
homero | 7 months ago

Related, non-causal event: BGP origin hijack of 1.1.1.0/24 exposed by withdrawal of routes from Cloudflare. This was not a cause of the service failure, but an unrelated issue that was suddenly visible as that prefix was withdrawn by Cloudflare.


ollien|7 months ago

I'm a bit uneducated here - why was the other 1.1.1.0/24 announcement previously suppressed? Did it just express a high enough cost that no one took it on compared to the CF announcement?

whiatp|7 months ago

CF had their route covered by RPKI, which at a high level uses certs to formalize delegation of IP address space.

What caused this specific behavior is the dilemma of backwards compatibility when it comes to BGP security. We are a long ways off from all routes being covered by RPKI, (just 56% of v4 routes according to https://rpki-monitor.antd.nist.gov/ROV ) so invalid routes tend to be treated as less preferred, not rejected by BGP speakers that support RPKI.

JdeBP|7 months ago

And because people highlighted it on social media at the time of the outage, many thought that the bogus route was the cause of the problem.

kylestanfield|7 months ago

So someone just started advertising the prefix when it was up for grabs? That’s pretty funny

woutifier|7 months ago

No, they were already doing that, the global withdrawal of the legitimate route just exposed it.
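
An added example, not part of the thread: a small model of the behavior whiatp describes, where an RPKI-invalid announcement is de-preferred rather than rejected, so it only becomes the best path once the valid route is withdrawn. The ROA entry, the local-preference values, the AS-path lengths and the second origin (AS64500, a documentation ASN) are constructed assumptions; the state logic follows RFC 6811 origin validation.

```python
import ipaddress

# Constructed sample ROA table: (prefix, maxLength, authorized origin ASN).
# AS13335 is Cloudflare; AS64500 below is a documentation ASN standing in
# for the unauthorized origin, which the thread does not name.
ROAS = [("1.1.1.0/24", 24, 13335)]

def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue                      # this ROA does not cover the route
        covered = True
        if net.prefixlen <= max_len and origin_asn == roa_asn:
            return "valid"
    # Covered by at least one ROA but matched none: invalid. No ROA: notfound.
    return "invalid" if covered else "notfound"

# Assumed local-preference per validation state (higher wins).
LOCAL_PREF = {"valid": 200, "notfound": 100, "invalid": 50}

def best_path(routes, policy):
    """Pick the winning origin ASN among announcements of one prefix.

    routes: list of (prefix, origin_asn, as_path_len)
    policy: 'depref' keeps invalid routes at low preference,
            'reject' drops them at import.
    Returns the origin ASN of the best path, or None if nothing is installed.
    """
    candidates = []
    for prefix, origin, path_len in routes:
        state = rov_state(prefix, origin)
        if policy == "reject" and state == "invalid":
            continue
        # Sort key: highest local-pref first, then shortest AS path.
        candidates.append((-LOCAL_PREF[state], path_len, origin))
    return min(candidates)[2] if candidates else None

LEGIT = ("1.1.1.0/24", 13335, 4)    # constructed path lengths
BOGUS = ("1.1.1.0/24", 64500, 2)    # shorter path, but RPKI-invalid
```

With both routes present the valid origin wins under either policy; with only `BOGUS` left, a de-preferencing router installs it while a rejecting router has no route at all.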