Just to clear up some misinfo circulating, a BGP hijack was not the cause of
Cloudflare DNS going down today.

At 21:51 UTC, Cloudflare (AS13335) withdrew both 1.1.1.0/24 and 1.0.0.0/24 for an unknown reason.

I suspect AS4755 was always announcing 1.1.1.0/24; when CF went away, it leaked a bit (i.e. "%2").

https://infosec.exchange/@GossiTheDog@cyberplace.social/114854023690856642


@dougmadory I'm not that experienced in BGP, so please excuse the potentially stupid question, but why did TATA announcing 1.1.1.0/24 not cause issues even when Cloudflare was still announcing it?

@paddi my guess is that 4755 always announces 1.1.1.0/24 for some internal routing and it never propagates anywhere because of 1) 13335’s huge peering base, and 2) RPKI ROV enforcement.

1.1.1.0/24 is used internally in a lot of places. There are local hijacks happening all the time for that range.

Since there is a ROA (and the fact that 13335 originates it) the hijacks don't go very far.

The main problem was AS13335 withdrawing 1.1.1.0/24 and 1.0.0.0/24.

Only 13335 could take down these routes.
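The ROV mechanism described above, as an added illustration that is not part of the thread: an RFC 6811-style origin validator run over constructed announcements for 1.1.1.0/24. The ROA contents (maxLength 24, origin 13335) and the announcements are assumptions modelled on the posts, not real RPKI or routing data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # prefix the ROA covers, e.g. "1.1.1.0/24"
    max_length: int  # longest prefix length the holder authorises
    origin_as: int   # ASN authorised to originate it


# Constructed ROAs modelled on the thread: 13335 authorised for both /24s.
ROAS = (ROA("1.1.1.0/24", 24, 13335), ROA("1.0.0.0/24", 24, 13335))


def rov_state(announced_prefix: str, origin_as: int, roas) -> str:
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    covering = [
        r for r in roas
        if (net := ipaddress.ip_network(r.prefix, strict=False)).version
        == announced.version and announced.subnet_of(net)
    ]
    if not covering:
        return "not-found"           # no ROA covers this prefix at all
    for roa in covering:
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "valid"           # authorised origin, length within maxLength
    return "invalid"                 # covered, but wrong origin or too specific


def select_route(announcements, roas, enforce_rov: bool):
    """Return the origin AS a router keeps for the given (prefix, origin) list.

    With ROV enforcement, invalids are dropped and valids are preferred over
    not-found; without it, the first candidate wins. None means no route.
    """
    ranked = []
    for prefix, origin in announcements:
        state = rov_state(prefix, origin, roas)
        if enforce_rov and state == "invalid":
            continue                 # an enforcing router never installs this
        ranked.append((0 if state == "valid" else 1, origin))
    return min(ranked)[1] if ranked else None


if __name__ == "__main__":
    before = [("1.1.1.0/24", 13335), ("1.1.1.0/24", 4755)]
    after = [("1.1.1.0/24", 4755)]   # 13335 has withdrawn the prefix
    print(select_route(before, ROAS, True), select_route(after, ROAS, True))
    print(select_route(after, ROAS, False))  # non-enforcing network: the leak
```

While 13335's valid route is present, the 4755 announcement loses everywhere; once 13335 withdraws, only networks that do not enforce ROV install the invalid route, which is the limited leak the thread describes.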

@dougmadory Thanks!