Re: [tor-relays] Strange BGP activity with my node
- To: tor-relays@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-relays] Strange BGP activity with my node
- From: Rabbi Rob Thomas <robt@xxxxxxxxx>
- Date: Wed, 9 May 2018 14:45:01 -0400
Dear Trevor,

> I just got a notification from my data center that someone is trying
> to hijack the IP of my exit node. Seems like the sort of thing
> someone might do when trying to attack Tor. I'm in a very remote
> area with limited access but any suggestions on actions I should
> take?
>
> ====================================================================
> Possible Prefix Hijack (Code: 10)
> ====================================================================
> Your prefix:          204.17.32.0/19
> Prefix Description:   GBLX-US-BGP
> Update time:          2018-05-09 12:11 (UTC)
> Detected by #peers:   1
> Detected prefix:      204.17.56.42/32
> Announced by:         AS200005 (Asavie Technologies Limited)
> Upstream AS:          AS200005 (Asavie Technologies Limited)
> ASpath:               200005
>

I took a look through our BGP data and peering routers, and I didn't
see the /32 being announced. I'm not saying it didn't happen, but
rather it may not have carried very far. /32 prefix announcements
rarely propagate very far. There are still a great many filters in
place that restrict announcements more specific than /24 (or /21, or
/19, or ...).

It may be the case that this /32 prefix is a null route that leaked
out, which we've seen happen somewhat frequently. The most notorious
example was an attempted, and unwittingly leaked, null route in
Pakistan (/24s, IIRC) that impacted YouTube.

It appears Asavie does a bit of security and networking work, so
possibly this is attributable to that?

Be well,
Rabbi Rob.

--
Rabbi Rob Thomas Team Cymru
"It is easy to believe in freedom of speech for those with whom we
agree." - Leo McKern
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
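
An added example, not part of the original message: a Python triage sketch that parses the alert fields quoted above and checks the detected prefix against maximum-prefix-length filters of the kind the reply mentions. Modelling a filter by its length limit alone, the filter names, and the /24 comparison prefix are assumptions made for illustration.

```python
import ipaddress
import re

# Alert fields copied from the quoted notification in the message above.
ALERT = """\
Possible Prefix Hijack (Code: 10)
Your prefix:        204.17.32.0/19
Update time:        2018-05-09 12:11 (UTC)
Detected by #peers: 1
Detected prefix:    204.17.56.42/32
Announced by:       AS200005 (Asavie Technologies Limited)
ASpath:             200005
"""

# Assumption: each filter is modelled only by the longest IPv4 prefix it
# accepts. The /24, /21 and /19 limits are the ones named in the reply.
FILTER_LIMITS = {"max /24": 24, "max /21": 21, "max /19": 19}


def parse_alert(text):
    """Return the 'Key: value' lines of the alert as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z #]+):\s+(.+?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def assess(fields):
    """Compare the detected prefix with the owned one and the filters."""
    owned = ipaddress.ip_network(fields["Your prefix"])
    seen = ipaddress.ip_network(fields["Detected prefix"])
    return {
        "more_specific": seen != owned and seen.subnet_of(owned),
        "host_route": seen.prefixlen == seen.max_prefixlen,
        "origin_as": int(fields["ASpath"].split()[-1]),
        "peers": int(fields["Detected by #peers"]),
        "accepted_by": [n for n, limit in FILTER_LIMITS.items()
                        if seen.prefixlen <= limit],
    }


if __name__ == "__main__":
    alert = parse_alert(ALERT)
    print(assess(alert))
    # Constructed comparison: the same alert with a /24 more-specific.
    print(assess({**alert, "Detected prefix": "204.17.56.0/24"}))
```

An empty `accepted_by` list together with a peer count of 1 fits the reply's reading that the /32 did not carry far; a more-specific at /24 would pass the loosest of the three limits and warrants closer attention.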