netsec-sig - Re: [Security-WG] [NTAC] Perverse Routing
Subject: Internet2 Network Security SIG
List archive
- From: Bill Owens <>
- To: David Farmer <>, NTAC <>, "" <>, "" <>
- Cc: Jeff Harrington <>
- Subject: Re: [Security-WG] [NTAC] Perverse Routing
- Date: Sat, 28 Dec 2019 20:12:00 +0000
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nysernet.org; dmarc=pass action=none header.from=nysernet.org; dkim=pass header.d=nysernet.org; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6l9CL3jLogJQDpNTy/uzF90C4077aXhmbqMXuDgpLtE=; b=LuwHiLooyWxm3ottyRjbtpElgv/Jy1c3r2UfUfBdTbcu02pOI/p7pgURnRlmnU/eg/1SvaJ+C9FOr8aHjtnlpMvKnjdVfB0dDw8Vv8IrdjQs4y4T3hP/oeWLREL8KLsI5EfnTAdo1+ojjoMz0cIWZP70OeE0MiIPWo433q/7vgtX/JAYucF2Bqzq8LHDtXMGGoQNIN9/4eSpQ2mOa0TDM3HB9ufpr1WIX7DSZ+lavBZHd7fv8rF+9YlUtbM+42XuD6jy34rOaGCd1S+KX5D6pbINbJtbIgiBSOkU3S+viWuHeB3GrgVuiZ0EOpiLzwVubmEDDudGUvKjDeWq8/+X3Q==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=e3MnYkviO0rpGGdIx+fPFppIBS7+Fr15CUVA8vWNuEXCfPU/saCNUsPcxwWnCJb2HShQDzJ94dGWrfoVhKilm2seXUC/IgPVwLPw2AdME2ODTI7V95que9HjUQcNy2C+mvoG39jaZ4+JXmIX/FQwiqE/OGC4w3tMtXQdrEJrLCbWBRQCRrDx01SOhRwRJKTZ4bzLhsjZXiTEAzjotvOCrq/UbtxxJxAQ/MbvoItE91kHM8vVe82s5uoSpkQ0IVT+I8xR1cPvSCWAngJSPjY6BOIxH85P+2aYIVMvZzRs1BUDtPUk4tzOjz9UaIwYzDb49EAjRWGjDht2cKhluDJwng==
*> 170.158.66.0/23 146.57.255.241 1379 202 0 11537 3754 46158 46158 46158 46158 46158 46887 3356 6453 55002 i
This is an interesting test case for our filters, which have obviously failed. The end-user is AS46158 and has, shall we say interesting BGP policies, and is also plagued by almost-continuous DDoS attacks. I think what’s happening here is they’ve heard their
own prefix coming from the DDoS scrubber, and arriving back in their table from one of their ISPs. Our filters limit them to their own IP block but otherwise give them a lot of flexibility about how they advertise to us, in part so they can deal with these
problems. Obviously we didn’t anticipate them readvertising their own prefix from another origin AS. We’ll have a conversation on Monday and figure out what kind of filter we need to establish to let them continue tweaking their routing as needed but prevent
this kind of oops.
Bill.
- [Security-WG] Perverse Routing, David Farmer, 12/28/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Chris Robb, 12/28/2019
- Re: [Security-WG] [NTAC] Perverse Routing, David Farmer, 12/28/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Jeff Bartig, 12/30/2019
- Re: [Security-WG] [NTAC] Perverse Routing, David Farmer, 12/30/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Jeff Bartig, 12/30/2019
- Re: [Security-WG] [NTAC] Perverse Routing, David Farmer, 12/28/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Bill Owens, 12/28/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Michael H Lambert, 12/29/2019
- Re: [Security-WG] [NTAC] Perverse Routing, David Farmer, 12/29/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Michael H Lambert, 12/29/2019
- Re: [Security-WG] Perverse Routing, David Farmer, 12/28/2019
- Re: [Security-WG] Perverse Routing, David Farmer, 12/29/2019
- Re: [Security-WG] [NTAC] Perverse Routing, Chris Robb, 12/28/2019
Archive powered by MHonArc 2.6.19.