Comment by geocar
4 days ago
> If a state actor were trying to intercept traffic (MITM), the last thing they would do is pad the AS path
That's presumptuous: A state actor would (and could trivially) pad the wrong directions to flow traffic down to PoPs that are not making new announcements (and thus not implicated by Cloudflare and other "journalistic" efforts).
There's also a lot between fat-fingers and deep-state: I know of some non-state actors who do this sort of thing just to fuck with ad impressions. I also doubt much usable intelligence can be gained from mere route manipulation, but I do know that if it is a fat-finger, every techdude in the area was busy at that time trying to figure it out, and wasn't doing their best work twelve hours later...
> most likely a route map intended to manipulate traffic engineering for their own upstream links
...that being said, this does seem plausible: Most smaller multihomed sites I've seen (and a few big ones!) have some kind of ad hoc health monitoring/rebalance function that polls snmp or something and does autoexpect/curl or something else to the router to run some (probably broken) script, because even if your uplinks are symmetrical, the rest of the Internet isn't, so route-stuffing remains the best way to manipulate ingress traffic.
> Never attribute to malice that which is adequately explained by a missing export filter.
As soon as I peer with two big sites that don't peer directly with each other, they both gotta let me forward announcements unfiltered across them. Once I have a third, I have a legitimate need to manipulate my own ingress.
The problems with BGP are legion; it's not just one thing that prevents BGP and security from sharing time in a sentence.
> A state actor would (and could trivially) pad the wrong directions
This isn't how BGP works. An AS-PATH isn't the path the traffic will follow; it's the path that this overall announcement has allegedly traversed and is (one of many attributes) used to judge the quality of a route. The next hop tells our peer where they should send the data if they like this route.
Putting more things in the AS path makes the route less attractive. Leaking a new route isn't going to magically make some other route become more preferred.
You're spot on regarding the mechanics. It's important to reinforce that in BGP, AS-PATH length is a cost metric and not a steering wheel.
Actually many networks will prefer routing over a cheap AS path no matter how long it is.
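To make the two points above concrete (AS-PATH length acting as a cost metric rather than a steering wheel, and networks preferring a cheap link regardless of path length), here is a toy model of the first two steps of the BGP best-path decision: highest LOCAL_PREF wins, then shortest AS_PATH. This is an added example, not code from any commenter or from bgplabs.net; the prefix, AS numbers, next hops and the default LOCAL_PREF of 100 are constructed sample values.

```python
"""Toy BGP best-path selection: highest LOCAL_PREF, then shortest AS_PATH.

Added example with constructed data. Real routers apply many more tie-breakers
(origin, MED, eBGP vs iBGP, IGP cost, router-id); those are deliberately omitted
because the thread's argument only concerns LOCAL_PREF and AS_PATH length.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple          # leftmost = neighbour AS that sent it, rightmost = origin AS
    next_hop: str           # where traffic actually goes if this route is chosen
    local_pref: int = 100   # assumed vendor default; higher is preferred


def prepend(route: Route, times: int) -> Route:
    """Return a copy of `route` whose first AS is repeated `times` extra times.

    This is what an AS does with AS-path prepending: it lengthens its own
    announcement to make that path *less* attractive to others.
    """
    head = route.as_path[0]
    return Route(route.prefix, (head,) * times + route.as_path,
                 route.next_hop, route.local_pref)


def best_path(routes: list) -> Route:
    """Pick the best route for one prefix: highest LOCAL_PREF, then shortest AS_PATH."""
    assert len({r.prefix for r in routes}) == 1, "best_path compares routes for one prefix"
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path)))


def demo() -> dict:
    """Three candidate routes (constructed) for the same prefix, learned from three peers."""
    a = Route("192.0.2.0/24", (64501, 64510), "198.51.100.1")
    b = Route("192.0.2.0/24", (64502, 64520, 64510), "198.51.100.2")
    c = Route("192.0.2.0/24", (64503, 64530, 64540, 64510), "198.51.100.3")

    results = {}
    # Baseline: shortest AS_PATH (A) wins.
    results["baseline"] = best_path([a, b, c]).next_hop
    # Padding B only makes B worse; it cannot promote C over A.
    results["b_prepended"] = best_path([a, prepend(b, 5), c]).next_hop
    # A "cheap" link gets a higher LOCAL_PREF locally, which beats any path length.
    c_cheap = Route(c.prefix, c.as_path, c.next_hop, local_pref=200)
    results["c_local_pref"] = best_path([a, b, c_cheap]).next_hop
    return results


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name:14s} -> traffic leaves via {hop}")
```

Running it shows the baseline and the prepended case both pick 198.51.100.1 (route A), while raising LOCAL_PREF on C sends traffic via 198.51.100.3 even though C has the longest path. Prepending can only demote the route being prepended; changing which *other* route wins requires a local policy knob such as LOCAL_PREF on the receiving side.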
> This isn't how BGP works
This is exactly how BGP works.
https://bgplabs.net/policy/7-prepend/
> Leaking a new route isn't going to magically make some other route become more preferred.
Not magic, but technology can look like magic when you don't understand it.
> > > That's presumptuous: A state actor would (and could trivially) pad the wrong directions to flow traffic down to pops that are not making new announcements
> > Leaking a new route isn't going to magically make some other route become more preferred.
> Not magic, but technology can look like magic when you don't understand it.
Please let me know of the scenario where route A is preferred, undesirable, long-path route B is advertised/leaked, and as a result traffic flows over route C.
I've used BGP for over 25 years, so I'm really curious what you're thinking. Or if you're describing something else, you're being really unclear.
Or if you're just describing withdrawing a route and replacing it with a really undesirable route -- sure, we do that all the time. But that doesn't match this scenario and isn't going to get flagged as a routing anomaly.
> https://bgplabs.net/policy/7-prepend/
You know what's really toxic? Not explaining what you mean and just sending some introductory lab documentation about what the other person has already clearly shown they understand.
I don't even know what you mean by a lot of these things, e.g.
> > > As soon as I peer with two big sites that don't peer directly with each-other, they both gotta let me forward announcements unfiltered across them.
A straightforward reading of "forward" doesn't work for this sentence. I should not take a route from peer A and send it to peer B. Peering isn't transitive. If I try, it should be filtered.
Peering means to give your own routes (and your transit customers' routes) to someone else. Not your other peers' routes.