North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Kenyan Route Hijack

  • From: Christopher Morrow
  • Date: Sun Mar 16 02:45:39 2008
  • Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; bh=h3Bk6WDS84Wd7CORfVNMBQ1AGh0lyj6Dk8ZZdGk/X3M=; b=VHpqAOooYXFHZUGCNOzO+J9TjcpvPxluimbtm8PEFbdUryxZytySZDHi49Q3obf6R+ylYVTTEKwi18tOkmGVee1KlsXJhFhnfRBMeJVRKXfV4haTToGUGUDJh8rYIfla6sUniUOT7svVIa4f5NRib3gLakhohmPR6yg++HD/mjM=
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=jQlo7kB1JrWAhn1pWUo2nZu5wSoV6xM9aTcZegdnbmpRsgungOnqLRkXVJgPuRrl0aVPwRxGwW/Mdu7x4DhvRCZkc6q5hcuFXrXSO/Nl+RylFRuDOAaRlzmDVNLDjX3Bm9lQA/H3BgHpC6DA+JpAFq40g2yL90km+Up4x1IbWUo=

On Sun, Mar 16, 2008 at 2:07 AM, Glen Kent <glen.kent@xxxxxxxxx> wrote:
>
>  Paul,
>
>
>  >  Also: I have seen instances where a static route points to a next
>  >  hop that (inadvertently) may be "redistribute-static" injected into
>  >  BGP. This happens occasionally due to ad hoc configurations, back-
>  >  hole null routing, etc.
>
>  And why would an ISP locally try to blackhole traffic bound to some
>  other legitimate address space? Wouldnt this result in this service

I think it was Abovenet that blackholed a /24 of (I want to say MAPS,
but that's not right) an anti-spam-RBL sometime pre-1999?

>  provider's customers to lose connectivity to whatever websites fall
>  behind the IP address block in question? Or is that the intention?
>

perhaps they had a significant number of complaints about the address
block and no reaction from the owner(s)? or the address block (or
hosts in it) were scanning their infrastucture, or dos'ing it or???
There are a whole host of reasons one might conjecture. In ALL cases
you'd never put in a /24 but a pair of /25 so that you didn't become
the best path for the rest of the internets...

>  If its done intentionally then it would only make sense if theres a
>  DOS attack coming from that address block, or if theres something

dos attack mitigation works best on destinations, not sources...
urpf-loose aside a filter would have solved that form of problem
quicker.

>  "blasphemous" put up there. If none of these, then why locally
>  blackhole traffic?
>

once upon a time we had a noc person null route a 210.x.x.0/24 block
because someone used their email address in the 'from' for a spam
run... a swift 'discussion' ensued and they learned there was a better
solution to their problem. (swift after the owners of the ip space got
a little irrate :( )

-Chris