Most routers would crash and the internet would stop long before we ever got to 12 million routes.
The article mentioned that some networks within the /19, in this incident, were critical. So yes, I believe that every business should advertise /24 for their highly critical infra. They can advertise /19, /20 and so on for the less important networks. No need to use /24 for everything.
Sorry for the quick-fire snark.
Didn’t Pakistan advertise a /28 at one point that blackholed YouTube?
Good times. (/s)
24-19 = 5 bits. 2^5 = 32
TransTelecom (AS 20485) in Russia, China Telecom (AS 4809) in China and MainOne (AS 37282), a small ISP in Nigeria.
I don't know what qualifies as a big ISP, but I am certain MainOne, with a 14,000 kilometre submarine fibre optic cable, may not be one to be classified as a small one.
The Main One Cable is a submarine communications cable stretching from Portugal to South Africa with landings along the route in various west African countries.
Pot, meet kettle. Seriously, how is this even worth a mention? The US invented wholesale internet surveillance.
edit: Why the downvotes with no response despite my comment being entirely relevant? If anyone would like to explain/counter I would be curious to hear their reasoning
You may not like the Chinese or foreign governments, but Hacker News isn't a place to express that bigotry.
That doesn't mean the US isn't performing the same level of surveillance/tracking, just that they aren't publicly picking up dissenters. In reality, if they were really worried, they'd hit you with a gag order and charge you in the FISA courts so you can't go public.
That's why they invented it, right? To make sure the political status quo does not change. That includes political systems in the US, UK, China and Russia.
Curious what Google traffic might still be unencrypted now.
Two billion people living in an autocracy ... if Google still believed in Don’t Be Evil, this would not be acceptable.
It just goes to show the power of branding and how much people attach to it.
edit/minor correction: I guess they'd have control over peering agreements for initial hops for Google Fiber users, but that wouldn't have resolved the issue in this case, either, unless they stopped peering with other huge providers like NTT. Even then, it'd only help their subscribers.
Lots of people live in China.
China doesn't need anyone to play along to prevent their population from accessing the global internet. Right now, at least the rest of the world can access Chinese websites. A blanket ban on peering with Chinese ISPs would really bifurcate the internet. I'd count that as "playing along".
To answer your question, most large companies have been subject to cyber espionage by the Chinese military for several years. This accounts for the speed at which China built its manufacturing base in strategically important industries and its ability to rapidly copy products and the required tooling for their manufacture.
The Mandiant report I linked to above focused on tracking the activities of a single but prolific APT group responsible for hacks in 150 major companies worldwide for 7 years since 2006, and that they believe is actually a team of cyber espionage professionals from within the Chinese military.
Also just for fun: Anyone here drive a Range Rover Evoque? Here's China's version:
So the result is that you have to somewhat trust who you are peering with, and who they are peering with, etc. to the other end of the traffic.
A bad actor can make lots of chaos.
Somewhere, a BGP route was misconfigured to send data somewhere else.
What would happen if a BGP route was terminating at China, and the bad actor who made it happen decided that they are not going to fix it and just leave it?
How would the rest of the BGP network deal with it?
Given the audience, it wasn't the PR manager's finest hour this week. What happens in BGP land is discussed publicly on the NANOG mailing list, and they are the friendliest crowd ever.
I've read them go out of their way to solve issues that just needed goodwill to do in a couple of minutes, keeping the back channels open even between companies whose rivalry would dictate that they'd talk to each other only via their law firms.
1K@@ will probably be laughed at in the list
Nowhere was this more obvious than Malaysia, which is their neighbor... but still crazy to see giant brand new office parks that look abandoned.
To your point, it doesn’t at all surprise me about Nigeria because I saw it in ZA.
China seems to have a world wide plan for the next century.
If it's not a government project, it could also be capital flight. I think it's one of the main drivers of real estate price expansion around the world. There's concern in China that things could collapse in the next 10 to 20 years. Many people seem to think that losing most of your real estate investment is better than losing ALL of your money.
If their government doesn't collapse first.
"Strange snafu misroutes domestic US Internet traffic through China Telecom"
> China Telecom, the large international communications carrier with close ties to the Chinese government, misdirected big chunks of Internet traffic through a roundabout path that threatened the security and integrity of data passing between various providers’ backbones for two and a half years, a security expert said Monday. It remained unclear if the highly circuitous paths were intentional hijackings of the Internet’s Border Gateway Protocol or were caused by accidental mishandling.
It's just a BGP hijack. Get over it.
As BGP nodes come online, they establish connections with "nearby" existing BGP nodes, saying what version and how frequently they'll check in, and what their AS number is (a unique identifier).
Once communications have been established, then they can start to report any network routes they know about.
"I'm AS 123456, and I am the originator for 22.214.171.124/0" (i.e. they're responsible for it), "Also, I can reach 126.96.36.199/8 with a cost of 6" (A fair number of hops away on the network).
Any neighbouring BGP peers update their routing table:
"AS 123456 is responsible for 188.8.131.52/8, and I can reach it with a cost of 1, and I can also reach 184.108.40.206/8 with a cost of 7 via AS 123456". If there's a cheaper route to a network address, no changes will happen.
Routing changes can propagate quite quickly across the internet. The routing protocol is nice and lightweight, and updates are happening with reasonable frequency, as network connections come and go.
The idea is that should damage occur to the network fabric, the network will automatically update and route around it, without need for any intervention.
It's entirely built on trust, though. You have to trust that AS 123456 is indeed actually responsible for 220.127.116.11/8.
If you get two parties indicating responsibility for a network range, it's possible to end up with routing loops etc., as things get into a mess.
What is legitimate behaviour, though, is for, say, AS 123456 to be the originator for 18.104.22.168/8, and another AS be the originator for 22.214.171.124/24 (i.e. just 254 addresses under that space). That's not an unusual situation, and it won't cause routing issues, because more specific is taken as a priority over less specific. Rough analogy: "In general, mail for General Electric should be sent here, but if it's for the electronics product division, send it straight to them."
There have been different attempts to put filtering in place, provide authentication "Yes, AS 123456 is allowed to be responsible for 126.96.36.199/0" and the like, but nothing has really taken off.
With different data snooping/data protection policies in various countries, it would also be useful if you could order your traffic to avoid certain countries.
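The two mechanisms from the BGP explanation above (more-specific prefixes win, and origin authorisation as a filter), as an added example that is not part of any commenter's post. It models the check on RPKI-style route origin validation with valid / invalid / not-found outcomes, which is an assumption since the thread names no specific scheme; the prefixes (benchmarking range 198.18.0.0/15) and AS numbers (documentation ASNs) are constructed.

```python
import ipaddress

# Constructed sample data, not taken from the incident.
ROAS = [  # (authorised prefix, max prefix length, authorised origin AS)
    (ipaddress.ip_network("198.18.0.0/19"), 19, 64496),
]
ANNOUNCEMENTS = [  # (prefix, origin AS) as learned from peers
    ("198.18.0.0/19", 64496),  # legitimate covering route
    ("198.18.5.0/24", 64511),  # more-specific from an unauthorised AS
]

def validate(prefix, origin, roas=ROAS):
    """Origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, max_len, roa_as in roas:
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if origin == roa_as and net.prefixlen <= max_len:
                return "valid"
    # Covered by an authorisation but matching none of them: reject.
    return "invalid" if covered else "not-found"

def build_table(announcements, drop_invalid):
    """Install routes, optionally filtering those that fail validation."""
    table = {}
    for prefix, origin in announcements:
        if drop_invalid and validate(prefix, origin) == "invalid":
            continue
        table[ipaddress.ip_network(prefix)] = origin
    return table

def lookup(table, address):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]

def more_specifics(covering, new_len=24):
    """Number of /new_len routes needed to replace one covering prefix."""
    return 2 ** (new_len - ipaddress.ip_network(covering).prefixlen)

if __name__ == "__main__":
    for filtering in (False, True):
        table = build_table(ANNOUNCEMENTS, drop_invalid=filtering)
        print("filtering" if filtering else "no filtering",
              "-> 198.18.5.10 via AS", lookup(table, "198.18.5.10"))
    print("/24s inside a /19:", more_specifics("198.18.0.0/19"))
```

Note that the legitimate origin announcing its own /24 is also rejected here, because the authorisation's maximum length is 19; defensive de-aggregation only works if the authorisation is published to match.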
You would still want full connectivity, but when things went wrong I could lose connectivity to a Nigerian ISP without critical business risk, but losing access to Google sucks. You could largely accomplish this by prefixing the hell out of everything except the “special” connection, and ensuring DDoS and other security filtering could drop the entire normal network if needed without affecting internal or special.
As succinctly as I can put it, this is exactly the opposite sentiment of Net Neutrality.
Leaking a route would imply you’re advertising the route to a peer that you’ve otherwise not intended to, either due to a misconfiguration or by not configuring things at all.
OP showing off their tools contributes to the article, so I don't mind
Is this yet another marketing ploy where you post something with a purposely misleading title in order to attract traffic? I don't like the fact that the word "thousandeyes" got stuck in my head, nor do I like the fact that I got clickbaited. This one is going to my list of "just like every other site since 2015, don't click".
Why? BGP has always been insecure and repeating that fact doesn't make it any less so.
Why would somebody paint you stupid upon reading your totally spot-on observation? Even in case of not agreeing.
Other keywords, yes, those are important for SEO. But repeating your unique company name, not so much.