How to prevent screwing up Internet with BGP?

Indonesia Hijacks the World - Renesys

That was an incident that happened earlier this month where 2/3 of Internet traffic was redirected to Indosat's networks.

I've been asked how could I prevent such a mess, but I have no idea.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

ccnxjr

BGP route filtering Bro!
Do you haz it?!

:P

Having spent time in Juniper-verse, basically you screen advertised routes before exporting them to your route table.
Likewise, many ISPs will also set up filtering just in case someone fat fingers a netmask and claims to own far more networks than they really do or , *heaven forbid* 0.0.0.0/0 !!!!!!!!!!!!

Usually this happens prior to turning up the BGP link.

DevilWAH

As an end user company you should never be able to cause this. Your ISP should have filters on them that prevent their customers causing major issues like this. In the same way you would by default filter out advertising prvt IP address ranged.

However my simple way is to have a prefix-list applied to all out bound BGP that only lets me advertise any of my public IP addresses. This means even if i do accidentally miss type a network command and try to advertise an incorrect block I will never advertise a route that does not belong to me.

Luie

DevilWAH wrote: »

As an end user company you should never be able to cause this. Your ISP should have filters on them that prevent their customers causing major issues like this.

Absolutely, you have to tell us what routes you are going to send because we filter the inbound prefixes. We absolutely will not accept a route from a customer if they haven't advised us...just as our interexchanges won't accept them from us without documentation ahead of time. The incident in the article was either an incredibly major mistake, or a huge breach of procedures.

And yes, you should definitely filter your outbound prefixes as well, because mistakes can be made on either side and it's just added protection.

Source: Analyst at large US provider

Dieg0M

It's important to have strict inbound and outbound filtering, especially if you own a public AS and don't want to be transient for the rest of the internet.

pevangel

This reminds me of a feature on Pan-OS called "Remove and Prepend". You can remove the whole AS path and replace it with your own AS. I saw the feature when I was trying to figure out how to do as-override.