
netsec-sig - Re: [Security-WG] [NTAC] Perverse Routing

Subject: Internet2 Network Security SIG

  • From: David Farmer <>
  • To: Michael H Lambert <>
  • Cc: Bill Owens <>, Jeff Harrington <>, NTAC <>, "" <>,
  • Subject: Re: [Security-WG] [NTAC] Perverse Routing
  • Date: Sat, 28 Dec 2019 20:39:19 -0600



On Sat, Dec 28, 2019 at 20:09 Michael H Lambert <> wrote:
> Bill Owens wrote on 2019-12-28 15:12:
>> *> 170.158.66.0/23 146.57.255.241 1379 202 0 11537 3754 46158 46158
>> 46158 46158 46158 46887 3356 6453 55002 i
>>
>> This is an interesting test case for our filters, which have obviously
>> failed. The end-user is AS46158 and has, shall we say interesting BGP
>> policies, and is also plagued by almost-continuous DDoS attacks. I think
>> what’s happening here is they’ve heard their own prefix coming from the
>> DDoS scrubber, and arriving back in their table from one of their ISPs.
>> Our filters limit them to their own IP block but otherwise give them a
>> lot of flexibility about how they advertise to us, in part so they can
>> deal with these problems. Obviously we didn’t anticipate them
>> readvertising their own prefix from another origin AS. We’ll have a
>> conversation on Monday and figure out what kind of filter we need to
>> establish to let them continue tweaking their routing as needed but
>> prevent this kind of oops.
>
> The occurrence of AS 0 in the AS_PATH is interesting.  At first glance
> it would appear that neither 11537 nor 202 is handling RFC 7607
> correctly.  Having said that, I'm not certain we would, either.

The 0 isn’t part of the AS Path; it is the Weight, 202 is the local pref, and 1379 is the MED. 11537 is the first ASN in the path for all the routes I provided. I think any extra whitespace got mushed out by the commenting by Bill.

Sorry for any confusion.


--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
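
The column confusion discussed in this thread, as an added example that is not part of the original messages: Python code that splits the whitespace-collapsed route line into attribute columns and AS path, then checks the path for AS 0 (RFC 7607) and for the customer AS passing on a route it does not originate. The function names, the finding codes and the `attr_cols` parameter are assumptions made for illustration; `attr_cols=3` follows the MED / local pref / weight reading given in the reply.

```python
import ipaddress

# Constructed from the route line quoted in the thread: whitespace collapsed,
# wrapped line rejoined.
SAMPLE = ("*> 170.158.66.0/23 146.57.255.241 1379 202 0 11537 3754 46158 46158 "
          "46158 46158 46158 46887 3356 6453 55002 i")

def parse_route(line, attr_cols=3):
    """Split a whitespace-collapsed route line into attributes and AS path.

    Assumption: attr_cols numeric columns (MED, LocPrf, Weight when 3) sit
    between the next hop and the AS path; collapsed text cannot show blanks.
    """
    tok = line.split()
    if len(tok) < 4 + attr_cols:
        raise ValueError("line too short for the assumed column layout")
    prefix = ipaddress.ip_network(tok[1])      # raises on a malformed prefix
    next_hop = ipaddress.ip_address(tok[2])    # raises on a malformed next hop
    nums = [int(t) for t in tok[3:-1]]         # raises on a non-numeric token
    return {"status": tok[0], "prefix": prefix, "next_hop": next_hop,
            "attrs": tuple(nums[:attr_cols]), "as_path": nums[attr_cols:],
            "origin_code": tok[-1]}

def collapse_prepends(path):
    """Drop consecutive repeats so prepending does not hide the real hops."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def audit(route, customer_as):
    """Return finding codes for one parsed route (hypothetical code names)."""
    findings = []
    path = collapse_prepends(route["as_path"])
    if 0 in path:
        findings.append("AS0_IN_PATH")          # RFC 7607: AS 0 is not valid in AS_PATH
    if customer_as in path and path[-1] != customer_as:
        findings.append("CUSTOMER_NOT_ORIGIN")  # customer passes on another origin's route
    return findings

if __name__ == "__main__":
    for cols in (3, 2):  # 3 = reading given in the reply; 2 pushes the 0 into the path
        r = parse_route(SAMPLE, attr_cols=cols)
        print(cols, r["attrs"], collapse_prepends(r["as_path"]), audit(r, 46158))
```

With three attribute columns the path starts at 11537 and only the origin mismatch is reported; with two, the weight value 0 is misread as the first hop and the AS 0 check fires as well.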


