BGP leak in Italy

Posted by Andree Toonk - October 10, 2009 - Hijack - No Comments
Friday morning around 07:22:08 UTC, AS9035 (Wind Telecomunicazioni) started to announce approximately 85,000 prefixes with an invalid origin AS: the origin AS was set to AS9035 while these prefixes did not belong to AS9035. The impact was local to a number of Italian providers, all Telecom Italia customers. The incident was resolved about two minutes after the first announcement.

Many of you received alert messages for this event, informing you of a 'possible hijack'. I would like to take a bit of time to explain how to interpret these messages so that it is easy to determine the impact of such an event.

The first thing to look for is the number of peers that detected the prefix. In this case the event was detected by 2 peers, which indicates that it did not have a significant widespread impact.

The next thing to do is to log in to BGPmon and check the details of the alert; a direct link to the detailed info page is now included in the email messages. There you will again see the number of peers that detected the event, as well as the geographic location of these peers. In this case both peers were located in Italy, indicating that it was a fairly local event. The global impact is also visible on the world map, making it easy to determine the geographical impact.

The same detailed info page also shows the BGP messages that are relevant for the alert, giving you more detailed information about the exact BGP announcements. If the alarm has been cleared, you will see the exact time this happened. An alarm is cleared when the peer that detected it sees a new valid update for the prefix or a withdrawal. The page also displays the exact duration of the event per peer.

BGPmon notification time

BGPmon alert messages are normally sent out a few minutes (<5 min on average) after we receive the updates from the RIPE RIS collectors. Yesterday, some of you received the alert messages later than usual.
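The triage steps above (count the detecting peers, look at where they are, and per peer record when the alarm cleared on a valid-origin update or a withdrawal) can be run over a raw update feed yourself. The script below is an added example and is not BGPmon's code. Its input feed, peer names and countries are constructed; AS64496, AS64500 and AS64501 are documentation ASNs and 192.0.2.0/24 is a documentation prefix, while AS9035 stands in for the leaking origin from this post. The "widespread" threshold of 10 peers is an assumption, not a BGPmon setting.

```python
"""Triage an origin-AS hijack alert from a simplified BGP update feed.

Added example, not BGPmon code. Feed lines, peer names and the expected
origin are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed feed: timestamp, peer, peer country, A(nnounce)/W(ithdraw), prefix, AS path.
# Two Italian peers see AS9035 as origin; a German peer only ever sees the valid origin.
SAMPLE_UPDATES = """\
2009-10-09T07:22:08Z it-peer-1 IT A 192.0.2.0/24 64500 9035
2009-10-09T07:22:12Z it-peer-2 IT A 192.0.2.0/24 9035
2009-10-09T07:22:30Z de-peer-1 DE A 192.0.2.0/24 64501 64496
2009-10-09T07:24:05Z it-peer-2 IT W 192.0.2.0/24
2009-10-09T07:24:10Z it-peer-1 IT A 192.0.2.0/24 64500 64496
"""

# Assumed legitimate origin for the prefix (what an operator would configure).
EXPECTED_ORIGINS: Dict[str, Set[int]] = {"192.0.2.0/24": {64496}}


@dataclass
class Update:
    ts: datetime
    peer: str
    country: str
    prefix: str
    origin: Optional[int]  # None for a withdrawal


@dataclass
class PeerEvent:
    """One peer's view of the hijack: when it started and, if cleared, when."""
    peer: str
    country: str
    start: datetime
    end: Optional[datetime] = None

    def duration_s(self) -> Optional[int]:
        return None if self.end is None else int((self.end - self.start).total_seconds())


def parse_updates(text: str) -> List[Update]:
    """Parse the constructed line format; the origin AS is the last AS in the path."""
    out: List[Update] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split()
        ts = datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%SZ")
        origin = int(f[-1]) if f[3] == "A" else None
        out.append(Update(ts, f[1], f[2], f[4], origin))
    return out


def triage(updates: List[Update], prefix: str, expected: Set[int]) -> List[PeerEvent]:
    """Per-peer hijack events for `prefix`; end is None while the alarm is still open."""
    open_ev: Dict[str, PeerEvent] = {}
    done: List[PeerEvent] = []
    for u in sorted(updates, key=lambda u: u.ts):
        if u.prefix != prefix:
            continue
        bad_origin = u.origin is not None and u.origin not in expected
        if bad_origin:
            if u.peer not in open_ev:  # first bad announcement from this peer opens the event
                open_ev[u.peer] = PeerEvent(u.peer, u.country, u.ts)
        else:
            # A withdrawal or an update with a valid origin clears this peer's alarm.
            ev = open_ev.pop(u.peer, None)
            if ev is not None:
                ev.end = u.ts
                done.append(ev)
    return done + list(open_ev.values())


def summarize(events: List[PeerEvent], widespread_threshold: int = 10) -> dict:
    """Impact summary: how many peers, where, whether all cleared, and the longest duration."""
    durations = [e.duration_s() for e in events]
    return {
        "peers": len(events),
        "countries": sorted({e.country for e in events}),
        "widespread": len(events) >= widespread_threshold,  # threshold is an assumption
        "all_cleared": all(d is not None for d in durations),
        "max_duration_s": max((d for d in durations if d is not None), default=None),
    }


def triage_sample(prefix: str = "192.0.2.0/24") -> dict:
    ups = parse_updates(SAMPLE_UPDATES)
    return summarize(triage(ups, prefix, EXPECTED_ORIGINS[prefix]))


if __name__ == "__main__":
    print(triage_sample())
```

On the constructed feed this reports 2 detecting peers, both in IT, every alarm cleared, and a longest per-peer duration of 122 seconds, which is the same "few local peers, cleared within minutes" picture the alert page shows for the event described above. An event that is still open shows up with `end` unset, so a dashboard built on this can keep paging until every peer has seen a valid update or a withdrawal.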
I apologize for this and am currently working on a solution for this in order to prevent the delay in notification in cases of 'mass hijacks/leaks' like we saw yesterday. A significant part of the solution is to upgrade some of the hardware components of the server. If you or your company would like to support this project, please consider making a donation. For more information please see this page.

