Just to clear up some misinfo circulating, a BGP hijack was not the cause of
Cloudflare DNS going down today.

At 21:51 UTC, Cloudflare (AS13335) withdrew both 1.1.1.0/24 and 1.0.0.0/24 for an unknown reason.

I suspect AS4755 was always announcing 1.1.1.0/24; when CF went away, it leaked a bit (i.e. "%2").

https://infosec.exchange/@GossiTheDog@cyberplace.social/114854023690856642


@dougmadory 1.1.1.0/24 and 1.0.0.0/24 have had valid ROAs. If networks accepted announcements from another origin, that's kind of on them. They would have been rejected by anyone doing #RPKI ROV.

Yeah, there are ROAs for 1.1.1.0/24 and 1.0.0.0/24; however, 6453 accepted 1.1.1.0/24 from 4755 and passed it on, so they aren't validating routes from 4755.

It didn't go too far. It was only the absence of 13335 that allowed it to propagate at all.

@dougmadory - Just wondering, what could cause Tata to actually announce the 1.1.1.0/24?

BGP.tools reveals that there are actually paths where 4755 or 6453 is the second-last hop to 13335.

For instance: 3320, 6453, 13335

Is it that Tata hosts instances for Quad 1, and failure response mechanisms ensure the prefix is still announced? Somewhat as a resiliency effort?

@resingm my guess is that 4755 always announces 1.1.1.0/24 for some internal routing and it never propagates anywhere because of 1) 13335’s huge peering base, and 2) RPKI ROV enforcement.

1.1.1.0/24 is used internally in a lot of places. There are local hijacks happening all the time for that range.

Since there is a ROA (and the fact that 13335 originates it) the hijacks don't go very far.
The main problem was AS13335 withdrawing 1.1.1.0/24 and 1.0.0.0/24.

Only 13335 could take down these routes.
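The thread keeps coming back to RPKI route origin validation: a network doing ROV would have dropped 1.1.1.0/24 with origin 4755 because the ROA names 13335. The snippet below is an added illustration, not code from any of the posters or from Cloudflare or Tata, of what that check (RFC 6811 style: valid / invalid / notfound) looks like in Python, applied to a constructed set of announcements. The ROA entries and their maxLength values are assumptions for the example, not a copy of the real ROAs, and the announcement list is made up; AS_SET handling is ignored.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maximum length, authorised origin ASN."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int
    origin_asn: int


def roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix, strict=True), max_length, origin_asn)


# Constructed ROA set for the example. The thread says ROAs exist for both
# prefixes with 13335 as origin; maxLength 24 here is an assumption.
ROAS = [
    roa("1.1.1.0/24", 24, 13335),
    roa("1.0.0.0/24", 24, 13335),
]


def rov_state(roas, announced_prefix: str, origin_asn: int) -> str:
    """Route origin validation per RFC 6811.

    'notfound' : no ROA covers the prefix at all
    'valid'    : some covering ROA names this origin and permits this length
    'invalid'  : covering ROA(s) exist but none matches origin and length
    """
    prefix = ipaddress.ip_network(announced_prefix, strict=False)
    covering = [
        r for r in roas
        if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)
    ]
    if not covering:
        return "notfound"
    for r in covering:
        if r.origin_asn == origin_asn and prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def filter_announcements(roas, announcements):
    """Apply ROV to (prefix, as_path) pairs as a router would on import.

    Drops 'invalid' announcements; keeps 'valid' and 'notfound' ones
    (the usual conservative policy). Origin ASN is the last element of the
    AS path; AS_SETs are not modelled here.
    """
    kept = []
    for prefix, as_path in announcements:
        origin = as_path[-1]
        state = rov_state(roas, prefix, origin)
        if state != "invalid":
            kept.append((prefix, tuple(as_path), state))
    return kept


# Constructed announcements as a transit AS might receive them (made up for
# the example): the legitimate route, the leaked one with 4755 as origin,
# and an unrelated documentation prefix with no ROA.
ANNOUNCEMENTS = [
    ("1.1.1.0/24", [13335]),
    ("1.1.1.0/24", [4755]),
    ("1.0.0.0/24", [13335]),
    ("192.0.2.0/24", [64496]),
]

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(prefix, path, rov_state(ROAS, prefix, path[-1]))
    print("accepted:", filter_announcements(ROAS, ANNOUNCEMENTS))
```

With 13335's own announcement present, the 4755 route is both invalid and a worse path; once 13335 withdraws, only the ROV check stands between that announcement and propagation, which is the gap the thread points at for 6453.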