Strange IPv6 bogon Announcements

Posted by Andree Toonk - June 11, 2010 - bogons, IPv6
This Friday a number of BGPmon.net users received an alert message informing them that their AS was announcing a new IPv6 prefix. I too got an alert email and was surprised when I saw the prefix that was detected, as it was an 'invalid' IPv6 prefix. This is the message I received:
====================================================================
New prefix for AS271 (Code: 60)
====================================================================
Detected new prefix:  f006:9000::/24 
Update time:          2010-06-11 19:18 (UTC)
Detected by #peers:   4
Announced by:         AS271 (BCNET-AS - BCnet)
Upstream AS:          AS13768 (PEER1 - Peer 1 Network Inc.)
ASpath:               1280 174 3257 13768 271 
Alert details:        http://bgpmon.net/alerts.php?details&alert_id=9019544
Add to my prefixes:   http://bgpmon.net/fp.php?aid=9019544

Looking at this message it seemed odd: although the prefix was very strange, the ASpaths seemed to make perfect sense. After some more digging I noticed that many other BGPmon.net users had also received an alert like this. BGPmon.net keeps a list of bogon announcements; in this list you can see many of the detected bogon announcements of yesterday. This list can be found here: http://www.bgpmon.net/showbogons.php?inet=6

Looking at the large number of AS numbers, I found it hard to believe that all these ASns are actually announcing these prefixes. This would mean that about 100 networks decided at the same time to announce a bogon prefix. This is very unlikely, so there must be something else. Assuming that these prefixes are not originated by what seems to be the origin AS (based on ASpath), this would mean that the announcements are originated by another AS, which seems to spoof (AS prepends) the ASpath with these AS numbers.

More details

From what I can quickly see these 'strange' announcements are seen with at least about 100 different origin ASns. Initially I thought this was an issue with the BGPmon.net software, but after reviewing the data at the RIPE RIS website I see the same results. These are some examples of observed bogon prefixes:
0:1f00::/24
2800::/8
4000::/8
4800::/8
5810::/12
And many more

The announcements are detected by the following RIS peers at the AMS-IX - Amsterdam, Netherlands, MIX - Milan Internet Exchange and the PAIX - Palo Alto, United States:
AS1280 ISC-AS1280 Internet Systems Consortium, Inc.
AS12637 SEEWEB Seeweb Srl
AS24875 NL-ISPSERVICES ISP Services BV
AS34695 E4A-AS E4A s.r.l.

Who announced this?

As the administrator of one of these ASns I don't believe these announcements really come from the origin AS as defined in the ASpath, i.e. the AS on the right hand side of the ASpath. Looking more closely at all the ASpaths of all these bogon announcements, they all have 2 ASns in common:
174 3257 
Which are Cogent (174) & Tiscali (3257), so we should probably focus on those two.

Spoofed ASpath

All of these RIS peers above have an IPv6 relationship with Tiscali AS3257. It's fair to assume that they also have an IPv6 peering with AS174 (Cogent), as that's how they learned these announcements. Because the RIS peers that detected this have a peering with both Cogent and Tiscali, it's surprising that none of them reported a shorter path directly via AS3257. Instead the paths went through AS174 and then to AS3257.

Another observation is that AS3257 is a RIS peer, and as a result one of the peers that BGPmon.net uses to analyze data. However, none of the bogon updates were detected by AS3257 (or more specifically, none were sent to the RIS collector from AS3257). Assuming that AS3257 never saw these updates, that would indicate that it is part of the spoofed AS path, which makes 174 the source of these announcements.

Another possibly useful clue is that the updates contain two AS174 communities:
174:21100 which according to the whois data means: peer route learned in EU
174:22005 no explanation available

What does this mean

Please note that the above are assumptions. As I have not had contact with either Tiscali or Cogent, I can only report on the observations described earlier. I have no idea what the purpose of these announcements was. In the past we've seen 'spoofed' AS paths as part of a research project. But they have also been used in BGP man in the middle attacks. Maybe one of you has an idea?
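
The analysis described above (flag bogon IPv6 prefixes, then look for the ASNs shared by every bogon ASpath) can be sketched as follows. This is an added example, not BGPmon.net code. Its assumptions: the allocation list is abbreviated, and every ASpath except the one from the alert is constructed using documentation ASNs (64500-64506).

```python
import ipaddress

# Abbreviated list of RIR IPv6 /12 allocations (an assumption for this example;
# a production filter would load the full IANA registry or a bogon feed).
ALLOCATED = [ipaddress.ip_network(p) for p in
             ("2400::/12", "2600::/12", "2800::/12", "2a00::/12", "2c00::/12")]

def is_bogon(prefix):
    """True if the prefix is not fully inside one of the ALLOCATED blocks."""
    net = ipaddress.ip_network(prefix, strict=False)
    return not any(net.subnet_of(block) for block in ALLOCATED)

def common_asns(paths):
    """ASNs present in every path, ordered as in the first path."""
    if not paths:
        return []
    shared = set.intersection(*(set(p) for p in paths))
    # dict.fromkeys drops repeats caused by AS prepending but keeps order
    return [a for a in dict.fromkeys(paths[0]) if a in shared]

def analyse(updates):
    """updates: iterable of (prefix, 'asn asn ...'). Summarise the bogon ones."""
    bogons = [(p, [int(a) for a in path.split()])
              for p, path in updates if is_bogon(p)]
    paths = [path for _, path in bogons]
    return {
        "bogon_prefixes": [p for p, _ in bogons],
        "apparent_origins": sorted({path[-1] for path in paths}),
        "detecting_peers": sorted({path[0] for path in paths}),
        "common_asns": common_asns(paths),
    }

# Sample updates. The first ASpath is the one in the alert; the others are constructed.
SAMPLE = [
    ("f006:9000::/24", "1280 174 3257 13768 271"),
    ("4000::/8", "12637 174 3257 64500 64501"),
    ("2800::/8", "24875 174 3257 64502"),        # covers more than 2800::/12
    ("5810::/12", "34695 174 3257 64503 64504"),
    ("2a00:db8::/32", "1280 64505 64506"),       # inside an allocated block
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

Many apparent origins sharing the same short run of transit ASNs, as here, is the pattern that points away from the right-hand AS and toward the shared segment of the path.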
