How to prevent screwing up Internet with BGP?

yzTyzT Member Posts: 365 ■■■□□□□□□□
Indonesia Hijacks the World - Renesys

That was an incident that happened earlier this month where 2/3 of Internet traffic was redirected to Indosat's networks.

I've been asked how could I prevent such a mess, but I have no idea.

Comments

  • ccnxjrccnxjr Member Posts: 304 ■■■□□□□□□□
    BGP route filtering Bro!
    Do you haz it?!

    :P

    Having spent time in Juniper-verse, basically you screen advertised routes before exporting them to your route table.
    Likewise, many ISPs will also set up filtering just in case someone fat fingers a netmask and claims to own far more networks than they really do or , *heaven forbid* 0.0.0.0/0 !!!!!!!!!!!!

    Usually this happens prior to turning up the BGP link.
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    As an end user company you should never be able to cause this. Your ISP should have filters on them that prevent their customers causing major issues like this. In the same way you would by default filter out advertising prvt IP address ranged.

    However my simple way is to have a prefix-list applied to all out bound BGP that only lets me advertise any of my public IP addresses. This means even if i do accidentally miss type a network command and try to advertise an incorrect block I will never advertise a route that does not belong to me.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • LuieLuie Member Posts: 33 ■■□□□□□□□□
    DevilWAH wrote: »
    As an end user company you should never be able to cause this. Your ISP should have filters on them that prevent their customers causing major issues like this.

    Absolutely, you have to tell us what routes you are going to send because we filter the inbound prefixes. We absolutely will not accept a route from a customer if they haven't advised us...just as our interexchanges won't accept them from us without documentation ahead of time. The incident in the article was either an incredibly major mistake, or a huge breach of procedures.

    And yes, you should definitely filter your outbound prefixes as well, because mistakes can be made on either side and it's just added protection.

    Source: Analyst at large US provider
  • Dieg0MDieg0M Member Posts: 861
    It's important to have strict inbound and outbound filtering, especially if you own a public AS and don't want to be transient for the rest of the internet.
    Follow my CCDE journey at www.routingnull0.com
  • pevangelpevangel Member Posts: 342
    This reminds me of a feature on Pan-OS called "Remove and Prepend". You can remove the whole AS path and replace it with your own AS. I saw the feature when I was trying to figure out how to do as-override.
Sign In or Register to comment.