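A big weapon: the large-scale Internet outage turned out to be route hijacking

Route hijacking
自曲新闻: RT @nickjun: The cause of the nationwide network outage at 00:00 on April 9, 2010 was that the autonomous system numbered AS23724, in China Telecom's IDC data center in Beijing, announced about 37,000 routes that did not belong to it within 15 minutes, whereas it originally had only 40 routes. From a certain point of view, this is what is called route hijacking.

Chinese ISP hijacks the Internet once again
For the second time in the past two weeks, bad network information spreading out of China has thrown the whole Internet into confusion.

On Thursday morning this week, bad routing data from a small ISP called IDC China Telecommunication was propagated a second time by China Telecom and spread across the entire Internet, affecting large ISPs in several countries, including AT&T, Level3, Deutsche Telekom, Qwest Communications and Telefonica. The incident began at 10 a.m. US Eastern Time and lasted about 20 minutes. During that time, 32,000 to 37,000 networks received the bad data, including 8,000 US networks, more than 8,500 Chinese networks, 1,100 Australian networks and 230 French networks.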

Chinese ISP hijacks the Internet

This morning many BGPmon.net users received an alert regarding a possible
prefix hijack by a Chinese network. AS23724 is one of the Data Centers
operated by China Telecom, China’s largest ISP. Normally AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation
only originates about 40 prefixes, however today for about 15 minutes
they originated about ~37,000 unique prefixes that are not assigned to
them. This is what we typically call a prefix hijack.
This incident follows another concerning incident from China 2 weeks ago.

Although it seems they have leaked a whole table, only about 10% of
these prefixes propagated outside of the Chinese network. These include
prefixes for popular websites such as dell.com, cnn.com, www.amazon.de,
www.rapidshare.com and www.geocities.jp.
A large number of networks impacted this morning were actually Chinese
networks. These include some popular Chinese websites such as
www.joy.cn, www.pconline.com.cn, www.huanqiu.com, www.tianya.cn and www.chinaz.com
A list of all prefixes that were announced/hijacked can be found here

The event has been detected globally by peers in the Netherlands, UK,
Russia, Italy, Sweden, USA, Japan and Brazil. However not all individual
prefix ‘hijacks’ were detected globally, many only by a few peers, in
one or 2 countries, but some by more.

Some details
All announcements had part of the AS path in common. The common part in the ASpath is (note the prepend):
4134 23724 23724

Which are:
AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation

ASns peering with AS4134 seem to have picked this up and propagated that to their customers.
Some of these ASns include:
AS9002 RETN-AS ReTN.net Autonomous System
AS12956 TELEFONICA Telefonica Backbone Autonomous System
AS209 ASN-QWEST – Qwest Communications Company, LLC
AS3320 DTAG Deutsche Telekom AG
AS3356 LEVEL3 Level 3 Communications
AS7018 ATT-INTERNET4 – AT&T WorldNet Services

All RIS peers that detected this were behind (transit/peer) one of those ASNs.

AS2914 NTT-COMMUNICATIONS-2914 – NTT America, Inc. customers
Looking at more routing information it seems that AS2914 saw more than
just the 10% mentioned above. So the impact for NTT America customers
might have been bigger.

Impact
28% of the RIS collectors used by BGPmon.net have detected these
events. This means that quite a number of networks were impacted by
this. The first announcement was detected at 2010-04-08 17:54:31 (UTC),
the last ‘hijack’ announcement was at 2010-04-08 18:10:14.
Most ‘alerts’ have now been cleared, they typically lasted a few minutes.

Probably more than the 51 peers mentioned above would have detected
the prefix, but not have chosen this as the best path. Most likely due
to the ASpath length or other policies. I believe it’s fair to assume
that the impact in China and probably Asia was far bigger than the rest
of the world.

Possible Cause
I have not spoken with engineers from AS23724, so I can only speculate.
Given the large number of prefixes and short interval I don’t believe
this is an intentional hijack.
Most likely it’s because of a configuration issue, i.e. fat fingers. But again, this is just speculation.

Prefix distribution
Most prefixes impacted by this were prefixes from the US and China. Below you’ll find the top countries impacted:

Country => number of prefixes hijacked by AS23724
US => 10547
CN => 10298
KR => 2857
AU => 1650
MX => 885
IN => 719
JP => 604
BR => 592
FR => 508
RU => 471
CA => 425
TH => 372
ID => 369
IT => 338
CO => 328
GB => 322
CL => 302
SE => 281
HK => 276
EC => 272
DE => 227

Example alert message

====================================================================
Possible Prefix Hijack (Code: 10)
====================================================================
Your prefix: 203.190.56.0/21:
Prefix Description: www.infoseek.co.jp
Update time: 2010-04-08 16:09 (UTC)
Detected by #peers: 4
Detected prefix: 203.190.56.0/21
Announced by: AS23724 (CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation)
Upstream AS: AS4134 (CHINANET-BACKBONE No.31,Jin-rong Street)
ASpath: 8331 9002 9002 4134 23724 23724
Alert details: http://bgpmon.net/alerts.php?details&alert_id=6617721
Mark as false alert: http://bgpmon.net/fp.php?aid=6617721
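
The origin check behind an alert like the one above, as an added example (not BGPmon's code and not part of the original article). The expected-origin table, AS64500 (a documentation-range placeholder for the legitimate origin, which the page does not name), the sample updates and the spike factor are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed monitoring table: monitored prefix -> legitimate origin AS.
# The prefix comes from the alert above; AS64500 is a documentation-range
# placeholder, because the page does not name the real origin.
EXPECTED = {"203.190.56.0/21": 64500}

def origin_and_upstream(as_path):
    """Collapse prepends (repeated ASNs); return (origin, upstream or None)."""
    hops = []
    for asn in map(int, as_path.split()):
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops[-1], (hops[-2] if len(hops) > 1 else None)

def check_update(prefix, as_path, expected=EXPECTED):
    """Alert when a monitored prefix, or a more-specific inside it,
    is announced by an origin other than the expected one."""
    net = ipaddress.ip_network(prefix)
    origin, upstream = origin_and_upstream(as_path)
    for monitored, legit in expected.items():
        mon = ipaddress.ip_network(monitored)
        if net.version != mon.version or not net.subnet_of(mon):
            continue
        if origin != legit:
            return {"monitored": monitored, "detected": prefix,
                    "kind": "exact" if net == mon else "more-specific",
                    "origin": origin, "upstream": upstream}
    return None

def origin_spikes(updates, baseline, factor=10):
    """Flag origins whose unique-prefix count exceeds factor x baseline."""
    unique = {(origin_and_upstream(path)[0], prefix) for prefix, path in updates}
    counts = Counter(origin for origin, _ in unique)
    return {asn: n for asn, n in counts.items()
            if asn in baseline and n > factor * baseline[asn]}

if __name__ == "__main__":
    # Constructed updates: the alert's path, a legitimate path, a more-specific.
    for pfx, path in [("203.190.56.0/21", "8331 9002 9002 4134 23724 23724"),
                      ("203.190.56.0/21", "3356 64500"),
                      ("203.190.60.0/24", "7018 4134 23724 23724")]:
        print(pfx, path, "->", check_update(pfx, path))
```

The spike check covers the other signal the article describes: an origin that normally announces about 40 prefixes suddenly originating thousands.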
