nanog mailing list archives
Re: Anomalies with AS13214 ?
From: Russell Heilling <chewtoy () s8n net>
Date: Tue, 28 Jul 2009 11:50:02 +0100
2009/5/11 Ricardo Oliveira <rveloso () cs ucla edu>:
Hi all,

First, thanks for using Cyclops, and thanks for all the Cyclops users that drop me a message about this. It seems some router in AS13214 decided to originate all the prefixes and send them to AS48285 in the Caymans, all the ASPATHs are 48285 13214. The first announcement was on 2009-05-11 11:03:11 UTC and last on 2009-05-11 12:16:32 UTC, there were 266,289 prefixes leaked (they were withdrawn afterwards)

It looks like AS13214 are misbehaving again... We have just started receiving cyclops alerts indicating that AS13214 is announcing our prefixes again:

Alert ID: 4927389
Alert type: origin change
Monitored ASN,prefix: 78.154.96.0/19
Offending attribute: 78.154.96.0/19-13214
Date: 2009-07-28 08:30:56 UTC
Duration: 00:00:01 (hh:mm:ss)
No. monitors: 1 (http://cyclops.cs.ucla.edu/view_monitors.html?aid=4927389)
Announced prefix: 78.154.96.0/19
Announced ASPATH: 48285 13214
BGP message: http://cyclops.cs.ucla.edu/show_myalert.html?aid=4927389

I guess ROBTEX didn't implement ingress filters after the last episode...

As indicated in the Cyclops alerts, only a single monitor (AS48285) in route-views4 detected this leak. I checked on other neighbors of AS13214 and they seem fine, so it seems it was only a single router issue. This incident shows the advantage of having a wide set of peers for detection, it seems Cyclops was the only tool to detect this incident. Given the amount of banks and financial institutions in the Caymans, I would otherwise have raised a red flag, but it seems this case was an unintentional misconfig by AS13214.

Would appreciate any further comment on the tool, and happy cyclopying!

--Ricardo
the Cyclops guy
http://cyclops.cs.ucla.edu

On May 11, 2009, at 8:30 AM, Jay Hennigan wrote:

We're getting cyclops[1] alerts that AS13214 is advertising itself as origin for all of our prefixes. Their anomaly report shows thousands of prefixes originating there. Anyone else seeing evidence of this or being affected?

[1] http://cyclops.cs.ucla.edu/

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay () impulse net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

--
Russell Heilling
http://perlmonkey.blogspot.com
"The amazing ability of the bee to adapt herself often helps the beekeeper to overcome the results of his ignorance." - Brother Adam
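
Added illustration, not part of the original message and not Cyclops's own code: a minimal origin-change check of the kind the alert above reports, extended to also flag more-specific announcements and to count the distinct monitors that saw each one. The expected origin AS64500 and the monitor ASNs other than 48285 are constructed placeholders from the documentation range, since the post does not give them.

```python
import ipaddress
from collections import defaultdict

# Constructed registry of monitored prefixes and their legitimate origin ASNs.
# AS64500 (documentation range) stands in for the real origin, which the post does not give.
EXPECTED = {ipaddress.ip_network("78.154.96.0/19"): {64500}}

# (monitor peer AS, prefix, AS path). The first row is the announcement from
# the alert in the post; the other rows are constructed for illustration.
UPDATES = [
    (48285, "78.154.96.0/19", "48285 13214"),
    (64510, "78.154.96.0/19", "64510 64500 64500"),   # legitimate, with prepending
    (64511, "78.154.100.0/24", "64511 13214"),        # more-specific of a monitored prefix
    (64511, "78.154.100.0/24", "64511 13214"),        # duplicate from the same monitor
    (64510, "192.0.2.0/24", "64510 13214"),           # not monitored
]

def origin_of(as_path):
    """Right-most ASN in the path; None for an empty path or an AS_SET like {1,2}."""
    hops = as_path.split()
    return int(hops[-1]) if hops and hops[-1].isdigit() else None

def classify(prefix, as_path, expected=EXPECTED):
    """Return (monitored_prefix, alert_type, origin), or None if the update is fine."""
    net, origin = ipaddress.ip_network(prefix), origin_of(as_path)
    for monitored, origins in expected.items():
        if net.version == monitored.version and net.subnet_of(monitored):
            if origin in origins:
                return None
            kind = "origin change" if net == monitored else "sub-prefix origin change"
            return (str(monitored), kind, origin)
    return None

def scan(updates, expected=EXPECTED):
    """Group offending announcements and count the distinct monitors that saw each."""
    seen = defaultdict(set)
    for monitor, prefix, as_path in updates:
        hit = classify(prefix, as_path, expected)
        if hit:
            seen[(prefix, hit[1], hit[2], as_path)].add(monitor)
    return [
        {"prefix": p, "type": t, "origin": o, "as_path": path, "monitors": len(m)}
        for (p, t, o, path), m in seen.items()
    ]

if __name__ == "__main__":
    for alert in scan(UPDATES):
        print(alert)
```

A low monitor count, as in the alert quoted in the message, means the announcement was visible from few vantage points, which is why the breadth of the peer set matters for detection.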