Shutting down the BGP Hijack Factory
It started with a lengthy email to the NANOG mailing list on 25 June 2018: independent security researcher Ronald Guilmette detailed the suspicious routing activities of a company called Bitcanal, whom he referred to as a “Hijack Factory.” In his post, Ronald detailed some of the Portuguese company’s most recent BGP hijacks and asked the question: why Bitcanal’s transit providers continue to carry its BGP hijacked routes on to the global internet?
This email kicked off a discussion that led to a concerted effort to kick this bad actor, who has hijacked with impunity for many years, off the internet.
Transit Providers
When presented with the most recent evidence of hijacks, transit providers GTT and Cogent, to their credit, immediately disconnected Bitcanal as a customer. With the loss of international transit, Bitcanal briefly reconnected via Belgian telecom BICS before being disconnected once they were informed of their new customer’s reputation.
The following graphic illustrates a BGP hijack by Bitcanal via Cogent before Cogent disconnected them. Bitcanal’s announcement of 101.124.128.0/18 (Beijing Jingdong 360 Degree E-commerce) was a more-specific hijack of 101.124.0.0/16, normally announced by AS131486 (Beijing Jingdong 360 Degree E-commerce). Continue reading
Hong Kong-Based Citic Telecom Rolls SD-WAN Product Across Europe
The managed service provider plans to expand its SD-WAN service to central Asia and Russia.
AT&T Beefs Up Security With AlienVault Acquisition
AT&T says it will continue to invest in the Open Threat Exchange, an open threat intelligence community started by AlienVault.
IBM’s Latest All-Flash Storage Array ‘Is All About Software’
The new FlashSystem 9100 supports NVMe now and will support NVMe over Fabrics (NVMe-oF) and storage class memory (SCM) in the future.
Arista Introduces Cognitive Cloud Networking for the Campus – Arista
As predicted, Arista starts work on the Campus …..
Red Hat’s James Talks About the Importance of Open Source Innovation
Open source gives telecom providers more control that will be key for deploying 5G and MEC, says James.
Looking to Meet, Podcast and Video in San Francisco/Silicon Valley next week
I’m travelling to Silicon Valley next week for Network Field Day 18 and Google Next the following week. I have extended my stay with a couple of free days . Get in touch if you would like to meet. Hoping to podcast, some video and some fun. Looking for people who listen to Packet Pushers who just want […]
Rough Guide to IETF 102: Internet Infrastructure Resilience
As usual, in this post I’ll focus on important work the IETF is doing that helps improve the security and resilience of the Internet infrastructure.
At IETF 102 there are a lot of new ideas being brought to the community in the form of Internet Drafts aimed at improving the security and resilience of the Internet infrastructure, and I’d like to introduce some of them to you. But keep in mind – an Internet Draft does not indicate IETF endorsement, is not a standard, and may not result in any further work at the IETF.
So, let us look at what is happening in the domain of BGP, the routing protocol that connects the Internet.
Route leaks
There has been slow progress in the work on mitigating route leaks in the IDR Working Group (WG). One of the reasons for the slowness was that the group was considering two proposals addressing the route leak problem and both are IDR WG documents: “Methods for Detection and Mitigation of BGP Route Leaks”, and “Route Leak Prevention using Roles in Update and Open Messages”. Plus, there is a third submission “Route Leak Detection and Filtering using Roles Continue reading
Redirecting DNS Requests to Umbrella with ASA
As networks begin leveraging intelligent DNS products, there is often a need to do some magic at the Internet edge to redirect to the target provider. Some products actually have this capability embedded. Even though the ASA doesn’t specifically have a defined configuration to do this, we can achieve the same outcome with a few simple NAT rules.
An initial thought would be to build a NAT policy as follows
//define the objects object network obj_any subnet 0.0.0.0 0.0.0.0 object network Umbrella1 host 208.67.220.220 object network Umbrella2 host 208.67.222.222 object service UDP-53 service udp destination eq domain //define the nat rules nat (any,outside) source dynamic any interface destination static obj_any Umbrella1 service UDP-53 UDP-53 nat (any,outside) source dynamic any interface destination static obj_any Umbrella2 service UDP-53 UDP-53
This will sort of work. However, there are two words of caution I would share with this approach. First, DNS sometimes leverages TCP. Second, the last NAT rule will never be used. In this case, even requests to 208.67.222.222 would match the first rule and be re-written to the destination 208.67.220.220.
My recommendation would be Continue reading
Redirecting DNS Requests to Umbrella with ASA
As networks begin leveraging intelligent DNS products, there is often a need to do some magic at the Internet edge to redirect to the target provider. Some products actually have this capability embedded. Even though the ASA doesn’t specifically have a defined configuration to do this, we can achieve the same outcome with a few simple NAT rules.
An initial thought would be to build a NAT policy as follows
//define the objects object network obj_any subnet 0.0.0.0 0.0.0.0 object network Umbrella1 host 208.67.220.220 object network Umbrella2 host 208.67.222.222 object service UDP-53 service udp destination eq domain //define the nat rules nat (any,outside) source dynamic any interface destination static obj_any Umbrella1 service UDP-53 UDP-53 nat (any,outside) source dynamic any interface destination static obj_any Umbrella2 service UDP-53 UDP-53
This will sort of work. However, there are two words of caution I would share with this approach. First, DNS sometimes leverages TCP. Second, the last NAT rule will never be used. In this case, even requests to 208.67.222.222 would match the first rule and be re-written to the destination 208.67.220.220.
My recommendation would be Continue reading
Comments on Vendor Optics – Listen Here
I recently listened to Packet Pushers show 395 recently. It is a great discussion on optical networking. One thing I wanted to make everyone aware of was a series of comments on the varying quality of optics and some justification around the premium prices often found on vendor branded optics. While the entire episode is worth a listen, the discussion around vendor optics begins at about 35:20 into the recording.
I work for a vendor and it is doubtful that people would view my opinion as unbiased. I encourage everyone to take a listen below and form their own opinions.
If you are a tech guy or girl, the Packet Pushers Podcast is a perfect addition to the podcatcher.
.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.
Comments on Vendor Optics – Listen Here
I recently listened to Packet Pushers show 395 recently. It is a great discussion on optical networking. One thing I wanted to make everyone aware of was a series of comments on the varying quality of optics and some justification around the premium prices often found on vendor branded optics. While the entire episode is worth a listen, the discussion around vendor optics begins at about 35:20 into the recording.
I work for a vendor and it is doubtful that people would view my opinion as unbiased. I encourage everyone to take a listen below and form their own opinions.
If you are a tech guy or girl, the Packet Pushers Podcast is a perfect addition to the podcatcher.
.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.