nanog mailing list archives

Re: Anomalies with AS13214 ?


From: Andree Toonk <andree+nanog () toonk nl>
Date: Mon, 11 May 2009 20:29:30 +0200

.-- My secret spy satellite informs me that at Mon, 11 May 2009, Jay Hennigan wrote:

> We're getting cyclops[1] alerts that AS13214 is advertising itself as
> origin for all of our prefixes.  Their anomaly report shows thousands of
> prefixes originating there.
>
> Anyone else seeing evidence of this or being affected?

It seems it was picked up by route-views4. None of the RIS peers seem to have seen this.

Looking at the raw bgp data from route-views4:
AS13214 leaked a full table (~266294 prefixes) with 13214 as OriginAS to AS48285 which is a routeviews4 peer.
Routeviews4 saw these announcements as: ASpath 48285 13214.

It seems to have happened twice:
~ 11:03:45 GMT to 12:16:31 GMT (here AS48285 started announcing a valid path to routeviews again)
then a few seconds later again:
~ 12:16:36 GMT to 12:18:14 GMT 
After that AS48285 announced ‘normal’ ASpath to routeviews again.

So looks like it wasn’t a global hijack, it was only seen by one routeview peer. This is a very similar event to the one we saw on November 11 2008:
http://bgpmon.net/blog/?p=80

This again shows that it’s hard to determine if an event is a ‘real’ hijack or not. Some will say it’s irrelevant, some want to be notified in all cases. Based on received feedback regarding the November 11 event, BGPmon.net implemented peer thresholds (http://bgpmon.net/blog/?p=88).

Cheers,
 Andree
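
The check described in the message above (origin taken from the rightmost AS in the path, then counting how many collector peers saw it), as an added example that is not part of the original post and is not BGPmon.net's code. It assumes a "peer threshold" means a minimum number of distinct peers that must see an unexpected origin before alerting; all prefixes, the 645xx ASNs and the observations are constructed.

```python
from collections import defaultdict

# Constructed observations: (collector peer AS, prefix, AS path).
# Prefixes and 645xx ASNs are documentation values, not real routing data.
OBSERVATIONS = [
    (48285, "192.0.2.0/24", [48285, 13214]),         # the "48285 13214" pattern
    (64496, "192.0.2.0/24", [64496, 64510, 64500]),  # normal path
    (64497, "192.0.2.0/24", [64497, 64500]),         # normal path
    (48285, "198.51.100.0/24", [48285, 64499]),
    (64496, "198.51.100.0/24", [64496, 64499]),
    (64497, "198.51.100.0/24", [64497, 64511, 64499]),
]
# Origin AS the prefix owner expects to see (assumed to be known in advance).
EXPECTED_ORIGIN = {"192.0.2.0/24": 64500, "198.51.100.0/24": 64500}


def origin_of(as_path):
    """The origin AS is the last (rightmost) AS in the path."""
    return as_path[-1]


def unexpected_origins(observations, expected):
    """Map (prefix, origin) -> set of peers that saw that unexpected origin."""
    seen = defaultdict(set)
    for peer, prefix, path in observations:
        if prefix in expected and path and origin_of(path) != expected[prefix]:
            seen[(prefix, origin_of(path))].add(peer)
    return seen


def classify(observations, expected, peer_threshold):
    """'alert' if at least peer_threshold distinct peers saw it, else 'local'."""
    anomalies = unexpected_origins(observations, expected)
    return {
        key: "alert" if len(peers) >= peer_threshold else "local"
        for key, peers in anomalies.items()
    }


if __name__ == "__main__":
    verdicts = classify(OBSERVATIONS, EXPECTED_ORIGIN, peer_threshold=2)
    for (prefix, origin), verdict in sorted(verdicts.items()):
        print(f"{prefix} origin AS{origin}: {verdict}")
```

With a threshold of 1 the single-peer event is reported as well, which is the "notified in all cases" preference mentioned in the message.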

