Strange IPv6 bogon Announcements
This Friday a number of BGPmon.net users have received an alert message informing them that their AS was announcing a new IPv6 prefix.
I too got an alert email and was surprised to when I saw the prefix that was detected, as the prefix detected was an ‘invalid’ IPv6 prefix.
This is the message I received:
==================================================================== New prefix for AS271 (Code: 60) ==================================================================== Detected new prefix: f006:9000::/24 Update time: 2010-06-11 19:18 (UTC) Detected by #peers: 4 Announced by: AS271 (BCNET-AS - BCnet) Upstream AS: AS13768 (PEER1 - Peer 1 Network Inc.) ASpath: 1280 174 3257 13768 271 Alert details: http://bgpmon.net/alerts.php?details&alert_id=9019544 Add to my prefixes: http://bgpmon.net/fp.php?aid=9019544
Looking at this message it seemed odd, although the prefix was very strange, the ASpaths seemed to make perfect sense. After some more digging I noticed that many other BGPmon.net users had also received an alert like this.
BGPmon.net keeps a list of bogon announcements, in this list you can seen many of the detected bogon announcements of yesterdat.
This list can be found here:
Looking at the large number of AS numbers, I found it hard to believe that all these ASn’s are actually announcing these prefixes. This would mean that about 100 networks at the same time decided to announce a bogon prefix, this is very unlikely so there must be something else.
Assuming that these prefixes are not originated by what seems to be the origin AS (based on ASpath), this would mean that the announcements are originated by another AS, which seems to spoof (AS prepends) the ASpath with these AS numbers.
From what I can quickly see these ‘strange’ announcements are seen with at least about 100 different origin ASn’s.
Initially I though this was an issue with the BGPmon.net software, but after reviewing the data at the RIPE RIS website I see the same results.
These are some of examples of observed bogon prefixes:
And many more
The announcements are detected by the following RIS peers at the AMS-IX – Amsterdam, Netherlands, MIX – Milan Internet Exchange and the PAIX – Palo Alto, United States.
|AS1280||ISC-AS1280 Internet Systems Consortium, Inc.|
|AS12637||SEEWEB Seeweb Srl|
|AS24875||NL-ISPSERVICES ISP Services BV|
|AS34695||E4A-AS E4A s.r.l.|
Who announced this?
As the administrator of one these ASns I don’t believe these announcement really come from origin the AS as defined in the ASpath, i.e. the AS on the right hand side of the ASpath.
Looking more closely at all the ASpaths of all these bogon announcements, they all have 2 ASns in common,
Which are Cogent (174) & Tiscali (3257), so we should probably focus on those two.
All of these RIS peers above have a IPv6 relationship with Tiscali AS3257. It’s fair to assume that they also have an IPv6 peering with AS174 (Cogent) as that’s how they learned these announcements.
Because the RIS peers that detected this have a peering with both Cogent as well as Tiscali, it’s surprising that non of them reported a shorter path directly via AS3257. Instead the paths went through AS174 and then to AS3257.
Another observation is that AS3257 is a RIS peer, and as a result one of the peers that BGPmon.net uses to analyze data. However non of the bogon updates we’re detected by AS3257 (or more specifically, non were sent to the RIS collecter from AS3257).
Assuming that AS3257 never saw these updates, that would indicate that that is part of the spoofed AS path and makes 174 the source of these announcements.
Another possibly useful clue is that updates contain two AS174 communities.
174:21100 which according the the whois data means: peer route learned in EU
174:22005 no explanation available
What does this mean
Please note that the above are assumptions, as I have not had contact with either Tiscali or Cogent I can only report on the observations described earlier.
I have no idea what the purpose of these announcements were. In the past we’ve see ‘spoofed’ AS paths as part of a research project. But they have also been used in BGP man in the middle attacks.
Maybe one of you have an idea?