Curious if anyone can make sense of this alert from QRator. Are they suggesting OPTBIT is advertising MICE's /24? I've seen this come and go since Sunday night at 10:09 pm Central. Frank From: Radar by Qrator <no-reply@qrator.net> Sent: Monday, March 30, 2020 2:49 AM Subject: [BGP ALERT] [HIGH] <AS18883> Created Hijacks Time: 30.03.2020 07:42:00 UTC Created Hijacks New IPv4 incidents: Target Prefix Target ASN Affected prefix Affected ASN Severity Propagation 206.108.255.0/24<https://radar.qrator.net/as18883/graph#206.108.255.0/24> 18883 (FIBERNET-NETWORK-OPERATIONS-CENTER)<https://radar.qrator.net/as18883> 206.108.255.0/24<https://radar.qrator.net/as53740/graph#206.108.255.0/24> 53740 (OPTBIT)<https://radar.qrator.net/as53740> High 1 AS Names involved in the incident: AS18883 (FIBERNET-NETWORK-OPERATIONS-CENTER), AS53740 (OPTBIT) Active IPv4 incident count: 16 Radar by Qrator<https://radar.qrator.net>
Frank, That's really interesting. I'm sending QRator an unfiltered BGP feed and that might be triggering the error(?). I'll try to filter my feed to QRator to deny the MICE prefix and see if that fixes it. Open to suggestions as well. Abhi ________________________________ From: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> on behalf of Frank Bulk <fbulk@MYPREMIERONLINE.COM> Sent: Monday, March 30, 2020 5:11 PM To: MICE-DISCUSS@LISTS.IPHOUSE.NET <MICE-DISCUSS@LISTS.IPHOUSE.NET> Subject: [MICE-DISCUSS] BGP alerts about AS 53740 (OPTBIT) Curious if anyone can make sense of this alert from QRator. Are they suggesting OPTBIT is advertising MICE’s /24? I’ve seen this come and go since Sunday night at 10:09 pm Central. Frank From: Radar by Qrator <no-reply@qrator.net> Sent: Monday, March 30, 2020 2:49 AM Subject: [BGP ALERT] [HIGH] <AS18883> Created Hijacks Time: 30.03.2020 07:42:00 UTC Created Hijacks New IPv4 incidents: Target Prefix Target ASN Affected prefix Affected ASN Severity Propagation 206.108.255.0/24<https://radar.qrator.net/as18883/graph#206.108.255.0/24> 18883 (FIBERNET-NETWORK-OPERATIONS-CENTER)<https://radar.qrator.net/as18883> 206.108.255.0/24<https://radar.qrator.net/as53740/graph#206.108.255.0/24> 53740 (OPTBIT)<https://radar.qrator.net/as53740> High 1 AS Names involved in the incident: AS18883 (FIBERNET-NETWORK-OPERATIONS-CENTER), AS53740 (OPTBIT) Active IPv4 incident count: 16 Radar by Qrator<https://radar.qrator.net> ________________________________ To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
Abhi, It is not as much a question about filtering prefixes, it is more a question of why your network would originate 206.108.255.0/24 Jeremy Lumby Minnesota VoIP 9217 17th Ave S #216 Bloomington, MN 55425 M: 612-355-7740 D: 612-392-6814 F: 952-873-7425 jlumby@mnvoip.com From: MICE Discuss [mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET] On Behalf Of Abhi Devireddy Sent: Monday, March 30, 2020 5:29 PM To: MICE-DISCUSS@LISTS.IPHOUSE.NET Subject: Re: [MICE-DISCUSS] BGP alerts about AS 53740 (OPTBIT) Frank, That's really interesting. I'm sending QRator an unfiltered BGP feed and that might be triggering the error(?). I'll try to filter my feed to QRator to deny the MICE prefix and see if that fixes it. Open to suggestions as well. Abhi From: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> on behalf of Frank Bulk <fbulk@MYPREMIERONLINE.COM> Sent: Monday, March 30, 2020 5:11 PM To: MICE-DISCUSS@LISTS.IPHOUSE.NET <MICE-DISCUSS@LISTS.IPHOUSE.NET> Subject: [MICE-DISCUSS] BGP alerts about AS 53740 (OPTBIT) Curious if anyone can make sense of this alert from QRator. Are they suggesting OPTBIT is advertising MICE’s /24? I’ve seen this come and go since Sunday night at 10:09 pm Central. Frank From: Radar by Qrator <no-reply@qrator.net> Sent: Monday, March 30, 2020 2:49 AM Subject: [BGP ALERT] [HIGH] <AS18883> Created Hijacks Time: 30.03.2020 07:42:00 UTC Created Hijacks New IPv4 incidents: Target PrefixTarget ASNAffected prefixAffected ASNSeverityPropagation 206.108.255.0/2418883 (FIBERNET-NETWORK-OPERATIONS-CENTER) 206.108.255.0/2453740 (OPTBIT) High 1 AS Names involved in the incident: AS18883 (FIBERNET-NETWORK-OPERATIONS-CENTER), AS53740 (OPTBIT) Active IPv4 incident count: 16 Radar by Qrator To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1 To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
And you would be right... I needed a downstream device to have that route. It's been fixed now. Sorry for the extraneous alert. I'll check that on our other session (AS3789) as well. Abhi ________________________________ From: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> on behalf of Andrew Hoyos <hoyosa@GMAIL.COM> Sent: Monday, March 30, 2020 5:52 PM To: MICE-DISCUSS@LISTS.IPHOUSE.NET <MICE-DISCUSS@LISTS.IPHOUSE.NET> Subject: Re: [MICE-DISCUSS] BGP alerts about AS 53740 (OPTBIT) One of the most common reasons we see this is from ‘redist connected’ without any sanity check or prefix filter. On Mar 30, 2020, at 5:49 PM, Jeremy Lumby <jlumby@MNVOIP.COM<mailto:jlumby@MNVOIP.COM>> wrote: Abhi, It is not as much a question about filtering prefixes, it is more a question of why your network would originate 206.108.255.0/24<https://radar.qrator.net/as53740/graph#206.108.255.0/24> Jeremy Lumby Minnesota VoIP 9217 17th Ave S #216 Bloomington, MN 55425 M: 612-355-7740 D: 612-392-6814 F: 952-873-7425 jlumby@mnvoip.com<mailto:jlumby@mnvoip.com> From: MICE Discuss [mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET] On Behalf Of Abhi Devireddy Sent: Monday, March 30, 2020 5:29 PM To: MICE-DISCUSS@LISTS.IPHOUSE.NET<mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET> Subject: Re: [MICE-DISCUSS] BGP alerts about AS 53740 (OPTBIT) Frank, That's really interesting. I'm sending QRator an unfiltered BGP feed and that might be triggering the error(?). I'll try to filter my feed to QRator to deny the MICE prefix and see if that fixes it. Open to suggestions as well. Abhi ________________________________ From: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET<mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET>> on behalf of Frank Bulk <fbulk@MYPREMIERONLINE.COM<mailto:fbulk@MYPREMIERONLINE.COM>> Sent: Monday, March 30, 2020 5:11 PM To: MICE-DISCUSS@LISTS.IPHOUSE.NET<mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET> <MICE-DISCUSS@LISTS.IPHOUSE.NET<mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET>> Subject: [MICE-DISCUSS] BGP alerts about AS 53740 (OPTBIT) Curious if anyone can make sense of this alert from QRator. Are they suggesting OPTBIT is advertising MICE’s /24? I’ve seen this come and go since Sunday night at 10:09 pm Central. Frank From: Radar by Qrator <no-reply@qrator.net<mailto:no-reply@qrator.net>> Sent: Monday, March 30, 2020 2:49 AM Subject: [BGP ALERT] [HIGH] <AS18883> Created Hijacks Time: 30.03.2020 07:42:00 UTC Created Hijacks New IPv4 incidents: Target Prefix Target ASN Affected prefix Affected ASN Severity Propagation 206.108.255.0/24<https://radar.qrator.net/as18883/graph#206.108.255.0/24> 18883 (FIBERNET-NETWORK-OPERATIONS-CENTER)<https://radar.qrator.net/as18883> 206.108.255.0/24<https://radar.qrator.net/as53740/graph#206.108.255.0/24> 53740 (OPTBIT)<https://radar.qrator.net/as53740> High 1 AS Names involved in the incident: AS18883 (FIBERNET-NETWORK-OPERATIONS-CENTER), AS53740 (OPTBIT) Active IPv4 incident count: 16 Radar by Qrator<https://radar.qrator.net/> ________________________________ To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1 ________________________________ To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1 ________________________________ To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1 ________________________________ To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
Two general schools of thought here: a.) carry the MICE prefix in your IGP (OSPF, ISIS, etc) - not BGP, if you need it to recurse next hops. While this is the ‘easy button’, it has the unintended impact of allowing things on your network to directly target MICE IPs which should be avoided - the only things we want talking to directly to MICE IP’s are other BGP speaking routers to establish BGP sessions. b.) set next-hop-self on your sessions on IXP facing router, so next hop is rewritten to the router itself towards the rest of your network. That way, you don’t need to carry the IX prefix in your IGP at all.
participants (5)
-
Abhi Devireddy -
Andrew Hoyos -
Frank Bulk -
Jeremy Lumby -
Richard Laager