
Large-Scale BGP Hijack - Ansil849
https://twitter.com/bgpmon/status/1246842916502302723
======
booi
It’s crazy to me that the fundamental protocol running the entire internet is
essentially based on the honor system... it is not working out well

~~~
Icathian
Border Gateway Protocol is just one routing protocol, calling it "the
fundamental protocol" is stretching a point. That award probably goes to TCP.
Maybe IPv4.

~~~
mox1
I mean no BGP, no global internet... just local LANs and WANs.

~~~
iso1210
BGP didn't start major inroads into the internet until the mid 90s.

RIP can't cope with the scale of the internet today, but to say BGP is
essential to interconnecting networks is not right

~~~
jlgaddis
Huh?

If you take away BGP, there is no Internet!

No other protocol in existence/use today can scale the way BGP has.

------
betaby
More details
[https://radar.qrator.net/blog/how_you_deal_with_route_leaks](https://radar.qrator.net/blog/how_you_deal_with_route_leaks)
and some analysis [https://www.ripe.net/ripe/mail/archives/routing-wg/2020-April/004083.html](https://www.ripe.net/ripe/mail/archives/routing-wg/2020-April/004083.html) if RPKI ROA could help
[https://blog.cloudflare.com/rpki/](https://blog.cloudflare.com/rpki/)

~~~
gruez
> The route leak was distributed quite well through Rascom (AS20764), then
> Cogent (AS174) and in a couple of minutes through Level3 (AS3356) to the
> world.

Is there a reason why these can't be filtered at the ISP level? E.g. Cogent
_knows_ that Rascom shouldn't be announcing those prefixes, and refuses to
route traffic to them unless there's manual verification?

~~~
mike_d
> Cogent knows that Rascom shouldn't be announcing those prefixes, and
> refusing to route traffic to them unless there's manual verification

I run a large production BGP network. With two exceptions every provider
needed a Letter of Authorization from me to send to their upstream that
authorized the announcement of my IP space (the exceptions being India where
they wanted to charge extra for filtering announcements, and Russia where they
offered to not do filtering for an extra charge).

This "manual verification" already takes place. It just doesn't apply to large
transit providers interconnecting like what happened here.

~~~
kitteh
The challenge is with scale. If I'm a network who has many networks downstream
of me I might have 50 to 100 prefix changes in a month. None of my upstream
providers are going to like manually vetting all of those, and none of my
customers want to wait days before their announcements propagate. So there is
this sort of state you can land yourself in as a "you're a big customer, we
seem to trust you".

The reality is that RPKI Origin Validation solves this (but not path spoofing,
we need ASPA for that) and people need to publish valid ROAs.

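The RPKI Origin Validation step the comment above refers to, as an added example that is not from the thread or any RPKI implementation: it applies the RFC 6811 rules (covering ROA, origin ASN match, maxLength) to constructed ROAs and announcements, and shows why a leaked route that keeps the legitimate origin AS still comes out Valid. All prefixes and ASNs are constructed documentation values.

```python
import ipaddress

# Constructed sample ROAs, not real RPKI data: (prefix, maxLength, origin ASN)
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]


def ov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 Route Origin Validation outcome for one (prefix, origin).

    Valid    - some covering ROA matches the origin ASN and its maxLength
    Invalid  - covering ROAs exist but none matches
    NotFound - no ROA covers the prefix at all
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version:
            continue
        # A ROA "covers" the route if the route lies inside the ROA prefix
        if not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def validate_announcement(prefix, as_path, roas=ROAS):
    """Validate a BGP announcement; the origin AS is the last AS in AS_PATH.

    Note: only the origin is checked. A route leaked through an unexpected
    transit path (the middle of AS_PATH) with the correct origin is still
    Valid, which is the gap the comment says ASPA is meant to close.
    """
    return ov_state(prefix, as_path[-1], roas)


if __name__ == "__main__":
    # Constructed announcements: a misorigination, a path leak, a too-specific
    print(validate_announcement("203.0.113.0/24", [64503, 64502, 64999]))  # Invalid
    print(validate_announcement("203.0.113.0/24", [64503, 64502, 64500]))  # Valid
    print(validate_announcement("198.51.100.0/25", [64503, 64501]))        # Invalid
    print(validate_announcement("192.0.2.0/24", [64503, 64500]))           # NotFound
```
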
------
krebsonsecurity
This appears to be related:
[https://twitter.com/InternetIntel/status/1247100092575813635](https://twitter.com/InternetIntel/status/1247100092575813635)

[https://www.ripe.net/support/service-announcements/accidental-roa-deletion](https://www.ripe.net/support/service-announcements/accidental-roa-deletion)

Last week a large BGP routing leak (>20k prefixes) occurred in Russia and
briefly impacted internet traffic around the world.

See the interactive 3D visualization of the incident here:
[https://map.internetintel.oracle.com/leaks#/id/20764_12389_1585768500](https://map.internetintel.oracle.com/leaks#/id/20764_12389_1585768500)

~~~
kitteh
It's the same event. BGPmon was just delayed by a few days.

------
annoyingnoob
This is very similar to the caller-id problem that plagues telephones. Our
networks were built for trust that no longer exists. Our protocols need to
catch up with the times.

------
peterwwillis
Oh look, another submission of a tweet. Probably won't be able to read the
tweet in the future when it gets deleted, no real context or other information
in the tweet.

It would literally be more useful if you just screenshot it and posted that,
as at least it would last longer, not to mention add detail.

~~~
0az
I don't really get the hate for tweets.

> Probably won't be able to read the tweet in the future when it gets deleted,
> no real context or other information in the tweet.

I find the tweet helpful. I didn't know about BGPmon, for instance.

Screenshots, on the other hand... They're not accessible, and they don't
provide easy links back to the author, nor access to the tweet's reply
context. I find all of those valuable.

------
ac29
More here: [https://www.manrs.org/2020/04/not-just-another-bgp-hijack/](https://www.manrs.org/2020/04/not-just-another-bgp-hijack/)

------
Icathian
I'm curious as to the real impact. Facebook has the means to mitigate this
quite easily. I wonder what's gained from this, if anything.

~~~
lathiat
Why do you say Facebook has the means to mitigate this quite easily? That's
not really true as I understand it.

The problem is that these announcements are made by third parties, and
accepted by fourth parties, both of which Facebook has no control over.

While it's possible for Facebook to implement some controls over what routes
THEY accept and therefore what routes Facebook sends traffic TO, it cannot
control where others send traffic. If a third party advertises Facebook's
routes to a fourth party, and they accept them, Facebook cannot do anything
directly about that. And then those fourth parties accepting the routes will
send traffic TO Facebook via the third party.

~~~
toast0
I didn't look to see how much of Facebook's ranges got hijacked. Assuming some
got hijacked and others didn't (which is usually what happened), they could
direct more traffic to ranges that weren't hijacked (assuming their DNS ranges
didn't get hijacked). For the ranges where the hijacking wasn't at the /24
level, Facebook also has plenty of staff who could adjust to advertise more
specific routes. All the big internet companies with ASNs should have that
though; but the smaller places that probably got hijacked too may not.

Disclosure: I used to work at WhatsApp, including while it was part of
Facebook. Everything in this message is armchair routing policy though.

~~~
wbl
With a leak this size that could have blown up the table and caused some
serious problems.

~~~
kitteh
Max prefix kicked in and tore down the sessions before that damage started
(it's also why it was so short).

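The max-prefix behaviour described in the comment above, as an added example that is not from the thread or any router vendor: a toy eBGP session with a prefix limit that, once exceeded, drops everything learned from the peer and goes Idle, which is why a large leak through a limited session is short-lived. The peer ASN, limit and prefix sets are all constructed.

```python
import ipaddress


class BgpSession:
    """Toy eBGP session with a max-prefix limit (constructed, not vendor code)."""

    def __init__(self, peer_asn, max_prefix):
        self.peer_asn = peer_asn
        self.max_prefix = max_prefix
        self.adj_rib_in = set()      # prefixes currently accepted from this peer
        self.state = "Established"
        self.events = []

    def receive_update(self, prefixes):
        """Process the NLRI of one UPDATE; return the session state afterwards."""
        if self.state != "Established":
            return self.state
        for p in prefixes:
            self.adj_rib_in.add(p)
            if len(self.adj_rib_in) > self.max_prefix:
                # Limit exceeded: the usual action is to tear the session down,
                # which withdraws every route learned from this peer at once.
                self.events.append(
                    f"AS{self.peer_asn}: max-prefix {self.max_prefix} exceeded, session torn down")
                self.adj_rib_in.clear()
                self.state = "Idle"
                return self.state
        return self.state


def constructed_prefixes(count):
    """First `count` /24s of 10.0.0.0/8 as strings (constructed sample data)."""
    subnets = ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=24)
    return [str(next(subnets)) for _ in range(count)]


def simulate_leak(limit, normal_count, leaked_count):
    """Return (prefixes before leak, state after leak, prefixes after leak)."""
    s = BgpSession(peer_asn=64500, max_prefix=limit)
    prefixes = constructed_prefixes(normal_count + leaked_count)
    s.receive_update(prefixes[:normal_count])
    before = len(s.adj_rib_in)
    s.receive_update(prefixes[normal_count:])
    return before, s.state, len(s.adj_rib_in)


if __name__ == "__main__":
    print(simulate_leak(limit=1000, normal_count=500, leaked_count=20000))
    print(simulate_leak(limit=100000, normal_count=500, leaked_count=20000))
```
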
