Re: OT: China telecom operator denies hijacking Internet

From: Vijay Shekhar <v.shekhar_at_globalassurance.net>
Date: Fri, 19 Nov 2010 00:48:29 -0500

Not long ago, maybe last year, YouTube was down for a couple of hours
because Pakistan Telecom were advertising their address block.

Looks like the lessons are not well learnt.

-Vijay Shekhar
CCIE(sec)#17589/CISSP/RHCE.
http://au.linkedin.com/in/vshekhar

Quoting Jack Router <pan.router_at_gmail.com>:

> How do we actually know that China hijacked traffic and not an ISP caused
> the error? In my lab I can easily make a mistake by prepending as-path to a
> wrong route and/or sending it to a wrong neighbor. Can something like that
> happen on a much larger scale?
>
> On 18 November 2010 20:29, Tom Kacprzynski <tom.kac_at_gmail.com> wrote:
>
>> I think the problem with doing prefix-lists for carriers is that you don't know
>> who they will be used by for transit. So a European network could advertise
>> their Provider Independent network through China Telecom and you would not
>> be able to count all of their clients using them for transit or other
>> carriers with these filters. I don't think the issue is as simple as
>> filtering when dealing with transit providers and not end users. I think we
>> should be talking about how Secure BGP should play a role in Internet
>> security.
>>
>> My two cents.
>>
>> Now back to DHCP Servers lab for ccie.
>>
>> On Thu, Nov 18, 2010 at 7:15 PM, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>>
>> > The carriers should write very simple prefix lists that they will only do
>> >
>> > ip prefix-list china-nets seq 5 permit 61.0.0.0/8 le 24
>> > ip prefix-list china-nets seq 10 permit 202.0.0.0/8 le 24
>> >
>> >
>> > etc. for all the China netblocks when peering with them, so they can't
>> > announce ANYTHING they don't own.
>> >
>> > PERIOD.
>> >
>> > If I can't get to EVERYTHING else through ANOTHER carrier it would be better
>> > to have it down than go through China
>> >
>> > ________________________________________
>> > From: nobody_at_groupstudy.com [nobody_at_groupstudy.com] On Behalf Of Ahmed Elhoussiny [aelhoussiny_at_gmail.com]
>> > Sent: Thursday, November 18, 2010 7:52 PM
>> > To: --Hammer--
>> > Cc: Ronnie Angello; Cisco certification
>> > Subject: Re: OT: China telecom operator denies hijacking Internet traffic
>> >
>> > It's just an example of how BGP attributes/communities, filters can easily
>> > affect the whole internet.
>> >
>> >
>> > On Fri, Nov 19, 2010 at 12:37 AM, --Hammer-- <bhmccie_at_gmail.com> wrote:
>> >
>> > > Why complying with the groupstudy posting rules is important....
>> > >
>> > >
>> > >
>> > > --Hammer
>> > >
>> > > "I was a normal American nerd."
>> > > -Jack Herer
>> > >
>> > > -----Original Message-----
>> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ronnie Angello
>> > > Sent: Thursday, November 18, 2010 4:29 PM
>> > > To: Ahmed Elhoussiny
>> > > Cc: Cisco certification
>> > > Subject: Re: OT: China telecom operator denies hijacking Internet traffic
>> > >
>> > > Why route filtering is important... :)
>> > >
>> > > On Thu, Nov 18, 2010 at 5:20 PM, Ahmed Elhoussiny <aelhoussiny_at_gmail.com> wrote:
>> > >
>> > > > Dears, just sharing some news, BGP & International Gateways
>> > > >
>> > > > *For 18 minutes, about 15 percent of all web traffic was redirected through
>> > > > China, including traffic to and from the sites of the U.S. Army, Navy,
>> > > > Marine Corps, Air Force, the office of the Secretary of Defense, the Senate
>> > > > and NASA, according to a report delivered to Congress by the U.S.-China
>> > > > Economic and Security Review Commission.*
>> > > >
>> > > > *The report says that the irregular routing could have allowed the
>> > > > surveillance of users or sites, the disruption or diversion of
>> > > > communications and the compromising of supposedly secure encrypted
>> > > > sessions.*
>> > > >
>> > > > *The report alleges that the diversion was caused when China Telecom briefly
>> > > > offered a false electronic notification to internet traffic on the web,
>> > > > causing some traffic to mistakenly conclude that the quickest way to reach
>> > > > its destination was to travel through the company's servers in China.*
>> > > >
>> > > > http://edition.cnn.com/2010/US/11/17/websites.chinese.servers/index.html?hpt=T1
>> > > >
>> > > >
>> > > >
>> > > > *Solution: filters that deny BGP updates about your prefixes that are
>> > > > originated from your country, including some BGP reg_exp, accepting only
>> > > > these prefixes from trusted BGP (e or i) sources*
>> > > >
>> > > > *A new update about this from Network World magazine:*
>> > > >
>> > > > The incident could have been an accident
>> > > > <http://www.pcworld.com/article/193849/a_chinese_isp_momentarily_hijacks_the_internet.html>
>> > > > that stems from a weakness of the Border Gateway Protocol (BGP), which is
>> > > > used to help route traffic and connect the Internet together.
>> > > >
>> > > > BGP data is sent from small service providers like IDC China
>> > > > Telecommunication and then shared with larger providers. Small providers
>> > > > generally direct Internet traffic to about 30 routes. For some reason, on
>> > > > April 8 IDC China Telecommunication began directing to tens of thousands of
>> > > > networks. The bad information was then accepted by larger Internet providers
>> > > > like China Telecom, which then propagated the data.
>> > > >
>> > > > http://www.networkworld.com/news/2010/111810-china-telecom-operator-denies-hijacking.html?hpg1=bn
>> > > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > > > --
>> > > >
>> > > > Thanks & B.regards
>> > > > Ahmed Elhoussiny,2x CCIE# 21988 (R&S-SP)
>> > > > Network Consultant & Cisco Academy Instructor
>> > > >
>> > > >
>> > > > Blogs and organic groups at http://www.ccie.net
>> > > >
>> > > >
>> > > > _______________________________________________________________________
>> > > > Subscription information may be found at:
>> > > > http://www.groupstudy.com/list/CCIELab.html
>> > > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > >
>> > >
>> > > --
>> > > Ronald Angello
>> > > Senior Network Architect
>> > > CCIE 17846
>> > > CCDP, CCIP, CCNP
>> > >
>> >
>> >
>> > --
>> >
>> > Thanks & B.regards
>> > Ahmed Elhoussiny,2x CCIE# 21988 (R&S-SP)
>> > Network Consultant & Cisco Academy Instructor
>> >
>>
>

Received on Fri Nov 19 2010 - 00:48:29 ART
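
Added example (not written by any poster in this thread): a small Python model of the inbound filtering debated above. It applies the two `ip prefix-list china-nets` entries quoted in the thread, with `le` matching, to constructed announcements, so the transit-customer prefix from the objection about Provider Independent space is visibly dropped, and it adds a per-session prefix limit motivated by the "about 30 routes" versus "tens of thousands" figures in the quoted article. The function names, the sample announcements and the choice to count received (not accepted) prefixes are assumptions.

```python
import ipaddress

# The two entries quoted in the thread, as (network, le). With only "le N",
# a prefix matches when it lies inside the network and its length is between
# the entry's own length and N inclusive.
CHINA_NETS = [("61.0.0.0/8", 24), ("202.0.0.0/8", 24)]


def permitted(prefix, entries=CHINA_NETS):
    """Return True if prefix matches any 'permit <net> le <n>' entry."""
    p = ipaddress.ip_network(prefix)
    for net, le in entries:
        n = ipaddress.ip_network(net)
        if p.version == n.version and p.subnet_of(n) and n.prefixlen <= p.prefixlen <= le:
            return True
    return False  # implicit deny at the end of a prefix-list


def filter_session(announcements, max_prefix):
    """Apply a prefix limit, then the prefix-list, to one peer's announcements.

    Returns (accepted, rejected, session_up). Simplified model: the limit is
    checked against the number of prefixes received, and exceeding it drops
    the whole session, which bounds a leak whatever prefixes it contains.
    """
    if len(announcements) > max_prefix:
        return [], list(announcements), False
    accepted = [a for a in announcements if permitted(a)]
    rejected = [a for a in announcements if not permitted(a)]
    return accepted, rejected, True


# Constructed sample data, not taken from any real routing table.
NORMAL = [
    "61.128.0.0/10",    # inside 61/8, length within 8..24 -> permitted
    "202.96.0.0/12",    # inside 202/8 -> permitted
    "61.1.2.0/25",      # inside 61/8 but longer than /24 -> denied
    "198.51.100.0/24",  # stands in for a foreign customer's PI block sent via
                        # this carrier as transit -> denied by the static list
]
LEAK = [f"10.{i // 256}.{i % 256}.0/24" for i in range(40000)]

if __name__ == "__main__":
    print(filter_session(NORMAL, max_prefix=30))
    print(filter_session(LEAK, max_prefix=30)[2])
```

The `198.51.100.0/24` case is the trade-off raised in the thread: a static per-carrier list also drops legitimate transit customers, while the prefix limit catches a large leak without needing to know who those customers are.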
