Full Path Incidents & Bogons
Qrator Labs Radar team is proud to announce a significant change in its detection of routing incidents. Previously we could report only the ‘abnormal’ subpath of an incident, because of limits in our previous model representation. We put a lot of effort into designing and deploying a new model that can process hundreds of full-view BGP sessions in real time, which includes compressing the data, analyzing the compressed representation, and reconstructing the full AS_PATH for each detected incident. This change substantially improves our ability to detect accepted route leaks. With this new functionality we have also added information about bogon routes to our security section.
There are two types of bogon routes: prefix bogons and path bogons. The first type occurs when your network leaks or accepts private or reserved addresses. It is common practice to use these address ranges for network infrastructure, and a leak of these addresses makes the network vulnerable to DDoS attacks. On the other hand, if a network accepts such routes, it may redirect internal service traffic over external links, resulting in a broken control plane and an outage. Our data show a significant difference in the number of incidents between IPv4 and IPv6: in IPv4 nearly 500 prefixes from private ranges are announced and accepted by different ISPs, while in IPv6 there are fewer than a dozen such rogue advertisements.
The second type of bogon, a bogon path, is a route that carries a private AS number in its AS_PATH attribute. For a decade such mistakes were simply ignored, even though they can create significant network issues if an ISP uses private AS numbers inside its infrastructure and, at the same time, accepts routes with a bogon path from external links. That may result in availability problems for both networks, especially where BGP confederations are in use. Recently (by networking standards) several large ISPs, including NTT, declared that they would drop all routes with private ASNs in the AS_PATH. Still, today more than 8 thousand prefixes experience direct network issues due to this anomaly.
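As an added illustration of the two bogon types described above (this is example code written for this page, not Qrator Radar's detection model), the following Python checker flags a route as a prefix bogon when the announced prefix lies inside a private or reserved range, and as a path bogon when its AS_PATH contains a private, reserved or documentation ASN. The bogon prefix list is a constructed subset, the sample routes and their ASNs are constructed placeholders, and AS_PATHs are assumed to be plain AS_SEQUENCEs without AS_SET braces.

```python
import ipaddress

# Constructed subset of prefixes that must never be routed globally (RFC 1918, RFC 6598,
# loopback, link-local, documentation); production checks need a full maintained bogon list.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "::ffff:0:0/96", "2001:db8::/32", "fc00::/7", "fe80::/10")]

# ASN ranges (inclusive) that must not appear in a public AS_PATH.
BOGON_ASN_RANGES = [
    (0, 0),                    # reserved, RFC 7607
    (64496, 64511),            # documentation, RFC 5398
    (64512, 65534),            # private use, RFC 6996
    (65535, 65535),            # reserved, RFC 7300
    (65536, 65551),            # documentation, RFC 5398
    (4200000000, 4294967294),  # private use (32-bit), RFC 6996
    (4294967295, 4294967295),  # reserved, RFC 7300
]

def is_prefix_bogon(prefix):
    """True if the announced prefix lies inside any bogon range."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == b.version and net.subnet_of(b) for b in BOGON_PREFIXES)

def bogon_asns(as_path):
    """ASNs in a space-separated AS_SEQUENCE (no AS_SET braces) that fall in a bogon range."""
    asns = [int(tok) for tok in as_path.split()]
    return [a for a in asns if any(lo <= a <= hi for lo, hi in BOGON_ASN_RANGES)]

def classify(prefix, as_path):
    """Label one route with the bogon incident types described in the post."""
    flags = ["prefix-bogon"] if is_prefix_bogon(prefix) else []
    if bogon_asns(as_path):
        flags.append("path-bogon")
    return flags

def scan(routes):
    """Map each offending (prefix, as_path) route to its incident flags."""
    return {f"{p} via {a}": f for p, a in routes if (f := classify(p, a))}

# Constructed sample RIB entries; the ASNs are arbitrary placeholders, not real observations.
SAMPLE_ROUTES = [
    ("192.168.10.0/24", "1001 2002"),     # RFC 1918 space leaked and accepted
    ("185.0.0.0/16", "1001 64512 2002"),  # private ASN left inside the path
    ("2001:db8::/32", "1001 65000"),      # documentation prefix and private ASN
    ("185.1.0.0/16", "1001 2002"),        # ordinary route, must not be flagged
]
```

Running `scan(SAMPLE_ROUTES)` flags the first three routes and leaves the ordinary one alone; an operator would apply the same two checks on both import and export to avoid being on either side of the incidents described above.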