[tor-relays] Strange BGP activity with my node

Rabbi Rob Thomas robt at cymru.com
Wed May 9 18:45:01 UTC 2018


Dear Trevor,

> I just got a notification from my data center that someone is trying
> to hijack the IP of my exit node. Seems like the sort of thing
> someone might do when trying to attack Tor. I'm in a very remote
> area with limited access but any suggestions on actions I should
> take?
> 
> 
> ====================================================================
> Possible Prefix Hijack (Code: 10)
> ====================================================================
> Your prefix:          204.17.32.0/19
> Prefix Description:   GBLX-US-BGP
> Update time:          2018-05-09 12:11 (UTC)
> Detected by #peers:   1
> Detected prefix:      204.17.56.42/32
> Announced by:         AS200005 (Asavie Technologies Limited)
> Upstream AS:          AS200005 (Asavie Technologies Limited)
> ASpath:               200005
> 
I took a look through our BGP data and peering routers, and I didn't
see the /32 being announced.  I'm not saying it didn't happen, but
rather it may not have carried very far.  /32 prefix announcements
rarely propagate very far.  There are still a great many filters in
place that restrict announcements more specific than /24 (or /21, or
/19, or ...).

It may be the case that this /32 prefix is a null route that leaked
out, which we've seen happen somewhat frequently.  The most notorious
example was an attempted, and unwittingly leaked, null route in
Pakistan (/24s, IIRC) that impacted YouTube.

It appears Asavie does a bit of security and networking work, so
possibly this is attributable to that?

Be well,
Rabbi Rob.
-- 
Rabbi Rob Thomas                                           Team Cymru
   "It is easy to believe in freedom of speech for those with whom we
    agree." - Leo McKern
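
An added example, not part of the original message: a small triage of the alert quoted above against the reply's point that announcements more specific than /24 are commonly filtered. The field layout is taken from the quoted alert; the function names, the /24 threshold constant and the "limited visibility" heuristic are assumptions of this example (IPv4 only).

```python
import ipaddress

# Sample input in the layout of the alert quoted in the message above
# (values copied from that alert).
SAMPLE_ALERT = """\
Your prefix:          204.17.32.0/19
Prefix Description:   GBLX-US-BGP
Update time:          2018-05-09 12:11 (UTC)
Detected by #peers:   1
Detected prefix:      204.17.56.42/32
Announced by:         AS200005 (Asavie Technologies Limited)
Upstream AS:          AS200005 (Asavie Technologies Limited)
ASpath:               200005
"""

MAX_COMMON_LEN = 24  # assumption: longest IPv4 prefix most networks accept


def parse_alert(text):
    """Split 'Key:   value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so times survive
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields


def triage(text, max_len=MAX_COMMON_LEN):
    """Summarise how far a reported more-specific announcement is likely to reach."""
    f = parse_alert(text)
    mine = ipaddress.ip_network(f["your prefix"])
    seen = ipaddress.ip_network(f["detected prefix"], strict=False)
    path = [int(asn) for asn in f["aspath"].split()]
    peers = int(f["detected by #peers"])
    more_specific = (seen.version == mine.version
                     and seen.subnet_of(mine)
                     and seen.prefixlen > mine.prefixlen)
    likely_filtered = seen.prefixlen > max_len
    return {
        "more_specific": more_specific,      # carved out of the monitored prefix
        "likely_filtered": likely_filtered,  # longer than the common filter limit
        "origin_as": path[-1],               # last AS in the path originates it
        "peers": peers,
        # Heuristic only: a too-specific prefix seen by one peer probably
        # did not travel far, which still does not prove it never happened.
        "limited_visibility": likely_filtered and peers <= 1,
    }
```
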
