Bringing the internet down by redistributing rogue BGP routes

I was just looking at the following scenario:

Someone or a rogue organisation builds up an ISP which is multihomed over the globe, with locations on all continents under the same AS number. Now, if these bad guys redistributed all the other networks, which don't even belong to them, I think you could cause a lot of trouble? All ASes not directly connected to each other would reroute to my rogue ISP, resulting in traffic ending up in my AS --> in a black hole. Of course this would be a temporary condition, until the other ISPs found out and blocked the rogue AS. But I think this would cause some serious damage, or?

cheers colin

Reply to
Colin Cant

The attacker can be located anywhere... just read about the recent YouTube hijacking. Interesting links:

Reply to
Slawomir Kawala

Well, I guess this proves that it is possible! Wow! This opens a new kind of market in the ISP world then, right? ;-) Terrifying but true. Nowadays a lot of stuff is done over IP; I don't want to imagine what all could go wrong... But as an ISP, how do I secure myself against such attacks? How do I alert myself if my routes are starting to get hijacked by a rogue AS? The YouTube guys were rather fast..

"Slawomir Kawala" wrote in message news:g13tdv$qib$ snipped-for-privacy@mx1.
>> But I think this would cause some serious damage, or?

Reply to
Colin Cant

Well, first of all - it should never happen ;) IMHO this incident has shown that low-qualified network engineers work with BGP. In the YouTube case PCCW Global should have filtered out 'wrong' prefixes received from Pakistan Telecom.

I'm afraid that you as a potential victim can't do much... You will see that something wrong is going on when you suddenly notice much less traffic than usual; probably your customers will call too ;) You can use one of the many (world-wide located) LGs (looking glasses) to check whether your prefixes are advertised correctly. As a reaction to an incident you can do the same thing the YouTube engineers did - advertise more specific routes... but keep in mind that many ISPs filter out prefixes with a netmask longer than /24, and that is one of the good practices (smaller routing table, less memory/CPU usage).

Some interesting docs about (not only) BGP security you can find here:

Reply to
Slawomir Kawala

Well, of course, that was one prefix too many advertised!! Oops! But think about political or other organisations who "accidentally" DoS a competitor's network range. This might come up in future, in combination with the juridical location of the ISP and local laws of the country, which are not as fair as to punish such actions. This could provide us with some fun on the backbones..

Well, you notice you have no traffic and no customers anymore for some time.. How would you like to look at looking glasses when the routes of your reverse path point somewhere else? So you as an ISP need to have a backup DSL line from a different ISP to check who hijacked your networks and look up the looking glasses.. ;-) What if the rogue ISP advertises /24s rather than a more specific route.. on the internet usually nobody is going to accept an even longer match!

Reply to
Colin Cant

I doubt that this would be a sustainable business model.

[more hyperbole deleted.]

I recommend looking at RIPE's RIS (Routing Information Service), in particular their MyASN tools, which include alerts about unexpected announcements of your prefixes. RIS collects routes from around the world (especially Europe :-) in very close to real time. I'm not sure how timely the MyASN alerts really are, though.

There are also commercial services that will monitor your routes (Renesys).

That's right.

Reply to
Simon Leinen
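The check that both the looking-glass advice and the MyASN-style alerting above describe, written out as an added example (not code from this thread, from RIS or from any of the tools named): compare routes observed at collectors against the prefixes and origin AS you expect, and flag the three cases the thread discusses. The ASNs, prefixes and collector names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# What we legitimately originate (constructed sample values, documentation ranges).
OUR_ORIGIN_AS = 64500
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/22")]

# Routes as a looking glass or route collector would show them:
# (collector name, prefix, AS path with the origin AS last). Constructed.
SAMPLE_OBSERVED = [
    ("lg-eu-1", "192.0.2.0/24", [64496, 64500]),       # our own announcement, fine
    ("lg-eu-1", "192.0.2.0/24", [64496, 64511]),       # same prefix, foreign origin
    ("lg-us-2", "198.51.100.0/24", [64497, 64511]),    # /24 carved out of our /22
    ("lg-as-3", "198.51.100.128/25", [64497, 64511]),  # /25: most ISPs filter this
    ("lg-us-2", "203.0.113.0/24", [64497, 64499]),     # unrelated prefix, ignored
]

@dataclass
class Alert:
    prefix: str
    origin_as: int
    kind: str      # "wrong-origin", "more-specific" or "too-specific"
    seen_at: str

def check_routes(observed, our_prefixes=OUR_PREFIXES, our_as=OUR_ORIGIN_AS):
    """Return one Alert per observed route that conflicts with our expected origin."""
    alerts = []
    for collector, prefix_str, as_path in observed:
        prefix = ipaddress.ip_network(prefix_str)
        origin = as_path[-1]  # rightmost AS in the path is the originator
        for ours in our_prefixes:
            if prefix.version != ours.version or origin == our_as:
                continue
            if prefix == ours:
                # Same prefix, different origin: path length decides who wins.
                alerts.append(Alert(prefix_str, origin, "wrong-origin", collector))
            elif prefix.subnet_of(ours):
                # A longer match beats our route wherever it is accepted; beyond
                # /24 it is commonly dropped by filters, so flag it separately.
                kind = "more-specific" if prefix.prefixlen <= 24 else "too-specific"
                alerts.append(Alert(prefix_str, origin, kind, collector))
    return alerts

if __name__ == "__main__":
    for a in check_routes(SAMPLE_OBSERVED):
        print(f"{a.seen_at}: {a.prefix} originated by AS{a.origin_as} ({a.kind})")
```

Feeding it real collector output instead of the constructed list is the only change needed; the more-specific case is the one the thread's YouTube example hinges on.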
