How to wipe an ISP off the Internet

jes · Sep 26, 2013

How to wipe an ISP off the Internet

IS has answered questions about earlier downtime on its ADSL network

froot · Sep 26, 2013

That's one way of killing your competition

rico112 · Sep 26, 2013

i sometimes wonder where do these headlines come from... Sensationalism...

gregmcc · Sep 26, 2013

Hardly wiped off the inherent?

MagicDude4Eva · Sep 26, 2013

Maybe a network engineer can clarify this for me: I always thought that BGP hijacking was only possible if the advertised BGP announcements were not filtered on the recipients/peers, thus allowing to divert traffic elsewhere. To me it almost sounds like IS lacked a certain level of security to protect themselves from hijacking IP-traffic.

I lack the indepth knowledge of how this works, but the way this article is written, all I need is a router and then broadcast BGP....

gregmcc · Sep 26, 2013

It was the Chinese dammit!

Jan · Sep 26, 2013

gregmcc said:
Hardly wiped off the inherent?

At the bottom of the article you'll find IS essentially saying that there is a danger of the whole network being brought down.

MagicDude4Eva said:
Maybe a network engineer can clarify this for me: I always thought that BGP hijacking was only possible if the advertised BGP announcements were not filtered on the recipients/peers, thus allowing to divert traffic elsewhere. To me it almost sounds like IS lacked a certain level of security to protect themselves from hijacking IP-traffic.

I lack the indepth knowledge of how this works, but the way this article is written, all I need is a router and then broadcast BGP....

I also thought there were safeguards, which is why IS's response was so surprising.

ponder · Sep 26, 2013

This does not seem like malicious hijacking, more like a multiple origin AS conflict due to fat finger syndrome.

MagicDude4Eva · Sep 26, 2013

Maybe MyBB or someone with more technical knowledge can post a brief (or long) description how this was possible. In simplistic terms (for the non-network-gurus like me) it would be comparable to having two servers with the same IP - I do however appreciate the fact that in the BGP world of things there should be failsafes in place to avoid a fat-finger syndrome.

daffy · Sep 26, 2013

There should be safeguards for this sort of thing. But in the majority of cases there isn't.

Its very easy to bring up a BGP peer with a provider, but fine-tuning and maintaining a list of prefixes (addresses) that should be accepted requires constant maintenance.

Here's how it should work:
1) Customer brings up BGP session with ISP. Customer Provides ISP with a list of prefixes that belong to customer.
2) ISP builds a prefix-list and applies it to the Customer's BGP session.
-) should Customer announce anything outside of the agreed prefix list (malicious or fatfingered), ISP will ignore it.
If the customer gets another block of IPs, they notify the ISP of this, and ISP updates their prefix list. ISP then needs to inform it's upstream carriers to get them to accept the new prefix too. (most of the time, multiple upstream ISPs)

Here's how it works most of the time
1) Customer brings up BGP session with ISP. Customer Provides ISP with a list of prefixes that belong to customer.
2) ISP ignores prefix list. Network Engineer is happy enough that packets are flowing, so he calls it a day.
-) should Customer announce anything outside of the agreed prefix list (malicious or fatfingered), ISP accepts it and advertises it onwards.

Johand · Sep 26, 2013

Ummm.

The talk about "safe-guards" above shows that nobody really understands what BGP is. BGP is used so routers know which networks are where on the internet. Inherently there is a trust relationship between routes advertising networks.

From what I understand it is simply a case of somebody misconfiguration the address range of the network advertised on BGP. That means other networks were not able to reach IS. It has nothing to do with IS's systems, or communication between IS and their clients.

And yes... it is possible for organizations to do this. But I would say it is a bigger version of assigning yourself a static IP address belonging to somebody else

They will not last long because everybody will cut them off!

MagicDude4Eva · Sep 26, 2013

Johand said:
Ummm.

The talk about "safe-guards" above shows that nobody really understands what BGP is. BGP is used so routers know which networks are where on the internet. Inherently there is a trust relationship between routes advertising networks.

From what I understand it is simply a case of somebody misconfiguration the address range of the network advertised on BGP. That means other networks were not able to reach IS. It has nothing to do with IS's systems, or communication between IS and their clients.

And yes... it is possible for organizations to do this. But I would say it is a bigger version of assigning yourself a static IP address belonging to somebody else They will not last long because everybody will cut them off!

That's not my understanding. I always thought (as @daffy also mentioned) that the "peering/recipient" partners of BGP notifications would filter based on prefixes.

magneto · Sep 26, 2013

bgp = i trust u , u trust me and we all happy

Wonder if they are using Cyclops for monitoring and notification.?
It will report to you if someone other than your ASN is announcing your prefix(es), or if it/they is/are coming from another ISP other than your upstream ASN Peer(s). Oh yes and its FREE

ambo · Sep 26, 2013

MagicDude4Eva said:
That's not my understanding. I always thought (as @daffy also mentioned) that the "peering/recipient" partners of BGP notifications would filter based on prefixes.

Some do... many don't. It is often becomes difficult to maintain filters when 1000's or even 100 000's of routes are being exchanged between 2 ISPs and humans are lazy.

In this case there is not a lot that IS could have done. IS do filter their network strictly but any other ISP that fails to filter correctly could be the cause of this kind of issue.

New mechanisms like RPKI have been developed to secure the routing protocols using cryptographic signatures. This however requires (once again) other networks to filter based on this data and reject the bad routes. Not yet very much of that happening.

Paul Hjul · Sep 26, 2013

MagicDude4Eva said:
Maybe MyBB or someone with more technical knowledge can post a brief (or long) description how this was possible. In simplistic terms (for the non-network-gurus like me) it would be comparable to having two servers with the same IP - I do however appreciate the fact that in the BGP world of things there should be failsafes in place to avoid a fat-finger syndrome.

the great hacker of Johannesburg is not a network guru?
say it isn't so?

just now you'll say you use Windows and didn't trade in your 486 (which boots up in a day and a half) for a Pentium

On a more serious note:
I unfortunately suspect that there is a growing shortage of network gurus

MagicDude4Eva · Sep 26, 2013

Paul Hjul said:
the great hacker of Johannesburg is not a network guru?

Hahaha - I have a Mac and manage to get through life with Google & Wikipedia. Everything else I seem to stumble into which one way or another seems to get me into unpredictable trouble ;-)

ranger · Sep 26, 2013

daffy said:
There should be safeguards for this sort of thing. But in the majority of cases there isn't.

Its very easy to bring up a BGP peer with a provider, but fine-tuning and maintaining a list of prefixes (addresses) that should be accepted requires constant maintenance.

Here's how it should work:
1) Customer brings up BGP session with ISP. Customer Provides ISP with a list of prefixes that belong to customer.
2) ISP builds a prefix-list and applies it to the Customer's BGP session.
-) should Customer announce anything outside of the agreed prefix list (malicious or fatfingered), ISP will ignore it.
If the customer gets another block of IPs, they notify the ISP of this, and ISP updates their prefix list. ISP then needs to inform it's upstream carriers to get them to accept the new prefix too. (most of the time, multiple upstream ISPs)

Here's how it works most of the time
1) Customer brings up BGP session with ISP. Customer Provides ISP with a list of prefixes that belong to customer.
2) ISP ignores prefix list. Network Engineer is happy enough that packets are flowing, so he calls it a day.
-) should Customer announce anything outside of the agreed prefix list (malicious or fatfingered), ISP accepts it and advertises it onwards.

Or:
1) ISP brings up BGP session with peering ISP. First ISP provides 2nd ISP with a list of prefixes that belong to customer.
2) 2nd ISP applies prefix list.
3)First ISP advertises new routes to all their peers, but forgets to notify all their peers of the new prefix lists, then migrates lots of traffic to the new prefixes
4)2nd ISP gets tired of paying for transit to get to peer, and removes the access list from the peering session (temporarily)
5)First ISP then makes a typo

Jab · Sep 27, 2013

I thought this was an Mweb thread

How to wipe an ISP off the Internet

jes

MyBroadband Alumnus

froot

Honorary Master

rico112

Active Member

gregmcc

Honorary Master

MagicDude4Eva

Banned

gregmcc

Honorary Master

Jan

Drifting in the black

ponder

Honorary Master

MagicDude4Eva

Banned

daffy

Expert Member

Johand

Expert Member

MagicDude4Eva

Banned

magneto

Senior Member

ambo

Expert Member

Paul Hjul

Honorary Master

MagicDude4Eva

Banned

ranger

Expert Member

Jab

Expert Member