[sg-ops] suspect AWS route leak from AS206776 and leak through Starhub

Alan Woo Shian Loong alan at ne.com.sg
Sun Mar 25 12:54:39 SGT 2018


Hi,

Starhub have fixed the issue.

traceroute to 13.228.161.243 (13.228.161.243), 30 hops max, 60 byte packets
 1. 203.116.178.1                                                   0.0%    11    0.2   0.2   0.2   0.3   0.1
 2. 203.117.190.73                                                  0.0%    11    1.8   1.9   1.8   2.0   0.1
 3. 203.118.15.241                                                  0.0%    11    1.8   1.9   1.6   3.3   0.5
 4. 203.118.2.30                                                    0.0%    11    1.7   1.8   1.6   2.8   0.3
 5. an-atl-loc11.starhub.net.sg                                     0.0%    11    2.2   2.0   1.9   2.2   0.1
 6. xe-1-0-0.br001.sgp02.ntt.com.sg                                 0.0%    11   18.8   3.5   1.7  18.8   5.1
 7. xe-0-5-0-21.r00.sngpsi02.sg.bb.gin.ntt.net                      0.0%    11    2.2   2.6   2.1   3.7   0.5
 8. ae-0.r21.sngpsi05.sg.bb.gin.ntt.net                             0.0%    11    2.3   2.5   2.3   4.4   0.6
 9. ae-3.r21.sngpsi07.sg.bb.gin.ntt.net                             0.0%    11    2.1   2.4   2.1   4.4   0.7
10. ae-2.r01.sngpsi07.sg.bb.gin.ntt.net                             0.0%    11    2.4   2.9   2.4   5.0   0.9
11. ae-1.a01.sngpsi07.sg.bb.gin.ntt.net                             0.0%    10    2.7   3.4   2.4   8.1   1.8
12. ae-1.amazon.sngpsi07.sg.bb.gin.ntt.net                          0.0%    10    2.4   3.2   2.4   8.1   1.8
13. ???
14. ???
15. ???
16. ???
17. 52.93.11.38                                                     0.0%    10    3.3   4.4   3.1  14.7   3.6
18. 52.93.8.95                                                      0.0%    10    3.4   3.7   3.4   5.0   0.5
19. 203.83.223.31                                                   0.0%    10    3.9   3.7   3.4   5.4   0.6
20. ???

Alan Woo

NewMedia Express Pte Ltd
Mobile: +65 98574266
Office: +65 66368873

On Sun, Mar 25, 2018 at 12:18 PM, Alan Woo Shian Loong <alan at ne.com.sg>
wrote:

> Hi,
>
> The following two /24s are used by AWS load balancers and are leaking from
> AS206776 via Starhub; applications connecting to the following may be
> subject to MITM attack.
>
> 13.228.161.0/24
> 13.250.135.0/24
>
> Affected parties shall be providers / networks using Starhub.
>
> Traceroute from Starhub
> traceroute to 13.228.161.243 (13.228.161.243), 30 hops max, 60 byte packets
>  1  203.116.178.1 (203.116.178.1)  0.198 ms  0.171 ms  0.137 ms
>  2  203.117.190.73 (203.117.190.73)  3.758 ms  3.731 ms  3.738 ms
>  3  203.118.15.237 (203.118.15.237)  1.566 ms 203.118.15.241 (203.118.15.241)  3.600 ms 203.118.15.237 (203.118.15.237)  3.608 ms
>  4  203.118.2.26 (203.118.2.26)  3.591 ms  3.618 ms 203.118.2.30 (203.118.2.30)  3.568 ms
>  5  anutli13.starhub.net.sg (203.118.12.42)  3.681 ms anutli13.starhub.net.sg (203.118.12.46)  3.563 ms  3.500 ms
>  6  histate.telepoint-sofia.nl-ix.net (193.239.118.20)  205.024 ms  205.113 ms  207.147 ms
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
>
> #show ip bgp 13.228.161.243
> BGP routing table entry for 13.228.161.0/24, version 190199360
> Paths: (1 available, best #1, table default)
>    4657 206776 38895
>
>
> Alan Woo
>
> NewMedia Express Pte Ltd
> Mobile: +65 98574266
> Office: +65 66368873
>
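
The check that the quoted "show ip bgp" output makes possible, as an added example that is not part of the original post: parse the entry and flag any AS in the path that is not expected for a monitored prefix. The allow-list (ALLOWED_PATH_ASNS) and the CLEAN sample are assumptions constructed for illustration; only the LEAKED text comes from the message above.

```python
import ipaddress
import re

# Hypothetical policy (assumption, not from the post): for each monitored
# prefix, the ASNs that may legitimately appear anywhere in the AS path.
ALLOWED_PATH_ASNS = {
    "13.228.161.0/24": {4657, 2914, 38895},
    "13.250.135.0/24": {4657, 2914, 38895},
}
ENTRY_RE = re.compile(r"BGP routing table entry for (\S+),")
# Plain AS_SEQUENCE lines only; AS sets and aggregator suffixes are ignored.
PATH_RE = re.compile(r"^\s*(\d+(?:\s+\d+)*)\s*$")

def parse_show_ip_bgp(text):
    """Return (prefix, [as_path, ...]) from 'show ip bgp <addr>' style output."""
    prefix, paths = None, []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            prefix = str(ipaddress.ip_network(m.group(1)))
            continue
        m = PATH_RE.match(line)
        if m and prefix:
            paths.append([int(asn) for asn in m.group(1).split()])
    return prefix, paths

def find_unexpected_asns(text, policy=ALLOWED_PATH_ASNS):
    """List (prefix, as_path, unexpected_asns) for paths that break policy."""
    prefix, paths = parse_show_ip_bgp(text)
    allowed = policy.get(prefix)
    if allowed is None:
        return []  # prefix is not monitored
    findings = []
    for path in paths:
        unexpected = [asn for asn in path if asn not in allowed]
        if unexpected:
            findings.append((prefix, path, unexpected))
    return findings

# Router output as quoted in the message above.
LEAKED = """BGP routing table entry for 13.228.161.0/24, version 190199360
Paths: (1 available, best #1, table default)
   4657 206776 38895
"""
# Constructed sample of a path that satisfies the hypothetical policy.
CLEAN = """BGP routing table entry for 13.228.161.0/24, version 1
Paths: (1 available, best #1, table default)
   4657 2914 38895
"""

if __name__ == "__main__":
    for name, text in (("leaked", LEAKED), ("clean", CLEAN)):
        print(name, find_unexpected_asns(text))
```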