[tor-relays] Strange BGP activity with my node
Rabbi Rob Thomas
robt at cymru.com
Wed May 9 18:45:01 UTC 2018
Dear Trevor,
> I just got a notification from my data center that someone is trying
> to hijack the IP of my exit node. Seems like the sort of thing
> someone might do when trying to attack Tor. I'm in a very remote
> area with limited access but any suggestions on actions I should
> take?
>
> ====================================================================
> Possible Prefix Hijack (Code: 10)
> ====================================================================
>
> Your prefix:          204.17.32.0/19:
> Prefix Description:   GBLX-US-BGP
> Update time:          2018-05-09 12:11 (UTC)
> Detected by #peers:   1
> Detected prefix:      204.17.56.42/32
> Announced by:         AS200005 (Asavie Technologies Limited)
> Upstream AS:          AS200005 (Asavie Technologies Limited)
> ASpath:               200005
>
I took a look through our BGP data and peering routers, and I didn't
see the /32 being announced. I'm not saying it didn't happen, but
rather it may not have carried very far. /32 prefix announcements
rarely propagate very far. There are still a great many filters in
place that restrict announcements more specific than /24 (or /21, or
/19, or ...).
It may be the case that this /32 prefix is a null route that leaked
out, which we've seen happen somewhat frequently. The most notorious
example was an attempted, and unwittingly leaked, null route in
Pakistan (/24s, IIRC) that impacted YouTube.
It appears Asavie does a bit of security and networking work, so
possibly this is attributable to that?
Be well,
Rabbi Rob.
- --
Rabbi Rob Thomas Team Cymru
"It is easy to believe in freedom of speech for those with whom we
agree." - Leo McKern
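Added example, not part of the original thread or of any tool mentioned in it: a Python sketch that parses the alert fields quoted above and applies the reply's reasoning about prefix length and propagation. The /24 cutoff, the function names and the verdict labels are assumptions chosen for illustration.

```python
import ipaddress
import re

# Alert fields as quoted in the message above.
ALERT = """\
Your prefix:          204.17.32.0/19:
Prefix Description:   GBLX-US-BGP
Update time:          2018-05-09 12:11 (UTC)
Detected by #peers:   1
Detected prefix:      204.17.56.42/32
Announced by:         AS200005 (Asavie Technologies Limited)
Upstream AS:          AS200005 (Asavie Technologies Limited)
ASpath:               200005
"""

# Assumption: /24 is the longest IPv4 prefix commonly accepted from peers.
MAX_ACCEPTED_LEN = 24

def parse_alert(text):
    """Split 'Key:   value' lines into a dict; a trailing ':' on a value is dropped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s+(.*?):?\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def triage(fields, max_len=MAX_ACCEPTED_LEN):
    """Compare the detected announcement with the monitored prefix."""
    mine = ipaddress.ip_network(fields["Your prefix"])
    seen = ipaddress.ip_network(fields["Detected prefix"])
    path = fields["ASpath"].split()
    return {
        "covered": seen.subnet_of(mine),             # inside the monitored block?
        "extra_bits": seen.prefixlen - mine.prefixlen,
        "likely_filtered": seen.prefixlen > max_len,  # longer than the usual cutoff
        "peers": int(fields["Detected by #peers"]),
        "origin_as": path[-1],                        # last AS in the path originates
    }

def verdict(t):
    # Hypothetical labels for this example, not a standard classification.
    if not t["covered"]:
        return "unrelated"
    if t["likely_filtered"] and t["peers"] <= 1:
        return "limited-propagation"
    return "investigate"

print(verdict(triage(parse_alert(ALERT))))
```

A "limited-propagation" result only restates the alert's own data (one observing peer, a /32); confirming reachability from other vantage points still requires checking independent route collectors or looking glasses.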