[HELP] BGP Prefix Hijack


Donny Achmadi
Aug 10, 2016, 12:36:02 AM
to IDNOG
Dear IDNOG friends,

Quick question: for the past two days I have been getting alerts that my BGP prefixes are being announced by ASN "5" (Symbolics, Inc.).
I checked on bgp.he.net and it is true, several of my subnets are being advertised by them.

And oddly, in their IPv4 peer list there is a BGP peering to my ASN, AS 38788, even though none of my BGP routers has a peer to AS 5.

I would appreciate help and input: what should I do about this case?
I am confused, because no BGP peer session to AS5 is visible on the routers, yet in the global AS path AS 5 shows up behind AS 38788 :(

And what preventive steps can I take so that my prefixes cannot be hijacked like this?

Thank you.
Donny Achmadi

danang
Aug 10, 2016, 1:03:25 AM
to id...@googlegroups.com
Dear Om Donny,

The easiest thing is to first confirm with MoneyGram at ne...@moneygram.com.

regards

danang
--
Web: http://www.idnog.or.id
Facebook: https://www.facebook.com/idnog
Linkedin: http://www.linkedin.com/groups/IDNOG-6657303
---
You received this message because you are subscribed to the Google Groups "IDNOG" group.
To unsubscribe from this group and stop receiving emails from it, send an email to idnog+un...@googlegroups.com.
To post to this group, send email to id...@googlegroups.com.
Visit this group at https://groups.google.com/group/idnog.
For more options, visit https://groups.google.com/d/optout.

gato arie
Aug 10, 2016, 1:03:25 AM
to id...@googlegroups.com
Check again, bro,
maybe something in your network uses AS5
and it got advertised along by accident.



danang
Aug 10, 2016, 1:07:08 AM
to id...@googlegroups.com
Oh sorry, my mistake, that is not MoneyGram's but Symbolics': gan...@princap.com

-------- Original Message --------
From: Donny Achmadi
Sent: Wed, 10 Aug 2016 11:06:05 +0700
To: IDNOG
Subject: [IDNOG] [HELP] BGP Prefix Hijack


Donny Achmadi
Aug 10, 2016, 1:11:28 AM
to IDNOG
Om Arie,

I have already checked all the routers, not a single one peers with AS5, om.
Really strange, there is no session yet they can claim to sit behind us :(

Donny Achmadi
Aug 10, 2016, 1:13:25 AM
to IDNOG, danan...@hts.net.id
Om Danang,

OK om, thank you for the info.
I will try to confirm first.

Donny Achmadi
Aug 10, 2016, 1:27:41 AM
to IDNOG, danan...@hts.net.id
I tried reporting to them, but instead got "The email account that you tried to reach does not exist",
now I am confused about where else to report :(

                   The mail system

<gan...@princap.com>: host aspmx.l.google.com[74.125.200.26] said: 550-5.1.1
    The email account that you tried to reach does not exist. Please try
    550-5.1.1 double-checking the recipient's email address for typos or
    550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1

saktie change
Aug 10, 2016, 2:24:50 AM
to id...@googlegroups.com

Filter your own prefixes coming in from outside, and report it to your upstream, I guess :)

danang
Aug 10, 2016, 2:31:04 AM
to id...@googlegroups.com
What about going to ARIN, om? It is probably a leftover from Symbolics in the old days... the one that owns the oldest domain in the world... whoever handled it may have passed away; ARIN says the POC has been unreachable since 2006.

Budiwijaya
Aug 10, 2016, 4:19:24 AM
to id...@googlegroups.com
Mas Donny,

Check your route-map; there may be a mistaken prepend using ASN 5.

Thank you
Budiwijaya

Donny Achmadi
Aug 10, 2016, 5:21:12 AM
to IDNOG
Mas Budi,

Thank you for the suggestion, mas.
Alhamdulillah, finally found it, that really was the cause: an ASN 5 stuck in the route-map's prepend :D

Ugh, I have been laughing about this ever since :v

Again, thank you mas :)

**CASE CLOSED**

Affan Basalamah
Aug 10, 2016, 5:24:09 AM
to id...@googlegroups.com
That's how it goes, mas Budi saves the day again; apparently this is because he has read the Cisco Press book BGP Design & Implementation cover to cover hehehe

-affan

Budiwijaya
Aug 10, 2016, 5:49:41 AM
to id...@googlegroups.com
Alhamdulillah.
That's how it goes, mas. Been there, done that.

@Cak Affan, thanks for the book. Haven't finished it yet. Still going deeper. wkwkwk.

I Nyoman Tusta B
Aug 10, 2016, 6:08:53 AM
to id...@googlegroups.com
Maybe there was a mix-up between prepending 5 times (last-as) and using an ASN for the prepend?
:-)

Br,
I Nyoman Tusta B
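The posts above describe the root cause: an outbound prepend that carried the literal ASN 5, so every neighbour saw AS5 as the origin behind AS38788. The following is an added example, not code from the thread or from any of the posters. It models how an outbound as-path prepend changes the path an eBGP neighbour receives (assuming Cisco IOS-style semantics: the outbound route-map is applied first, then the router places its own ASN in front), and lints route-map text for prepends that would make a foreign ASN the visible origin. The route-map and prefix-list names are made up.

```python
"""
Model of how an outbound AS-path prepend shapes what an eBGP neighbour
sees, plus a small linter for 'set as-path prepend' statements.

Added example (not from the thread). Assumes Cisco IOS-style semantics:
the outbound route-map is applied first, then the router puts its own
ASN in front when the update leaves on an eBGP session. Route-map and
prefix-list names below are hypothetical.
"""
import re
from typing import List, Sequence, Tuple

LOCAL_AS = 38788  # the ASN from the thread


def advertised_path(local_as: int, prepend: Sequence[int],
                    original_path: Sequence[int] = ()) -> Tuple[int, ...]:
    """AS_PATH as received by an eBGP neighbour after an outbound prepend.

    original_path is the path held in the local BGP table (empty for a
    locally originated prefix). The prepend list goes in front of it, and
    the local ASN goes in front of everything on the way out.
    """
    return (local_as, *prepend, *original_path)


def origin_as(path: Sequence[int]) -> int:
    """The origin AS is the rightmost ASN in the AS_PATH."""
    if not path:
        raise ValueError("empty AS_PATH has no origin")
    return path[-1]


PREPEND_RE = re.compile(r"^\s*set\s+as-path\s+prepend\s+(.+?)\s*$", re.IGNORECASE)


def lint_prepends(config_lines: Sequence[str], local_as: int) -> List[str]:
    """Flag prepend lines that contain an ASN other than local_as.

    For a locally originated prefix such a line makes the foreign ASN the
    visible origin, which is exactly what hijack monitors alert on. The
    'last-as N' form repeats an ASN already in the path rather than
    listing literal ASNs, so it is only reported for manual review.
    """
    findings: List[str] = []
    for lineno, line in enumerate(config_lines, 1):
        m = PREPEND_RE.match(line)
        if not m:
            continue
        args = m.group(1).split()
        if args[0].lower() == "last-as":
            findings.append(f"line {lineno}: 'last-as' form, review by hand: {line.strip()}")
            continue
        asns = [int(a) for a in args]
        foreign = sorted({a for a in asns if a != local_as})
        if foreign:
            findings.append(
                f"line {lineno}: prepends foreign ASN(s) {foreign}; a locally "
                f"originated prefix would show origin AS{asns[-1]} to neighbours"
            )
    return findings


# Constructed route-map fragments (hypothetical names) for demonstration.
ROUTE_MAP_BAD = [
    "route-map TO-UPSTREAM permit 10",
    " match ip address prefix-list OWN-PREFIXES",
    " set as-path prepend 5",  # the mix-up the thread describes: ASN 5, not 5 times
]
ROUTE_MAP_GOOD = [
    "route-map TO-UPSTREAM permit 10",
    " match ip address prefix-list OWN-PREFIXES",
    " set as-path prepend 38788 38788 38788 38788 38788",
]

if __name__ == "__main__":
    bad = advertised_path(LOCAL_AS, [5])
    good = advertised_path(LOCAL_AS, [LOCAL_AS] * 5)
    print("bad :", " ".join(map(str, bad)), "-> origin AS", origin_as(bad))
    print("good:", " ".join(map(str, good)), "-> origin AS", origin_as(good))
    for finding in lint_prepends(ROUTE_MAP_BAD, LOCAL_AS) + lint_prepends(ROUTE_MAP_GOOD, LOCAL_AS):
        print(finding)
```

Running the linter over router configs before they are pushed (or nightly over backups) catches this class of mistake without waiting for an external monitor to page you; the "bad" path above reproduces the `... 38788 5` tail that appeared in the alert.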




Wita Laksono
Aug 10, 2016, 10:57:04 PM
to IDNOG
This RIPE Atlas Ambassador really is extraordinary. Not only an expert in BGP routing, but also at hiking up Bromo in the small hours :)

See you again soon Cak Bud... in shaa Allah ;)

gato arie
Aug 11, 2016, 5:02:13 AM
to id...@googlegroups.com
Dear Mas Donny,

How can we get an alert when our BGP prefixes are announced by another party?
What system do you use for the monitoring?
Perhaps you could share it.

Regards,
ArieGatot

Donny Achmadi
Aug 11, 2016, 5:14:37 AM
to IDNOG
Dear Mas Arie,

I use BGPMON.net, mas,
to monitor the BGP prefixes we own.
I only use the paid tier, and the pricing depends on the number of prefixes you want to monitor.

Here is an example of the report I got yesterday, mas:

You received this email because you are subscribed to BGPmon.net.
For more details about these updates please visit:
https://portal.bgpmon.net/myalerts.php

====================================================================
Possible Prefix Hijack (Code: 10)
====================================================================
Your prefix:          43.230.4.0/24:
Update time:          2016-08-10 08:51 (UTC)
Detected by #peers:   14
Detected prefix:      43.230.4.0/24
Announced by:         AS5 (Symbolics, Inc.)
Upstream AS:          AS38788 (PT Indonesian Cloud)
ASpath:               13124 1299 17451 38788 5
Alert details:        https://portal.bgpmon.net/alerts.php?details&alert_id=62740382
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=62740382

====================================================================
Possible Prefix Hijack (Code: 10)
====================================================================
Your prefix:          43.231.128.0/23:
Update time:          2016-08-10 08:51 (UTC)
Detected by #peers:   12
Detected prefix:      43.231.128.0/23
Announced by:         AS5 (Symbolics, Inc.)
Upstream AS:          AS38788 (PT Indonesian Cloud)
ASpath:               43996 17451 38788 5
Alert details:        https://portal.bgpmon.net/alerts.php?details&alert_id=62740383
Mark as false alert:  https://portal.bgpmon.net/fp.php?aid=62740383

--------------------------------------------------------------
 *for questions regarding the change code or other question, please see:
https://portal.bgpmon.net/faq.php

Latest BGPmon news: http://bgpmon.net/blog/
  * Large hijack affects reachability of high traffic destinations
  * Country wide outage in Azerbaijan
  * Large scale BGP hijack out of India

Lia Hestina
Aug 11, 2016, 5:45:07 AM
to id...@googlegroups.com
Dear mas Arie,

Here is a suggestion from a colleague at RIPEstat: use the RIPEstat API call.
Replace 193.0.0.0/21 with the prefixes you want to monitor, then write a script to interpret the JSON result you get back.

Good luck!
Lia

Budiwijaya
Aug 11, 2016, 5:46:38 AM
to id...@googlegroups.com
My office also uses bgpmon; I think there is a free tier, but only for < 5 prefixes.
There is also an alternative: http://cyclops.cs.ucla.edu/

Thank you
Budiwijaya

Budiwijaya
Aug 11, 2016, 5:56:20 AM
to id...@googlegroups.com
Thanks mbak Lia!

I was just looking for tools in Atlas that could monitor this sort of thing.
Just looked at the JSON result; it seems this is the part that can be monitored:

"last_seen": {
"origin": "3333",
"prefix": "193.0.0.0/21",
"time": "2016-08-11T08:00:00"
}

Just compare the origin field with the real AS.

Thank you
Budiwijaya
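The monitoring posts above boil down to one check: compare the origin ASN seen by the outside world with the ASN that should originate the prefix. The following is an added example, not code from the thread, from RIPE NCC or from BGPmon. It applies that check to a RIPEstat-style routing-status document (constructed here after the `last_seen` fragment quoted above, where a real deployment would fetch it from the RIPEstat API) and to the BGPmon alert text Donny posted, then adds the triage step this thread turned out to need: telling a bogus origin that sits directly behind your own ASN (look at your own outbound route-maps first) apart from a prefix originated by a third party with no trace of you in the path.

```python
"""
Origin check for monitored prefixes, fed by (a) a RIPEstat-style
routing-status JSON document and (b) a BGPmon-style alert mail, with a
triage step separating "someone else originates my prefix" from "my own
router exported a bogus origin" (the situation in this thread).

Added example: not code from the thread, RIPE NCC or BGPmon. The JSON is
constructed after the quoted 'last_seen' fragment; a real deployment
would fetch it from the RIPEstat API instead of embedding it.
"""
import json
from typing import Dict, List, Optional, Sequence, Tuple

LOCAL_AS = 38788  # the thread's own ASN

# Prefix -> ASN that should originate it (the prefixes from the alert).
EXPECTED_ORIGIN: Dict[str, int] = {
    "43.230.4.0/24": 38788,
    "43.231.128.0/23": 38788,
}

# Constructed sample: shape follows the quoted RIPEstat fragment, values
# follow the alert (origin "5" instead of the real 38788).
SAMPLE_RIPESTAT = json.dumps({
    "data": {
        "resource": "43.230.4.0/24",
        "last_seen": {"origin": "5", "prefix": "43.230.4.0/24",
                      "time": "2016-08-10T08:51:00"},
    }
})

# The two alerts posted in the thread, reduced to the fields parsed here.
SAMPLE_BGPMON_ALERT = """\
Possible Prefix Hijack (Code: 10)
Your prefix:          43.230.4.0/24:
Announced by:         AS5 (Symbolics, Inc.)
ASpath:               13124 1299 17451 38788 5

Possible Prefix Hijack (Code: 10)
Your prefix:          43.231.128.0/23:
Announced by:         AS5 (Symbolics, Inc.)
ASpath:               43996 17451 38788 5
"""


def ripestat_origin(doc: str) -> Optional[int]:
    """data.last_seen.origin as an int, or None if missing or not a plain ASN."""
    try:
        return int(json.loads(doc)["data"]["last_seen"]["origin"])
    except (KeyError, TypeError, ValueError):
        return None


def parse_bgpmon_alerts(text: str) -> List[Tuple[str, List[int]]]:
    """Split a BGPmon-style alert mail into (prefix, as_path) records."""
    alerts: List[Tuple[str, List[int]]] = []
    prefix: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("Your prefix:"):
            # the mail writes the prefix with a trailing colon; drop it
            prefix = line.split(":", 1)[1].strip().rstrip(":")
        elif line.startswith("ASpath:") and prefix is not None:
            alerts.append((prefix, [int(a) for a in line.split(":", 1)[1].split()]))
            prefix = None
    return alerts


def classify(prefix: str, path: Sequence[int], expected: Dict[str, int],
             local_as: int) -> str:
    """Triage one announcement of prefix carrying AS_PATH path.

    ok              origin (rightmost ASN) is the expected one
    self-inflicted  bogus origin sits directly behind our own ASN, so the
                    update left our router like that: check outbound
                    route-maps (prepends) before mailing anyone
    external        another network originates it; talk to upstreams
    unknown-prefix  not in our inventory (or empty path)
    """
    if prefix not in expected or not path:
        return "unknown-prefix"
    if path[-1] == expected[prefix]:
        return "ok"
    if len(path) >= 2 and path[-2] == local_as:
        return "self-inflicted"
    return "external"


def run(ripestat_doc: str, alert_mail: str) -> Dict[str, str]:
    """Evaluate both feeds; returns {"<source> <prefix>": verdict}."""
    verdicts: Dict[str, str] = {}
    resource = json.loads(ripestat_doc)["data"]["resource"]
    origin = ripestat_origin(ripestat_doc)
    if origin is None:
        verdicts[f"ripestat {resource}"] = "unparseable"
    elif origin == EXPECTED_ORIGIN.get(resource):
        verdicts[f"ripestat {resource}"] = "ok"
    else:
        verdicts[f"ripestat {resource}"] = f"origin-mismatch (saw AS{origin})"
    for prefix, path in parse_bgpmon_alerts(alert_mail):
        verdicts[f"bgpmon {prefix}"] = classify(prefix, path, EXPECTED_ORIGIN, LOCAL_AS)
    return verdicts


if __name__ == "__main__":
    for source, verdict in run(SAMPLE_RIPESTAT, SAMPLE_BGPMON_ALERT).items():
        print(f"{source}: {verdict}")
```

One caveat on the triage: AS_PATH is not authenticated, so a hijacker can forge a path that runs through your ASN. "self-inflicted" is therefore the first thing to rule out on your own routers, not proof that nobody else is involved; if your route-maps are clean, treat the alert as external and escalate to your upstreams.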

Lia Hestina
Aug 11, 2016, 6:11:19 AM
to id...@googlegroups.com
You're welcome, mas :)

Here is one more addition from my colleague: if you go through the routing endpoint from earlier, it updates every 8 hours.
If you go through the looking glass (also a RIPEstat service) you can set the interval yourself, e.g. every 5 or 10 minutes.

Please implement this API call against:
Then write a script to check every X minutes as you wish, and process the result.

Thanks,
Lia

Donny Achmadi
Aug 11, 2016, 6:13:32 AM
to id...@googlegroups.com
Wow, that's a cool tool.
Time to tinker again.

Thank you mba Lia :)

--
Warm Regards,

Donny Achmadi
Moslem Engineer | mobile: +62899-878-2359 | about.me/donnyachmadi

Diky Mulyana
Aug 11, 2016, 6:27:36 AM
to id...@googlegroups.com
Great sharing, thanks all.

Budiwijaya
Aug 13, 2016, 8:49:23 AM
to id...@googlegroups.com
Oh, I missed this email.
So this hike is all thanks to Cak Wita.
Okay, looking forward to it cak, APNIC goes to Bromo 2016.

Thanks
Budiwijaya