Reply to post:

'Suspicious' BGP event routed big traffic sites through Russia

Jellied Eel Silver badge

It's been a while since I was on the sharp end of BGP, but there are/were some issues with that. It wasn't so much a router limitation, given the route filters would be generated off the router. Not sure if Cisco/Juniper include tools to try and do that automagically now though. But the biggest challenge is assuming there's a reliable route object registered to build filters from. In RIPE-land, or anyone but ARIN, that was vaguely doable. In ARIN-space, often route objects didn't exist, especially for retail users. They often had no idea what a route object was, or how to go about creating one.

But for route filtering to work, it really needs to be applied at the upstream, so-

aut-num: AS39523

as-name: DV-LINK-AS

org: ORG-VII2-RIPE

sponsoring-org: ORG-ATS13-RIPE

Megafon

import: from AS31133 accept ANY

export: to AS31133 announce AS39523

Vimpelcom

import: from AS3216 accept ANY

export: to AS3216 announce AS39523

So Megafon's one of DV-LINK's upstreams/transit providers, and has a corresponding entry in its AS object rather than a more specific to only accept DV-LINK's assigned address space. That's the first line of defence against advertising bogus routes from your downstreams. The report doesn't mention the specific routes that were advertised, but if those don't have route objects defined, auto-rule building wouldn't work.

DV-LINK looks like a Russian ISP though, so this may just have been some fat-fingering rather than anything malicious.
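The filter-building step the comment describes, sketched as an added example that is not part of the original comment: an upstream derives a per-customer prefix filter from registered route objects and refuses to build one when none exist. The ASNs and prefixes are constructed documentation values, and the function names and the /24 length limit are assumptions of this sketch.

```python
import ipaddress

# Constructed sample IRR data (documentation prefixes/ASNs, not real registrations).
SAMPLE_IRR = """\
route: 192.0.2.0/24
origin: AS64500

route: 198.51.100.0/24
origin: AS64500

route: 203.0.113.0/24
origin: AS64501
"""

def parse_route_objects(text):
    """Return {origin_asn: [ip_network, ...]} from RPSL route objects."""
    table = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"], strict=True)
            table.setdefault(attrs["origin"].upper(), []).append(net)
    return table

def build_filter(table, customer_asn):
    """Prefix list an upstream would apply to one customer session."""
    prefixes = table.get(customer_asn.upper(), [])
    if not prefixes:
        # The failure mode from the comment: no route objects, no automatic filter.
        raise LookupError(f"no route objects for {customer_asn}; cannot build filter")
    return prefixes

def check_announcement(prefix_filter, announced, max_len=24):
    """Accept only prefixes covered by a registered route, no longer than max_len."""
    net = ipaddress.ip_network(announced)
    if net.prefixlen > max_len:
        return False
    return any(net.version == allowed.version and net.subnet_of(allowed)
               for allowed in prefix_filter)

if __name__ == "__main__":
    flt = build_filter(parse_route_objects(SAMPLE_IRR), "AS64500")
    for prefix in ("192.0.2.0/24", "203.0.113.0/24"):
        print(prefix, "accept" if check_announcement(flt, prefix) else "reject")
```

An "accept ANY" policy on a customer session corresponds to skipping `check_announcement` entirely, which is why a prefix registered to a different origin would pass through.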
