted a screenshot of google.com.bd showing hackers page:

Later Mr Sumon Ahmed mentioned that it happened because web frontend of .bd was compromised. This was an interesting hijack as attacker attacked the key infrastructure of the registry instead of Google or Facebook servers. It’s also a warm reminder of the way DNS depends on the hierarchal structure by design and at this stage, we need to focus on DNSSEC to add on the security to the current system.   Lately .bd domain faced issues multiple time this year. I hope it will have a good stable time in the upcoming year. In terms of stability it is being backed by PCH anycast infrastructure but PCH’s DNS servers are just published in NS records of it’s existing auth servers, but not on the parent zone (which is root zone). Thus the point of failure remains and is yet to be fixed.

Bangladesh’s .bd ccTLD faced another outage. As I mentioned in one of the previous posts - .bd domain seems to be primarily on BTCL (AS17494).  Zone delegation of .bd is still pending with PCH and while PCH is mentioned in NS records of the authoritative DNS servers but delegation is pending in the root DNS servers as per reply from Kabindra from PCH on the bdNOG mailing list during the last outage.

Day before yesterday i.e on 18th August 2016 Bangladesh’s TLD .bd went had an outage. It was originally reported by Jasim Alam on bdNOG mailing list.

dig btcl.com.bd @8.8.8.8
; <<>> DiG 9.10.4-P2 <<>> btcl.com.bd @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8114
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;btcl.com.bd.                   IN      A
;; Query time: 76 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 18 14:24:25 Bangladesh Standard Time 2016
;; MSG SIZE  rcvd: 40

His message shows that DNS resolution of BTCL (Bangladesh Telecommunications Company Ltd) was failing. Later Alok Das that it was the power problem resulting in outage. Let’s look ask one of 13 root DNS server about NS records on who has the delegation for .bd.

Last week while travelling to London from Delhi IGI airport I was standing in immigration queue. One of fellow passenger (likely from Bihar as per my guess from his accent) came right behind me. He was bit afraid and asked me in low voice if those (immigration) gates would get him to his flight for Dubai. I smiled and told him that it’s common passage for everyone travelling to just anywhere and explained to him about his gate by looking at his boarding pass. By this time he appeared less worried and stood silently behind me. After few mins as queue proceeded a group of 4 travellers (again of similar profile) proceeded to immigration desk and I heard multiple immigration officers screaming/shouting on them for coming to their desk without boarding pass. I even heard a loud noise.

Last month India & Bangladesh went into an agreement for power and bandwidth. India stated export of an additional 100MW of power to Bangladesh while Bangladesh started a 10Gbps link to Indian state of Tripura. (News article on this here)

Tripura is an Indian state having its boundaries with Bangladesh as you can see in above map. Coming to routing side of things setup is that BSNL (AS9829) is buying IP transit from Bangladesh Submarine Cable Co. Ltd (BSCCL) at $1.2 million / year. This means a cost of around $10/Mbps/month or 662Rs/Mbps/month. It’s hard to say if it’s good or bad since other link from BSNL is via it’s other links. But yes it’s good to see a layer 3 connectivity in terms of IP transit relationship rather then leasing dark fiber or L1 waves as they would have caused bit inefficient routing in the area. In order to do this BSNL has setup a “gateway node” at Agartala. I think it would be pretty much a node with approvals under ILD from doT and extremely likely a LIM device for lawful interception.   Months before it actually came up, Dyn research tweeted about this visible routing relationship.  

This week I presented in bdNOG 4 on “Misused top ASNs”. It was a study we at Hurricane Electric did to see how many times AS1, AS2 and AS3 appeared in global routing table between 2010 and 2015. This highlights cases where AS1, AS2 or AS3 appeared as a result of wrong prepend.  

My presentation is embedded below:

Overall bdNOG 4 had been a great experience. It’s good to see a nice NOG community actively sharing technical know-how, sharing experiences, and much more. I must say that is something I greatly miss in India. More on bdNOG conference later on.