Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Massive spike in BGP traffic - Possible BGP poisoning?

Published: 2012-06-28
Last Updated: 2012-06-28 11:03:40 UTC
by Chris Mohan (Version: 1)
4 comment(s)

Reader Yin wrote in after noticing a huge spike in unsolicited border gateway protocol (BGP) traffic. This same spike in BGP connections has also been noted on DShield's sensors [1].  Thankfully he provided a packet capture which contained numerous BGP OPEN [2] messages.

 Here is a snippet of the BGP packet with the relevant details:

These messages all originated from the same system, based in Korea.

The Korean system IP is part of: 

 AS Number          : AS9848

 AS Name            : SEJONGTELECOM-AS


From my understanding of BGP, this system is attempting to pass itself off as AS 65333, a private ASN [3] and poison the router with false details.

Whether misconfiguration or a malicious act is unknown at this point. Most, if not all routers should have basic protections in place to protect against this type of event having an effect [4].

Please let us know if you're seeing the same thing, can added anything further or if my analysis needs correcting.

UPDATE: Thank you to Reader Job for the clarification on private ASNs  






Chris Mohan --- Internet Storm Center Handler on Duty

4 comment(s)
Diary Archives