On July 30, we detected a BGP hijack by AS10990. This incident has been described in great detail in this MANRS blog, rightly highlighting shortcomings in our attempts to mitigate the propagation of the illicit announcements. As is hopefully evident from our initiatives in routing security, we take pride in providing a robust process and implementation to protect our customers and peers from such events. In that spirit, we’d like to apologize for our part in this incident, transparently describe how it could occur, and set out the actions we are taking to prevent something similar from happening again.
Policies for customers and peers of AS1299 are maintained by the fully automated BGP Filter Server, briefly described in the earlier RPKI post here. This is true for all IRR-based protection mechanisms and includes prefix filters, AS filters, peer-locking and so forth.
As visible in the replay of this event, the announcements originated by AS10990 arrived via downstream AS7219. The fact that these prefixes had no signed ROAs, and would otherwise have been dropped by RPKI, is by no means an excuse for other mechanisms not producing the same result.
Tracing back through the logs of the aforementioned BGP Filter Server, it becomes obvious that for this particular downstream the operator had chosen to apply AS filtering but no prefix filtering. Using this option is against the guidelines, and it only exists for legacy reasons. As such, the concrete action we admittedly should have taken earlier, but will take immediately, is to remove this choice completely.
For transparency, here’s the IPv4 policy clearly missing a prefix filter:
Router: atl-b24.telia.net
Policy: AS7219:AS-TULIX
Updates during this week: 2
Updates during this month: 2
Latest update: 2020-07-30 10:30
Previous generated: 2020-07-30 10:27

route-policy V4_1299_7219_FILTER_IN
  # Autogenerated V4 AS AS7219 2020-07-30 10:27 AS7219
  if validation-state is invalid and destination in V4_RPKI_RANGE then
    drop
  endif
  if as-path in AUTO_1299_7219_AS_FILTER_IN then
    pass
  else
    drop
  endif
end-policy
!
as-path-set AUTO_1299_7219_AS_FILTER_IN
  # Autogenerated V4 AS AS7219 2020-07-30 10:27 AS7219
  ios-regex '_(7219|10990|21840|22427|36820|63136)$'
end-set
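The gap in the policy above, as an added example (not the BGP Filter Server's code): a small model that evaluates the same AS filter with and without a prefix filter. The AS regex is copied from the page; the prefix-set contents, the sample announcements and the function names are constructed assumptions.

```python
import ipaddress
import re

# AS filter copied from the policy on this page (AUTO_1299_7219_AS_FILTER_IN).
AS_FILTER = "_(7219|10990|21840|22427|36820|63136)$"

# Constructed prefix-set: documentation ranges standing in for the routes an
# IRR-derived prefix filter would list for this customer. Not real data.
PREFIX_SET = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]

# Constructed announcements: (as_path, prefix, rpki_state).
SAMPLES = [
    ("7219 10990", "192.0.2.0/24", "not-found"),    # registered route
    ("7219 10990", "203.0.113.0/24", "not-found"),  # prefix absent from filter
    ("7219 64500", "192.0.2.0/24", "not-found"),    # origin AS not in filter
    ("7219 10990", "203.0.113.0/24", "invalid"),    # ROA exists and disagrees
]


def ios_regex(pattern):
    """Translate the one IOS metacharacter used here: '_' is an AS delimiter."""
    return re.compile(pattern.replace("_", r"(?:^|\s)"))


def evaluate(as_path, prefix, rpki_state, prefix_filter):
    """Return 'pass' or 'drop' for one announcement.

    prefix_filter=False mirrors the page's AS-only policy; True adds a
    'destination in <prefix-set>' check (modelled as covered-by matching).
    """
    # Simplification: the page's policy also requires V4_RPKI_RANGE here.
    if rpki_state == "invalid":
        return "drop"
    if not ios_regex(AS_FILTER).search(as_path):
        return "drop"
    if prefix_filter:
        net = ipaddress.ip_network(prefix)
        if not any(net.subnet_of(allowed) for allowed in PREFIX_SET):
            return "drop"
    return "pass"


def compare(samples=SAMPLES):
    """Return (announcement, AS-only verdict, AS+prefix verdict) per sample."""
    return [(s, evaluate(*s, prefix_filter=False), evaluate(*s, prefix_filter=True))
            for s in samples]


if __name__ == "__main__":
    for sample, as_only, with_prefix in compare():
        print(sample, "AS-only:", as_only, "AS+prefix:", with_prefix)
```

The second sample is the case that matters: with no ROA the RPKI check does nothing, the origin AS matches the regex, and only the prefix filter drops the route.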