- NANOG - lists.nanog.org

ISP Security BOF @NANOG 39
by Danny McPherson 13 Jan '07

13 Jan '07

Folks, For some crazy reason I've agreed again to chair the ISP Security BOF at NANOG 39 in Toronto. If you've got items you'd like to discuss, like to see discussed, or would prefer not be presented, please let me know ASAP. The two agenda items for the moment are meant to be, in the very spirit of a BOF, loose panel discussions on the following topics: The root of a log: Extracting Intelligence from the Woods Botnet C&C: Extirpate or Infiltrate? If you'd be interested in sharing your views, please let me know, although RSVP is not necessary. Slides are welcome but not required. Thanks in advance, see you in Toronto! -danny

2 1

Re: Network end users to pull down 2 gigabytes a day, continuously?
by odlyzko＠dtc.umn.edu 13 Jan '07

13 Jan '07

A remark and a question: 1. 2 GB/day per user would indeed require tossing everyone's CURRENT baseline network usage metrics out the window, IF IT WERE TO BE ACHIEVED INSTANTANEOUSLY. The key question is, how quickly and widely will this application spread? Back in 1997, when I first started collecting Internet usage statistics, there were concerns that pre-fetching applications like WebWhacker (anyone remember that?) would lead to a collapse of networks and business plans. With flat rate dial access, staying connected for 24 hours per day would have (i) exhausted the modem pools, which were built on a 5-10 oversubscription ratio, and (ii) broken the aggregation and backbone networks, generating about 240 MB/day or traffic per subscriber (on a 19.2 Kbps modem, about standard then). But the average user was online just 1 hour per day, and download traffic was about 2 Kbps during that hour, leading to about 1 MB/day of traffic, and the world did not come to a halt. (And yes, I am suppressing some details, such as ISPs TOSs forbidding applications like WebWhacker, and technical measures to keep them limited.) Today, download rates per broadband subscriber range (among the few industrialized countries for which I have data or at least decent estimates) from about 60 MB in Australia to 1 GB in Hong Kong. So 2 GB/day is not that far out of range for Hong Kong (or South Korea) even today. And in a few years (which is what you always have to allow for, even Napster and Skype did not take over the world in the proverbial "Internet time" of 8 months or less), other places might catch up. 2. The question I don't understand is, why stream? In these days, when a terabyte disk for consumer PCs is about to be introduced, why bother with streaming? It is so much simpler to download (at faster than real-time rates, if possible), and play it back. Andrew > On Sat, 6 Jan 2007, Marshall Eubanks wrote: Note that 220 MB per hour (ugly units) is 489 Kbps, slightly less =20 than our current usage. > The more popular the content is, the more sources it can be pulled =20 > from > and the less redundant data we send, and that number can be as low as > 220MB per hour viewed. (Actually, I find this a tough thing to explain > to people in general; it's really counterintuitive to see that more > peers =3D=3D less bandwidth - I'm still searching for a useful = user-facing > metaphor, anyone got any ideas?). Why not just say, the more peers, the more efficient it becomes as it =20= approaches the bandwidth floor set by the chosen streaming ? Regards Marshall On Jan 6, 2007, at 9:07 AM, Colm MacCarthaigh wrote: > > On Sat, Jan 06, 2007 at 03:18:03AM -0500, Robert Boyle wrote: >> At 01:52 AM 1/6/2007, Thomas Leavitt <thomas(a)thomasleavitt.org> =20 >> wrote: >>> If this application takes off, I have to presume that everyone's >>> baseline network usage metrics can be tossed out the window... > > That's a strong possibility :-) > > I'm currently the network person for The Venice Project, and busy > building out our network, but also involved in the design and planning > work and a bunch of other things. > > I'll try and answer any questions I can, I may be a little =20 > restricted in > revealing details of forthcoming developments and so on, so please > forgive me if there's later something I can't answer, but for now I'll > try and answer any of the technicalities. Our philosophy is to pretty > open about how we work and what we do. > > We're actually working on more general purpose explanations of all =20 > this, > which we'll be putting on-line soon. I'm not from our PR dept, or a > spokesperson, just a long-time NANOG reader and ocasional poster > answering technical stuff here, so please don't just post the archive > link to digg/slashdot or whatever. > > The Venice Project will affect network operators and we're working =20 > on a > range of different things which may help out there. We've designed =20= > our > traffic to be easily categorisable (I wish we could mark a DSCP, =20 > but the > levels of access needed on some platforms are just too restrictive) =20= > and > we know how the real internet works. Already we have aggregate per-AS > usage statistics, and have some primitive network proximity =20 > clustering. > AS-level clustering is planned. > > This will reduce transit costs, but there's not much we can do for =20 > other > infrastructural, L2 or last-mile costs. We're L3 and above only. > Additionally, we predict a healthy chunk of usage will go to our "Long > tail servers", which are explained a bit here; > > http://www.vipeers.com/vipeers/2007/01/venice_project_.html > > and in the next 6 months or so, we hope to turn up at IX's and arrange > private peerings to defray the transit cost of that traffic too. > Right now, our main transit provider is BT (AS5400) who are at some > well-known IX's. > >> Interesting. Why does it send so much data? > > It's full-screen TV-quality video :-) After adding all the overhead =20= > for > p2p protocol and stream resilience we still only use a maximum of =20 > 320MB > per viewing hour. > > The more popular the content is, the more sources it can be pulled =20 > from > and the less redundant data we send, and that number can be as low as > 220MB per hour viewed. (Actually, I find this a tough thing to explain > to people in general; it's really counterintuitive to see that more > peers =3D=3D less bandwidth - I'm still searching for a useful = user-facing > metaphor, anyone got any ideas?). > > To put that in context; a 45 minute episode grabbed from a file-=20 > sharing > network will generally eat 350MB on-disk, obviously slightly more is > used after you account for even the 2% TCP/IP overhead and p2p =20 > protocol > headers. And it will usually take longer than 45 minutes to get there. > > Compressed digital telivision works out at between 900MB and 3GB an =20= > hour > viewed (raw is in the tens of gigabytes). DVD is of the same order. > YouTube works out at about 80MB to 230MB per-hour, for a mini-screen > (though I'm open to correction on that, I've just multiplied the > bitrates out). > >> Is it a peer to peer type of system where it redistributes a portion >> of the stream as you are viewing it to other users? > > Yes, though not neccessarily as you are viewing it. A proportion of =20= > what > you have viewed previously is cached and can be made available to =20 > other > peers. > > --=20 > Colm MacC=E1rthaigh Public Key: colm=20 > +pgp(a)stdlib.net

22 45

Weekly Routing Table Report
by Routing Analysis Role Account 12 Jan '07

12 Jan '07

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. Daily listings are sent to bgp-stats(a)lists.apnic.net For historical data, please see http://thyme.apnic.net. If you have any comments please contact Philip Smith <pfs(a)cisco.com>. Routing Table Report 04:00 +10GMT Sat 13 Jan, 2007 Analysis Summary ---------------- BGP routing table entries examined: 207335 Prefixes after maximum aggregation: 112275 Deaggregation factor: 1.85 Unique aggregates announced to Internet: 101123 Total ASes present in the Internet Routing Table: 24109 Origin-only ASes present in the Internet Routing Table: 21004 Origin ASes announcing only one prefix: 10167 Transit ASes present in the Internet Routing Table: 3105 Transit-only ASes present in the Internet Routing Table: 79 Average AS path length visible in the Internet Routing Table: 3.6 Max AS path length visible: 32 Max AS path prepend of ASN (20858) 18 Prefixes from unregistered ASNs in the Routing Table: 1 Unregistered ASNs in the Routing Table: 4 Special use prefixes present in the Routing Table: 0 Prefixes being announced from unallocated address space: 9 Number of addresses announced to Internet: 1654125772 Equivalent to 98 /8s, 151 /16s and 244 /24s Percentage of available address space announced: 44.6 Percentage of allocated address space announced: 63.3 Percentage of available address space allocated: 70.5 Total number of prefixes smaller than registry allocations: 105540 APNIC Region Analysis Summary ----------------------------- Prefixes being announced by APNIC Region ASes: 46064 Total APNIC prefixes after maximum aggregation: 18654 APNIC Deaggregation factor: 2.47 Prefixes being announced from the APNIC address blocks: 43622 Unique aggregates announced from the APNIC address blocks: 19166 APNIC Region origin ASes present in the Internet Routing Table: 2819 APNIC Region origin ASes announcing only one prefix: 794 APNIC Region transit ASes present in the Internet Routing Table: 421 Average APNIC Region AS path length visible: 3.7 Max APNIC Region AS path length visible: 16 Number of APNIC addresses announced to Internet: 274913376 Equivalent to 16 /8s, 98 /16s and 216 /24s Percentage of available APNIC address space announced: 86.0 APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations) 23552-24575, 37888-38911 APNIC Address Blocks 58/7, 60/7, 121/8, 122/7, 124/7, 126/8, 202/7 210/7, 218/7, 220/7 and 222/8 ARIN Region Analysis Summary ---------------------------- Prefixes being announced by ARIN Region ASes: 102243 Total ARIN prefixes after maximum aggregation: 60587 ARIN Deaggregation factor: 1.69 Prefixes being announced from the ARIN address blocks: 75424 Unique aggregates announced from the ARIN address blocks: 28773 ARIN Region origin ASes present in the Internet Routing Table: 11259 ARIN Region origin ASes announcing only one prefix: 4313 ARIN Region transit ASes present in the Internet Routing Table: 1040 Average ARIN Region AS path length visible: 3.4 Max ARIN Region AS path length visible: 21 Number of ARIN addresses announced to Internet: 312109696 Equivalent to 18 /8s, 154 /16s and 106 /24s Percentage of available ARIN address space announced: 68.9 ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106 (pre-ERX allocations) 2138-2584, 2615-2772, 2823-2829, 2880-3153 3354-4607, 4865-5119, 5632-6655, 6912-7466 7723-8191, 10240-12287, 13312-15359, 16384-17407 18432-20479, 21504-23551, 25600-26591, 26624-27647, 29696-30719, 31744-33791 35840-36863, 39936-40959 ARIN Address Blocks 24/8, 63/8, 64/5, 72/6, 76/8, 96/6, 199/8, 204/6, 208/7 and 216/8 RIPE Region Analysis Summary ---------------------------- Prefixes being announced by RIPE Region ASes: 42963 Total RIPE prefixes after maximum aggregation: 28092 RIPE Deaggregation factor: 1.53 Prefixes being announced from the RIPE address blocks: 39732 Unique aggregates announced from the RIPE address blocks: 26449 RIPE Region origin ASes present in the Internet Routing Table: 9024 RIPE Region origin ASes announcing only one prefix: 4756 RIPE Region transit ASes present in the Internet Routing Table: 1449 Average RIPE Region AS path length visible: 4.0 Max RIPE Region AS path length visible: 32 Number of RIPE addresses announced to Internet: 284066980 Equivalent to 16 /8s, 238 /16s and 132 /24s Percentage of available RIPE address space announced: 77.0 RIPE AS Blocks 1877-1901, 2043, 2047, 2107-2136, 2585-2614 (pre-ERX allocations) 2773-2822, 2830-2879, 3154-3353, 5377-5631 6656-6911, 8192-9215, 12288-13311, 15360-16383 20480-21503, 24576-25599, 28672-29695 30720-31743, 33792-35839, 38912-39935 40960-43007 RIPE Address Blocks 62/8, 77/8, 78/7, 80/5, 88/6, 193/8, 194/7, 212/7 and 217/8 LACNIC Region Analysis Summary ------------------------------ Prefixes being announced by LACNIC Region ASes: 13538 Total LACNIC prefixes after maximum aggregation: 3991 LACNIC Deaggregation factor: 3.39 Prefixes being announced from the LACNIC address blocks: 11624 Unique aggregates announced from the LACNIC address blocks: 7166 LACNIC Region origin ASes present in the Internet Routing Table: 756 LACNIC Region origin ASes announcing only one prefix: 251 LACNIC Region transit ASes present in the Internet Routing Table: 132 Average LACNIC Region AS path length visible: 4.1 Max LACNIC Region AS path length visible: 20 Number of LACNIC addresses announced to Internet: 36115200 Equivalent to 2 /8s, 39 /16s and 19 /24s Percentage of available LACNIC address space announced: 53.8 LACNIC AS Blocks 26592-26623, 27648-28671, plus ERX transfers LACNIC Address Blocks 189/8, 190/8, 200/7 AfriNIC Region Analysis Summary ------------------------------- Prefixes being announced by AfriNIC Region ASes: 2526 Total AfriNIC prefixes after maximum aggregation: 951 AfriNIC Deaggregation factor: 2.66 Prefixes being announced from the AfriNIC address blocks: 1769 Unique aggregates announced from the AfriNIC address blocks: 1132 AfriNIC Region origin ASes present in the Internet Routing Table: 172 AfriNIC Region origin ASes announcing only one prefix: 53 AfriNIC Region transit ASes present in the Internet Routing Table: 31 Average AfriNIC Region AS path length visible: 3.6 Max AfriNIC Region AS path length visible: 15 Number of AfriNIC addresses announced to Internet: 5344768 Equivalent to 0 /8s, 81 /16s and 142 /24s Percentage of available AfriNIC address space announced: 15.9 AfriNIC AS Blocks 36864-37887 & ERX transfers AfriNIC Address Blocks 41/8, 196/8 APNIC Region per AS prefix count summary ---------------------------------------- ASN No of nets /20 equiv MaxAgg Description 4134 1265 8645 264 CHINANET-BACKBONE 4755 1046 384 68 Videsh Sanchar Nigam Ltd. Aut 9583 1025 99 66 Sify Limited 9498 919 467 65 BHARTI BT INTERNET LTD. 23577 771 34 700 KRNIC 4766 761 4946 312 Korea Telecom (KIX) 1221 574 1698 445 Telstra Pty Ltd 17488 567 35 22 Hathway IP Over Cable Interne 7545 562 126 74 TPG Internet Pty Ltd 17676 503 10935 66 Softbank BB Corp. 18101 499 87 27 Reliance Infocom Ltd Internet 9443 442 111 74 Primus Telecommunications 4812 436 759 69 China Telecom (Shanghai) 9942 436 85 131 COMindico Australia 17974 365 129 12 PT TELEKOMUNIKASI INDONESIA 4802 360 86 150 Wantree Development 17557 355 35 169 Pakistan Telecom 17849 353 33 93 Telecommunications Technology 2907 332 1749 309 SINET Japan 4837 331 3943 144 chinanet IDC center beijing n ARIN Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 7018 1537 6161 998 AT&T WorldNet Services 2386 1106 585 733 AT&T Data Communications Serv 4323 1065 821 300 Time Warner Telecom 6197 1022 639 500 BellSouth Network Solutions, 18566 984 272 8 Covad Communications 701 935 6676 749 UUNET Technologies, Inc. 174 933 6789 865 Cogent Communications 11492 908 99 13 Cable One 1239 822 2730 572 Sprint 19262 804 2538 182 Verizon Global Networks 20115 776 678 415 Charter Communications 721 748 21837 290 DLA Systems Automation Center 209 721 3748 567 Qwest 22773 715 1744 41 Cox Communications, Inc. 7011 688 209 429 Citizens Utilities 852 607 1093 393 Telus Advanced Communications 5668 570 161 19 CenturyTel Internet Holdings, 19916 567 48 57 OLM LLC 6198 550 519 256 BellSouth Network Solutions, 855 536 250 73 Canadian Research Network RIPE Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 702 545 1912 424 UUNET - Commercial IP service 3301 305 1199 287 TeliaNet Sweden 3320 296 4993 247 Deutsche Telekom AG 24863 296 45 25 LINKdotNET AS number 8220 271 473 262 COLT Telecommunications 6746 265 93 243 Dynamic Network Technologies, 680 256 2042 250 DFN-IP service G-WiN 8708 234 283 221 Romania Data Systems S.A. 3215 233 2136 96 France Telecom Transpac 1257 215 1069 171 SWIPnet Swedish IP Network 3269 211 2375 74 TELECOM ITALIA 3246 209 354 196 Song Networks 30890 209 19 90 SC Kappa Invexim SRL 5416 206 13 9 BATELCO-BH 8551 196 197 24 Bezeq International 3352 176 1767 31 Ibernet, Internet Access Netw 3300 175 171 88 AUCS Communications Services 12479 175 578 6 Uni2 Autonomous System 20858 175 34 3 This AS will be used to conne 786 172 1795 172 The JANET IP Service LACNIC Region per AS prefix count summary ----------------------------------------- ASN No of nets /20 equiv MaxAgg Description 8151 829 2015 204 UniNet S.A. de C.V. 11830 482 299 19 Instituto Costarricense de El 11172 385 104 78 Servicios Alestra S.A de C.V 16814 329 20 8 NSS, S.A. 22047 307 206 11 VTR PUNTO NET S.A. 14117 258 16 13 Telefonica del Sur S.A. 6471 256 74 31 ENTEL CHILE S.A. 7303 230 103 32 Telecom Argentina Stet-France 6147 225 182 20 Telefonica Del Peru 6503 216 170 93 AVANTEL, S.A. 11556 212 105 7 Cable-Wireless Panama 10481 181 72 8 Prima S.A. 21826 156 20 35 INTERCABLE 23216 146 19 43 RAMtelecom Telecomunicaciones 18822 145 9 10 TELEFONICA MANQUEHUE 7910 144 10 33 ANDINET ON LINE 19429 141 84 35 E.T.B. 19169 139 9 22 Telconet 14522 134 21 8 SatNet S.A. 7738 116 442 21 Telecomunicacoes da Bahia S.A AfriNIC Region per AS prefix count summary ------------------------------------------ ASN No of nets /20 equiv MaxAgg Description 3741 289 868 231 The Internet Solution 8452 230 60 6 TEDATA 15475 154 84 4 Nile Online 6713 144 135 11 Itissalat Al-MAGHRIB 2018 138 309 113 Tertiary Education Network 5536 123 8 15 Internet Egypt Network 33783 109 6 4 EEPAD TISP TELECOM & INTERNET 24835 85 48 6 RAYA Telecom - Egypt 2905 84 175 73 The Internetworking Company o 2561 60 6 2 Egyptian Universities Network 15706 55 12 4 Sudatel Internet Exchange Aut 23889 55 13 15 MAURITIUS TELECOM 5713 41 294 34 Telkom SA Ltd 12455 39 6 3 Jambonet Autonomous system 33774 38 12 22 AS Number for Telecom Algeria 16637 33 21 25 Johnnic e-Ventures 33766 33 2 1 Nyala Communications Pty Ltd 8524 30 2 6 AUCEGYPT Autonomous System 15804 27 2 1 AS of The Way Out Internet So 33776 27 2 5 Starcomms Nigeria Limited Global Per AS Maximum Aggr summary ---------------------------------- ASN No of nets Net Savings Description 4134 1265 1001 CHINANET-BACKBONE 4755 1046 978 Videsh Sanchar Nigam Ltd. Aut 18566 984 976 Covad Communications 9583 1025 959 Sify Limited 11492 908 895 Cable One 9498 919 854 BHARTI BT INTERNET LTD. 4323 1065 765 Time Warner Telecom 22773 715 674 Cox Communications, Inc. 8151 829 625 UniNet S.A. de C.V. 19262 804 622 Verizon Global Networks 5668 570 551 CenturyTel Internet Holdings, 17488 567 545 Hathway IP Over Cable Interne 6197 1022 522 BellSouth Network Solutions, 19916 567 510 OLM LLC 7545 562 488 TPG Internet Pty Ltd 18101 499 472 Reliance Infocom Ltd Internet 855 536 463 Canadian Research Network 15270 497 463 PaeTec.net -a division of Pae 11830 482 463 Instituto Costarricense de El 721 748 458 DLA Systems Automation Center List of Unregistered Origin ASNs (Global) ----------------------------------------- Bad AS Designation Network Transit AS Description 24409 UNALLOCATED 203.119.29.0/24 9808 Guangdong Mobile Com Advertised Unallocated Addresses -------------------------------- Network Origin AS Description 132.0.0.0/10 721 DLA Systems Automation Center 137.0.0.0/13 721 DLA Systems Automation Center 158.0.0.0/13 721 DLA Systems Automation Center 172.33.1.0/24 7018 AT&T WorldNet Services 192.0.10.0/24 9498 BHARTI BT INTERNET LTD. 192.44.0.0/24 5501 Fraunhofer Gesellschaft 192.44.0.0/19 702 UUNET - Commercial IP service 192.70.164.0/24 25689 National Research Council of 192.172.0.0/19 721 DLA Systems Automation Center Number of prefixes announced per prefix length (Global) ------------------------------------------------------- /1:0 /2:0 /3:0 /4:0 /5:0 /6:0 /7:0 /8:19 /9:10 /10:13 /11:30 /12:116 /13:228 /14:409 /15:804 /16:9100 /17:3636 /18:5933 /19:12911 /20:14500 /21:12941 /22:16483 /23:17922 /24:110644 /25:600 /26:454 /27:357 /28:72 /29:43 /30:86 /31:0 /32:24 Advertised prefixes smaller than registry allocations ----------------------------------------------------- ASN No of nets Total ann. Description 18566 967 984 Covad Communications 11492 894 908 Cable One 9583 854 1025 Sify Limited 7018 832 1537 AT&T WorldNet Services 2386 829 1106 AT&T Data Communications Serv 6197 795 1022 BellSouth Network Solutions, 23577 757 771 KRNIC 7011 593 688 Citizens Utilities 9498 579 919 BHARTI BT INTERNET LTD. 4766 569 761 Korea Telecom (KIX) 19916 562 567 OLM LLC 4755 486 1046 Videsh Sanchar Nigam Ltd. Aut 15270 465 497 PaeTec.net -a division of Pae 5668 440 570 CenturyTel Internet Holdings, 855 433 536 Canadian Research Network 18101 433 499 Reliance Infocom Ltd Internet 1239 408 822 Sprint 33588 400 422 Bresnan Communications, LLC. 17488 390 567 Hathway IP Over Cable Interne 6198 389 550 BellSouth Network Solutions, Number of /24s announced per /8 block (Global) ---------------------------------------------- 4:9 8:62 9:1 12:1653 13:1 15:15 16:3 17:3 18:5 20:36 24:870 25:1 32:55 38:274 40:57 41:57 44:2 47:10 52:4 53:1 55:1 56:3 57:25 58:277 59:365 60:190 61:960 62:1060 63:1893 64:3178 65:2298 66:3085 67:693 68:642 69:1705 70:407 71:129 72:1124 74:125 75:58 76:20 80:819 81:788 82:640 83:349 84:487 85:776 86:435 87:451 88:259 89:732 90:2 91:130 97:1 121:123 122:55 123:24 124:520 125:760 128:315 129:219 130:126 131:315 132:49 133:9 134:183 135:44 136:181 137:114 138:189 139:54 140:520 141:135 142:348 143:212 144:265 145:67 146:320 147:138 148:362 149:187 150:112 151:117 152:90 153:119 154:5 155:245 156:156 157:152 158:167 159:140 160:99 161:94 162:226 163:159 164:237 165:237 166:243 167:280 168:479 169:121 170:365 171:13 172:1 189:49 190:340 192:5740 193:3622 194:2897 195:2194 196:914 198:3772 199:3280 200:4632 201:952 202:7074 203:7271 204:3954 205:2108 206:2429 207:2896 208:2380 209:3565 210:2292 211:865 212:1296 213:1423 214:388 215:39 216:4087 217:1202 218:340 219:257 220:837 221:371 222:261 End of report Report Website: http://thyme.apnic.net

1 0

i wanna be a kpn peer
by Randy Bush 12 Jan '07

12 Jan '07

route-views.oregon-ix.net>sh ip bg 203.10.63.0 BGP routing table entry for 0.0.0.0/, version 2 Paths: (1 available, best #1, table Default-IP-Routing-Table) Not advertised to any peer 286 134.222.85.45 from 134.222.85.45 (134.222.85.45) Origin IGP, localpref 100, valid, external, best Community: 286:286 286:3031 286:3809

7 8

Re: Web Honeynet Project: announcement, exploit URLs this Wednesday
by Gadi Evron 12 Jan '07

12 Jan '07

On Thu, 11 Jan 2007, Ken A wrote: > What about common tools that are already being used for this? Non are perfect (or close to) for this, but I am not discussing tools (yet), just the data. Gadi.

1 0

BGP Update Report
by cidr-report＠potaroo.net 12 Jan '07

12 Jan '07

BGP Update Report Interval: 29-Dec-06 -to- 11-Jan-07 (14 days) Observation Point: BGP Peering with AS4637 TOP 20 Unstable Origin AS Rank ASN Upds % Upds/Pfx AS-Name 1 - AS8220 69155 2.4% 247.0 -- COLT COLT Telecommunications 2 - AS28751 35645 1.2% 254.6 -- CAUCASUS-NET-AS Caucasus Network Tbilisi, Georgia 3 - AS701 35105 1.2% 36.7 -- UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 4 - AS2907 31361 1.1% 94.2 -- ERX-SINET-AS National Center for Science Information Systems 5 - AS702 28034 1.0% 38.8 -- AS702 MCI EMEA - Commercial IP service provider in Europe 6 - AS4804 23274 0.8% 78.4 -- MPX-AS Microplex PTY LTD 7 - AS3561 17058 0.6% 35.2 -- SAVVIS - Savvis 8 - AS306 14923 0.5% 82.0 -- DNIC - DoD Network Information Center 9 - AS5668 14082 0.5% 24.4 -- AS-5668 - CenturyTel Internet Holdings, Inc. 10 - AS705 13873 0.5% 39.8 -- UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 11 - AS9051 12886 0.5% 90.1 -- IDM Autonomous System 12 - AS9583 12181 0.4% 11.4 -- SIFY-AS-IN Sify Limited 13 - AS11830 11686 0.4% 12.7 -- Instituto Costarricense de Electricidad y Telecom. 14 - AS3301 11248 0.4% 36.1 -- TELIANET-SWEDEN TeliaNet Sweden 15 - AS6471 11087 0.4% 43.1 -- ENTEL CHILE S.A. 16 - AS4725 10813 0.4% 152.3 -- ODN JAPAN TELECOM CO.,LTD. 17 - AS6461 10778 0.4% 61.6 -- MFNX MFN - Metromedia Fiber Network 18 - AS8151 10399 0.4% 12.5 -- Uninet S.A. de C.V. 19 - AS668 9885 0.3% 39.5 -- ASN-ASNET-NET-AS - Defense Research and Engineering Network 20 - AS11486 9818 0.3% 34.8 -- WAN - Worldcom Advance Networks TOP 20 Unstable Origin AS (Updates per announced prefix) Rank ASN Upds % Upds/Pfx AS-Name 1 - AS35489 3553 0.1% 3553.0 -- TOTO-TECH-AS Toto Ltd. 2 - AS4809 5390 0.2% 2695.0 -- CHINANET-CORE-WAN-CENTRAL CHINANET core WAN Central 3 - AS31594 1395 0.1% 1395.0 -- FORTESS-AS Fortess LLC Network 4 - AS9945 1063 0.0% 1063.0 -- KCACBACKUP-AS-KR Korea Information Security Agency 5 - AS10100 4024 0.1% 1006.0 -- ASN-AP-UBSW # AS-AP-UBSW CONVERTED TO ASN-AP-UBSW FOR RPSL COMPLIANCE UBS Warburg Autonomous System Asia-Pacific 6 - AS34378 947 0.0% 947.0 -- RUG-AS Razguliay-UKRROS Group 7 - AS39250 1890 0.1% 945.0 -- COLOPROVIDER-AS Colo Provider 8 - AS12922 662 0.0% 662.0 -- MULTITRADE-AS Bank Outsourcer 9 - AS3043 3286 0.1% 657.2 -- AMPHIB-AS - Amphibian Media Corporation 10 - AS14699 6122 0.2% 612.2 -- BTCBCI - Bloomingdale Communications Inc 11 - AS27407 604 0.0% 604.0 -- FRISCHS-INC - Frisch's Restaurants, Inc. 12 - AS4678 5817 0.2% 581.7 -- FINE CANON NETWORK COMMUNICATIONS INC. 13 - AS32937 1154 0.0% 577.0 -- CAC-FOR-THE-DEAF-AND-HARD-OF-HEARING - Communication Access Center for the Deaf and Hard of Hearing, Inc. 14 - AS21391 1680 0.1% 560.0 -- TDA-AS TDA AS Maintainer 15 - AS38197 1960 0.1% 490.0 -- SUNHK-DATA-AS-AP Sun Network (Hong Kong) Limited 16 - AS27731 473 0.0% 473.0 -- ACH Colombia 17 - AS33188 927 0.0% 463.5 -- SCS-NETWORK-1 - Sono Corporate Suites 18 - AS31414 458 0.0% 458.0 -- SEVENCS-AS SevenCs AG & Co.KG 19 - AS23734 857 0.0% 428.5 -- ONE-NORTH-AS-AP ONE-NORTH 20 - AS12497 2541 0.1% 423.5 -- SANET-GE SANET NETWORK (AS) TOP 20 Unstable Prefixes Rank Prefix Upds % Origin AS -- AS Name 1 - 61.0.0.0/8 4305 0.1% AS4678 -- FINE CANON NETWORK COMMUNICATIONS INC. 2 - 222.127.32.0/19 4064 0.1% AS4775 -- GLOBE-TELECOM-AS Telecom Carrier / ISP Plus + 3 - 147.60.0.0/16 4003 0.1% AS10100 -- ASN-AP-UBSW # AS-AP-UBSW CONVERTED TO ASN-AP-UBSW FOR RPSL COMPLIANCE UBS Warburg Autonomous System Asia-Pacific 4 - 62.213.176.0/23 3553 0.1% AS35489 -- TOTO-TECH-AS Toto Ltd. 5 - 209.140.24.0/24 3235 0.1% AS3043 -- AMPHIB-AS - Amphibian Media Corporation 6 - 59.37.2.0/23 2758 0.1% AS4809 -- CHINANET-CORE-WAN-CENTRAL CHINANET core WAN Central 7 - 58.49.108.0/24 2632 0.1% AS4809 -- CHINANET-CORE-WAN-CENTRAL CHINANET core WAN Central 8 - 170.210.128.0/21 2049 0.1% AS4270 -- Red de Interconexion Universitaria 9 - 216.32.206.0/24 1996 0.1% AS20473 -- AS-CHOOPA - Choopa, LLC 10 - 210.56.52.0/24 1854 0.1% AS38197 -- SUNHK-DATA-AS-AP Sun Network (Hong Kong) Limited 11 - 83.98.220.0/23 1823 0.1% AS39250 -- COLOPROVIDER-AS Colo Provider 12 - 194.242.124.0/22 1395 0.0% AS31594 -- FORTESS-AS Fortess LLC Network 13 - 138.187.128.0/18 1276 0.0% AS3303 -- SWISSCOM Swisscom Solutions Ltd 14 - 209.69.212.0/22 1275 0.0% AS11574 -- AVALONSYS - Avalon Systems, Inc. 15 - 143.81.0.0/21 1149 0.0% AS6034 -- DDN-ASNBLK - DoD Network Information Center 16 - 89.4.130.0/24 1086 0.0% AS24731 -- ASN-NESMA National Engineering Services and Marketing Company Ltd. (NESMA) 17 - 221.143.13.0/24 1063 0.0% AS9945 -- KCACBACKUP-AS-KR Korea Information Security Agency 18 - 146.222.45.0/24 1031 0.0% AS703 -- UNSPECIFIED UUNET 19 - 146.222.69.0/24 1028 0.0% AS703 -- UNSPECIFIED UUNET 20 - 194.42.208.0/20 987 0.0% AS705 -- UUNET - MCI Communications Services, Inc. d/b/a Verizon Business Details at http://bgpupdates.potaroo.net ------------------------------------ Copies of this report are mailed to: nanog(a)merit.edu eof-list(a)ripe.net apops(a)apops.net routing-wg(a)ripe.net afnog(a)afnog.org ausnog(a)ausnog.net

1 0

The Cidr Report
by cidr-report＠potaroo.net 12 Jan '07

12 Jan '07

This report has been generated at Fri Jan 12 21:45:54 2007 AEST. The report analyses the BGP Routing Table of an AS4637 (Reach) router and generates a report on aggregation potential within the table. Check http://www.cidr-report.org/as4637 for a current version of this report. Recent Table History Date Prefixes CIDR Agg 05-01-07 203862 133004 06-01-07 204012 133074 07-01-07 203992 133133 08-01-07 204055 133297 09-01-07 204137 133361 10-01-07 204234 133138 11-01-07 204266 133090 12-01-07 204271 133169 AS Summary 24021 Number of ASes in routing system 10158 Number of ASes announcing only one prefix 1522 Largest number of prefixes announced by an AS AS7018 : ATT-INTERNET4 - AT&T WorldNet Services 90820096 Largest address span announced by an AS (/32s) AS721 : DISA-ASNBLK - DoD Network Information Center Aggregation Summary The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes'). --- 12Jan07 --- ASnum NetsNow NetsAggr NetGain % Gain Description Table 204425 133198 71227 34.8% All ASes AS4134 1233 297 936 75.9% CHINANET-BACKBONE No.31,Jin-rong Street AS18566 984 106 878 89.2% COVAD - Covad Communications Co. AS4755 1044 172 872 83.5% VSNL-AS Videsh Sanchar Nigam Ltd. Autonomous System AS9498 919 90 829 90.2% BBIL-AP BHARTI BT INTERNET LTD. AS4323 1060 304 756 71.3% TWTC - Time Warner Telecom, Inc. AS22773 712 47 665 93.4% CCINET-2 - Cox Communications Inc. AS11492 908 328 580 63.9% CABLEONE - CABLE ONE AS19262 757 183 574 75.8% VZGNI-TRANSIT - Verizon Internet Services Inc. AS7018 1522 990 532 35.0% ATT-INTERNET4 - AT&T WorldNet Services AS6197 1022 508 514 50.3% BATI-ATL - BellSouth Network Solutions, Inc AS17488 567 56 511 90.1% HATHWAY-NET-AP Hathway IP Over Cable Internet AS19916 567 70 497 87.7% ASTRUM-0001 - OLM LLC AS18101 499 32 467 93.6% RIL-IDC Reliance Infocom Ltd Internet Data Centre, AS721 747 295 452 60.5% DISA-ASNBLK - DoD Network Information Center AS17676 503 66 437 86.9% JPNIC-JP-ASN-BLOCK Japan Network Information Center AS15270 494 80 414 83.8% AS-PAETEC-NET - PaeTec.net -a division of PaeTecCommunications, Inc. AS4766 724 317 407 56.2% KIXS-AS-KR Korea Telecom AS9583 1023 618 405 39.6% SIFY-AS-IN Sify Limited AS8151 827 442 385 46.6% Uninet S.A. de C.V. AS2386 1104 735 369 33.4% INS-AS - AT&T Data Communications Services AS6467 415 51 364 87.7% ESPIRECOMM - Xspedius Communications Co. AS4812 429 69 360 83.9% CHINANET-SH-AP China Telecom (Group) AS3602 514 186 328 63.8% AS3602-RTI - Rogers Telecom Inc. AS16852 390 66 324 83.1% BROADWING-FOCAL - Broadwing Communications, Inc. AS33588 422 120 302 71.6% BRESNAN-AS - Bresnan Communications, LLC. AS6198 552 263 289 52.4% BATI-MIA - BellSouth Network Solutions, Inc AS6517 401 115 286 71.3% YIPESCOM - Yipes Communications, Inc. AS14654 304 32 272 89.5% WAYPORT - Wayport AS10139 303 33 270 89.1% SMARTBRO-PH-AP Smart Broadband, Inc. AS22047 307 38 269 87.6% VTR BANDA ANCHA S.A. Total 21253 6709 14544 68.4% Top 30 total Possible Bogus Routes 24.246.0.0/17 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 24.246.128.0/18 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 61.4.64.0/20 AS9929 CNCNET-CN China Netcom Corp. 64.7.112.0/21 AS13511 ITXC - ITXC 64.7.120.0/21 AS13537 ITXC-2 - ITXC 64.7.240.0/20 AS3602 AS3602-RTI - Rogers Telecom Inc. 64.13.192.0/18 AS31815 MEDIATEMPLE - Media Temple, Inc. 64.17.32.0/24 AS13488 CBWU-13488 - Continental Broadband Florida, Inc DBA WebUnited 64.17.33.0/24 AS13488 CBWU-13488 - Continental Broadband Florida, Inc DBA WebUnited 64.17.37.0/24 AS13488 CBWU-13488 - Continental Broadband Florida, Inc DBA WebUnited 64.46.96.0/20 AS13680 AS13680 Hostway Corporation Tampa, FL 64.46.112.0/20 AS13680 AS13680 Hostway Corporation Tampa, FL 64.79.64.0/19 AS10789 BIGNET-AS - The Bignet 64.79.86.0/24 AS10789 BIGNET-AS - The Bignet 64.79.87.0/24 AS10789 BIGNET-AS - The Bignet 64.79.88.0/24 AS10789 BIGNET-AS - The Bignet 64.79.89.0/24 AS10789 BIGNET-AS - The Bignet 64.79.90.0/24 AS10789 BIGNET-AS - The Bignet 64.79.96.0/20 AS10789 BIGNET-AS - The Bignet 64.89.224.0/20 AS15276 MAX-LV - Intuitive Logic 64.89.224.0/24 AS15276 MAX-LV - Intuitive Logic 64.89.225.0/24 AS15276 MAX-LV - Intuitive Logic 64.89.226.0/24 AS15276 MAX-LV - Intuitive Logic 64.89.232.0/24 AS15276 MAX-LV - Intuitive Logic 64.89.239.0/24 AS15276 MAX-LV - Intuitive Logic 64.250.128.0/18 AS10789 BIGNET-AS - The Bignet 65.60.45.0/24 AS32311 JKS-ASN - JKS Media, LLC 66.11.32.0/20 AS6261 VISINET - Visionary Systems, Inc. 66.37.96.0/20 AS3764 IA-HOU-AS - Internet America, Inc. 66.163.96.0/20 AS25767 WAVEFORM - Waveform Technology, LLC 66.235.158.0/23 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 69.36.128.0/20 AS16527 GVTCINTERNET - Guadalupe Valley Telephone Co-op, Inc. 69.36.192.0/20 AS29804 INTEGRATIX - Integratix Inc. 69.55.108.0/24 AS4977 NET1 - Pecos Technologies 72.9.128.0/20 AS27572 THEBOE-27572 - The Boeing Company 72.9.130.0/24 AS29904 THEBOE-29904 - The Boeing Company 78.192.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 78.255.248.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 79.192.0.0/16 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 79.255.248.0/21 AS12654 RIPE-NCC-RIS-AS RIPE NCC RIS project 125.213.0.0/16 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street 128.209.0.0/16 AS4017 BELLST - Bell Atlantic Science & Technology 131.64.0.0/12 AS721 DISA-ASNBLK - DoD Network Information Center 132.0.0.0/10 AS721 DISA-ASNBLK - DoD Network Information Center 137.0.0.0/13 AS721 DISA-ASNBLK - DoD Network Information Center 138.136.0.0/13 AS721 DISA-ASNBLK - DoD Network Information Center 139.56.0.0/19 AS14956 BROADVISION-ASN - Broadvision Inc. 139.56.72.0/23 AS702 AS702 MCI EMEA - Commercial IP service provider in Europe 151.135.0.0/16 AS4763 TELSTRANZ-AS TelstraClear Ltd 158.0.0.0/13 AS721 DISA-ASNBLK - DoD Network Information Center 159.3.211.0/24 AS2687 ATT-ASIAPACIFIC AT&T Global Network Services - EMEA 159.220.0.0/22 AS16050 REUTERS-DOCKLANDS-RES-AS Reuters Docklands resiliancy 159.220.4.0/22 AS16050 REUTERS-DOCKLANDS-RES-AS Reuters Docklands resiliancy 159.220.4.0/24 AS16050 REUTERS-DOCKLANDS-RES-AS Reuters Docklands resiliancy 159.220.8.0/22 AS35528 REUTERS-UK2-AS Reuters-UK2 159.220.40.0/24 AS1787 REUTERS-AMERICA-ISP-CELL-AS - Reuters America Inc. 159.220.41.0/24 AS1787 REUTERS-AMERICA-ISP-CELL-AS - Reuters America Inc. 159.220.42.0/24 AS1787 REUTERS-AMERICA-ISP-CELL-AS - Reuters America Inc. 159.220.43.0/24 AS1787 REUTERS-AMERICA-ISP-CELL-AS - Reuters America Inc. 159.220.64.0/23 AS24977 MONEYLINE-UK Moneyline Telerate 162.54.122.0/24 AS5400 BT BT European Backbone 163.142.0.0/16 AS2500 JPNIC-ASBLOCK-AP JPNIC 190.54.0.0/16 AS6429 Core Internet AT&T Chile 192.30.93.0/24 AS17757 HPAUS-AP HP Australia 192.30.94.0/24 AS17757 HPAUS-AP HP Australia 192.40.105.0/24 AS12582 TSF-DATANET-NGD-AS TSF MPLS VPN Services 192.69.107.0/24 AS5515 SONERA-GLOBAL-IP Sonera Solution Autonomous System 192.69.108.0/24 AS5515 SONERA-GLOBAL-IP Sonera Solution Autonomous System 192.69.177.0/24 AS5515 SONERA-GLOBAL-IP Sonera Solution Autonomous System 192.70.164.0/24 AS25689 NRCNET-AS - National Research Council of Canada 192.81.160.0/24 AS719 ELISA-AS Elisa Oyj 192.81.182.0/24 AS719 ELISA-AS Elisa Oyj 192.81.183.0/24 AS719 ELISA-AS Elisa Oyj 192.81.184.0/24 AS719 ELISA-AS Elisa Oyj 192.88.99.0/24 AS29259 DE-IABG-TELEPORT IABG Teleport, DE 192.96.36.0/24 AS5713 SAIX-NET 192.96.37.0/24 AS10474 NETACTIVE 192.96.135.0/24 AS2018 TENET-1 192.96.136.0/23 AS2018 TENET-1 192.96.140.0/24 AS2018 TENET-1 192.96.143.0/24 AS2018 TENET-1 192.96.145.0/24 AS2018 TENET-1 192.96.177.0/24 AS6083 POSIX-AFRICA 192.96.250.0/24 AS2018 TENET-1 192.107.104.0/24 AS7137 TELEMATIX/ ENITEL 192.124.252.0/22 AS680 DFN-IP service G-WiN 192.133.6.0/24 AS10282 EQUANT-CEEUR EQUANT AS for Central and Eastern Europe region 192.139.3.0/24 AS23184 PERSONA - PERSONA COMMUNICATIONS INC. 192.153.144.0/21 AS721 DISA-ASNBLK - DoD Network Information Center 192.172.0.0/19 AS721 DISA-ASNBLK - DoD Network Information Center 192.188.208.0/20 AS721 DISA-ASNBLK - DoD Network Information Center 192.245.235.0/24 AS29748 CARPATHIA-HOSTING - Carpathia Hosting 193.43.228.0/22 AS8757 ACCESS11 Access 11 Ltd. (UK) 194.31.227.0/24 AS21461 TRANSFAIRNET Transfair-net GmbH Krefeld 194.59.176.0/20 AS1273 CW Cable & Wireless 194.246.72.0/23 AS8893 ARTFILES-AS Artfiles New Media GmbH 195.35.104.0/24 AS12445 SPIDERNET-AS Selene s.p.a. 196.6.108.0/24 AS5713 SAIX-NET 196.6.175.0/24 AS3741 IS 196.6.176.0/23 AS3741 IS 196.6.183.0/24 AS3741 IS 196.6.196.0/24 AS3741 IS 196.6.199.0/24 AS3741 IS 196.6.208.0/24 AS3741 IS 196.6.211.0/24 AS3741 IS 196.6.212.0/23 AS3741 IS 196.6.212.0/24 AS3741 IS 196.6.222.0/23 AS3741 IS 196.6.237.0/24 AS3741 IS 196.10.119.0/24 AS2018 TENET-1 196.10.122.0/23 AS2018 TENET-1 196.10.136.0/22 AS3741 IS 196.10.140.0/22 AS3741 IS 196.10.231.0/24 AS3741 IS 196.10.251.0/24 AS2018 TENET-1 196.10.252.0/23 AS2018 TENET-1 196.10.254.0/24 AS2018 TENET-1 196.11.0.0/20 AS3741 IS 196.11.40.0/21 AS3741 IS 196.11.135.0/24 AS3741 IS 196.11.188.0/23 AS3741 IS 196.11.190.0/24 AS3741 IS 196.11.251.0/24 AS3741 IS 196.13.101.0/24 AS2018 TENET-1 196.13.102.0/23 AS2018 TENET-1 196.13.104.0/24 AS2018 TENET-1 196.13.108.0/24 AS3741 IS 196.13.116.0/22 AS2018 TENET-1 196.13.121.0/24 AS2018 TENET-1 196.13.125.0/24 AS2018 TENET-1 196.13.126.0/24 AS2018 TENET-1 196.13.128.0/22 AS3741 IS 196.13.144.0/22 AS2905 TICSA-ASN 196.13.152.0/21 AS2905 TICSA-ASN 196.13.160.0/24 AS2905 TICSA-ASN 196.13.169.0/24 AS2018 TENET-1 196.13.174.0/23 AS2018 TENET-1 196.13.176.0/21 AS2018 TENET-1 196.13.188.0/22 AS2018 TENET-1 196.13.192.0/22 AS2018 TENET-1 196.13.196.0/24 AS2018 TENET-1 198.23.26.0/24 AS4390 BELLATLANTIC-COM - Bell Atlantic, Inc. 198.54.82.0/24 AS2018 TENET-1 198.54.92.0/24 AS2018 TENET-1 198.54.222.0/24 AS2018 TENET-1 198.54.249.0/24 AS2018 TENET-1 198.54.250.0/24 AS2018 TENET-1 198.54.251.0/24 AS2018 TENET-1 198.97.72.0/21 AS721 DISA-ASNBLK - DoD Network Information Center 198.97.80.0/20 AS721 DISA-ASNBLK - DoD Network Information Center 198.97.96.0/19 AS721 DISA-ASNBLK - DoD Network Information Center 198.97.240.0/20 AS721 DISA-ASNBLK - DoD Network Information Center 198.161.87.0/24 AS6539 GT-BELL - Bell Canada 198.163.155.0/24 AS684 MTSAL-ASN - MTS Allstream Inc. 198.167.0.0/16 AS7456 INTERHOP - Interhop Network SERVICES Inc. 198.168.0.0/16 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 198.169.0.0/16 AS803 SASKTEL - SaskTel 199.9.128.0/17 AS668 ASN-ASNET-NET-AS - Defense Research and Engineering Network 199.10.0.0/16 AS721 DISA-ASNBLK - DoD Network Information Center 199.60.0.0/20 AS271 BCNET-AS - University of British Columbia 199.114.0.0/21 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.128.0/18 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.130.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.132.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.134.0/24 AS3541 ITSDN-U4 - DISA/UNRRA 199.114.136.0/24 AS27044 DDN-ASNBLK1 - DoD Network Information Center 199.114.138.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.140.0/24 AS3544 ITSDN-U7 - DISA/UNRRA 199.114.142.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.144.0/24 AS27064 DDN-ASNBLK1 - DoD Network Information Center 199.114.148.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.150.0/24 AS721 DISA-ASNBLK - DoD Network Information Center 199.114.152.0/24 AS27033 DDN-ASNBLK1 - DoD Network Information Center 199.114.153.0/24 AS27034 DDN-ASNBLK1 - DoD Network Information Center 199.114.154.0/24 AS1733 CENTAF-SWA - AF DDN PMO 199.114.160.0/24 AS1733 CENTAF-SWA - AF DDN PMO 199.121.0.0/16 AS721 DISA-ASNBLK - DoD Network Information Center 199.123.0.0/18 AS721 DISA-ASNBLK - DoD Network Information Center 199.123.16.0/20 AS721 DISA-ASNBLK - DoD Network Information Center 199.123.80.0/21 AS721 DISA-ASNBLK - DoD Network Information Center 199.175.64.0/19 AS6539 GT-BELL - Bell Canada 199.189.32.0/19 AS7332 IQUEST-AS - IQuest Internet 199.202.0.0/16 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 199.246.116.0/24 AS813 UUNET-CANADA - MCI Communications Services, Inc. d/b/a Verizon Business 202.4.160.0/24 AS9498 BBIL-AP BHARTI BT INTERNET LTD. 202.4.161.0/24 AS9498 BBIL-AP BHARTI BT INTERNET LTD. 202.4.162.0/24 AS9498 BBIL-AP BHARTI BT INTERNET LTD. 202.9.64.0/19 AS9290 TPN-AS-AP Smart Global Network (M) Sdn Bhd 202.58.113.0/24 AS19161 INNOCOM-TELECOM - INNOCOM TELECOM 202.58.224.0/19 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.224.0/20 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.240.0/20 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.240.0/24 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.244.0/24 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.249.0/24 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.250.0/24 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.58.253.0/24 AS17925 WAVENET WAVENET PHILIPPINES INC. 202.86.252.0/22 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.253.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.254.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.86.255.0/24 AS9304 HUTCHISON-AS-AP Hutchison Global Communications 202.90.33.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.90.40.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.90.41.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.90.42.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.90.43.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.90.44.0/24 AS9830 SWIFTONLINE-AS-AP SWIFT ONLINE BORDER AS 202.94.70.0/24 AS9837 POWERTEL-AP Powertel Ltd 202.124.192.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.193.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.194.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.195.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.196.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.197.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.198.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.199.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.200.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.201.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.202.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.203.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.204.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.205.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.206.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.124.207.0/24 AS17557 PKTELECOM-AS-AP Pakistan Telecom 202.125.96.0/20 AS7693 COMNET-TH KSC Commercial Internet Co. Ltd. 202.136.254.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.136.255.0/24 AS4808 CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network 202.148.32.0/20 AS17495 GATEWAY-AP BROADBAND WIRELESSS INTERNET SERVICE PROVIDER 202.164.100.0/24 AS18101 RIL-IDC Reliance Infocom Ltd Internet Data Centre, 202.182.32.0/22 AS10223 UECOMM-AU Uecomm Ltd 203.13.171.0/24 AS1221 ASN-TELSTRA Telstra Pty Ltd 203.62.0.0/17 AS7575 AARNET-AS-AP Australian Academic and Reasearch Network (AARNet) 203.78.48.0/20 AS9299 IPG-AS-AP Philippine Long Distance Telephone Company 203.80.32.0/20 AS4817 DESTRA-AU-AP Destra Corporation 203.89.139.0/24 AS17911 BRAINPK-AS-AP Brain Telecommunication Ltd. 203.111.192.0/20 AS7473 SINGTEL-AS-AP Singapore Telecom 203.128.128.0/19 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street 203.152.136.0/23 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport 203.152.138.0/23 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport 203.152.142.0/24 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport 203.152.143.0/24 AS23649 NEWSKIES-AS-AP New Skies Satellites, Hong Kong Teleport 203.160.104.0/22 AS23914 OCI-AS-VN One-Connection Internet Company 203.160.110.0/23 AS7643 VNN-AS-AP Vietnam Posts and Telecommunications (VNPT) 204.29.196.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 204.29.197.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 204.48.58.0/24 AS4323 TWTC - Time Warner Telecom, Inc. 204.48.60.0/24 AS4323 TWTC - Time Warner Telecom, Inc. 204.153.68.0/24 AS4017 BELLST - Bell Atlantic Science & Technology 204.153.71.0/24 AS4017 BELLST - Bell Atlantic Science & Technology 204.153.104.0/24 AS10913 INTERNAP-BLK - Internap Network Services 204.154.125.0/24 AS3952 TELLABS-ASN - TELLABS Operations, Inc. 204.154.126.0/24 AS3952 TELLABS-ASN - TELLABS Operations, Inc. 204.154.127.0/24 AS3952 TELLABS-ASN - TELLABS Operations, Inc. 205.143.144.0/21 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 205.150.0.0/15 AS701 UUNET - MCI Communications Services, Inc. d/b/a Verizon Business 206.128.104.0/21 AS11709 VIC - VIRTUAL INTERACTIVE CENTER 207.7.64.0/19 AS14093 ITRIBE - iTRiBE, Inc. 207.189.62.0/23 AS7132 SBIS-AS - SBC Internet Services 207.191.224.0/23 AS2828 XO-AS15 - XO Communications 207.191.232.0/21 AS2828 XO-AS15 - XO Communications 207.231.96.0/19 AS11194 NUNETPA - NuNet Inc 207.246.192.0/20 AS5656 ACCESSUS-DOM - accessU.S./BASENet 209.105.224.0/19 AS20074 KNOWLEDGENET - KNOWLEDGENET 209.159.128.0/19 AS209 ASN-QWEST - Qwest 209.177.64.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.177.65.0/24 AS8088 SRTNET - SRT ENTERPRISES 209.177.66.0/23 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.177.68.0/23 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.177.70.0/24 AS19159 STING - Sting Communications 209.177.89.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.177.93.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.177.94.0/24 AS6461 MFNX MFN - Metromedia Fiber Network 209.177.95.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 209.205.81.0/24 AS15066 SkyNet de Colombia S.A. 209.205.82.0/24 AS15066 SkyNet de Colombia S.A. 209.205.84.0/24 AS15066 SkyNet de Colombia S.A. 209.212.128.0/19 AS7453 GTINET - Gateway Telecommunications, Inc. 210.5.128.0/20 AS4837 CHINA169-BACKBONE CNCGROUP China169 Backbone 216.21.1.0/24 AS11652 DATATONE - Datatone Communications Inc 216.21.6.0/24 AS11652 DATATONE - Datatone Communications Inc 216.21.7.0/24 AS11652 DATATONE - Datatone Communications Inc 216.21.15.0/24 AS11652 DATATONE - Datatone Communications Inc 216.21.17.0/24 AS11652 DATATONE - Datatone Communications Inc 216.65.160.0/19 AS7770 TRITON - Triton Technologies, Inc. 216.71.224.0/20 AS23527 COTELLIGENCE - Cotelligence, Inc. 216.201.72.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.73.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.74.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.75.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.76.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.77.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.78.0/24 AS14709 Telefonica Moviles Panama S.A. 216.201.79.0/24 AS14709 Telefonica Moviles Panama S.A. 216.230.224.0/20 AS15270 AS-PAETEC-NET - PaeTec.net -a division of PaeTecCommunications, Inc. 216.240.240.0/20 AS7018 ATT-INTERNET4 - AT&T WorldNet Services 216.240.242.0/24 AS7018 ATT-INTERNET4 - AT&T WorldNet Services Please see http://www.cidr-report.org for the full report ------------------------------------ Copies of this report are mailed to: nanog(a)merit.edu eof-list(a)ripe.net apops(a)apops.net routing-wg(a)ripe.net afnog(a)afnog.org ausnog(a)ausnog.net

1 0

Web Honeynet Project: announcement, exploit URLs this Wednesday
by Gadi Evron 12 Jan '07

12 Jan '07

[ Warning: this email message includes links to live web server malware propagated this Wednesday via file inclusions exploits. These links are not safe! ] Hello. The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will in the next few months announce research on real-world web server attacks which infect web servers with: Tools, connect-back shells, bots, downloaders, malware, etc. which are all cross-platform (for web servers) and currently exploited in the wild. The Web Honeynet Project will, for now, not deal with the regular SQL injection and XSS attacks every web security expert loves so much, but just with malware and code execution attacks on web servers and hosting farms. These attacks form botnets constructed from web servers (mainly IIS and Apache on Linux and Windows servers) and transform hosting farms/colos to attack platforms. Most of these "tools" are being injected by (mainly) file inclusion attacks against (mainly) PHP web applications, as is well known and established. PHP (or scripting) shells, etc. have been known for a while, as well as file inclusion (or RFI) attacks, however, mostly as something secondary and not much (if any - save for some blogs and a few mailing list posts a year ago) attention was given to the subject other than to the vulnerabilities themselves. The bad guys currently exploit, create botnets and deface in a massive fashion and force ISPs and colos to combat an impossible situation where any (mainly) PHP application from any user can exploit entire server farms, and where the web vulnerability serves as a remote exploit to be followed by a local code execution one, or as a direct one. What is new here is the scale, and the fact we now start engaging the bad guys on this front (which so far, they have been unchallenged on) - meaning aside for research, the Web Honeynet Project will also release actionable data on offensive IP addresses, URLs and on the tools themselves to be made available to operational folks, so that they can mitigate the threat. It's long overdue that we start the escalation war with web server attackers, much like we did with spam and botnets, etc. years ago. Several folks (and quite loudly - me) have been warning about this for a while, not it's time to take action instead of talk. :) Note: Below you can find sample statistics on some of the Web Honeynet Project information for this last Wednesday, on file inclusion attacks seeding malware. You will likely notice most of these have been taken care of by now. The first research on the subject (after looking into several hundred such tools) will be made public in the February edition of the Virus Bulletin magazine, from: Kfir Damari, Noam Rathaus and Gadi Evron (yours truly). The SecuriTeam and ISOTF Web Honeynet Project would like to thank Beyond Security ( http://www.beyondsecurity.com ) for all the support. Special thanks (so far) to: Ryan Carter, Randy Vaughn and the rest of the new members of the project. For more information on the Web Honeynet Project feel free to contact me. Also, thanks for yet others who helped me form this research and operations hybrid project (you know who you are). Gadi. Sample report and statistics (for Wednesday the 10th of January, 2007): IP | Hit Count | Malware (Count), ... | 195.225.130.118 | 12 | http://m embers.lycos.co.uk/onuhack/cmd1.do? (4), http://m embers.lycos.co.uk/onuhack/injek.txt? (6), http://m embers.lycos.co.uk/onuhack/cmd.do? (2), 69.93.147.242 | 11 | http://w ww.clubmusic.caucasus.net/administrator/cmd.gif? (1), http://c lubmusic.caucasus.net/administrator/cmd.gif? (4), http://w ww.ucanartists.org/components/com_extcalendar/cmd.gif? (5), http://t bchat.caucasus.net/cmd.gif? (1), 216.22.3.11 | 8 | http://h eidi.by.ru/cmdi.txt? (7), http://h eidiz.by.ru/cmdi.txt? (1), 62.149.36.116 | 8 | http://w ww.fc-magdeburg.de/jscripts/tiny_mce/plugins/pic.gif?? (3), http://w ww.discoverchimpanzees.org/blog/sendit.jpg?? (2), http://u bk.no-ip.biz/shine.jpg?? (1), http://w ww.sle.br/polvo2/script/ftv3doc.gif?? (1), http://w ww.sle.br/polvo2/css/css.gif?? (1), 85.25.148.178 | 7 | h ttp://213.133.108.122/alex.gif? (1), http://c lubmusic.caucasus.net/Administrator/cmd.gif? (5), http://w ww.ucanartists.org/components/com_extcalendar/cmd.gif? (1), 69.13.6.170 | 7 | http://c ajem.by.ru/cmd.gif? (3), http://k ama.opensolarisproject.com/phpBB2/files/cmd.gif? (1), http://s upsup.by.ru/cmd.gif? (2), http://w ww.bhlynx.org/htdig/sad.gif? (1), 201.63.179.122 | 7 | http://d arkhand.netfast.org/list.txt??? (2), http://w ww.locman.net/Guide/vkod/list.txt?? (3), http://g odarmy.net/cmd.txt?? (1), http://c hapolin.by.ru/cmds/list.txt? (1), 219.67.171.131 | 7 | http://i ntra/ (7), 193.39.119.174 | 6 | http://w ww.sirmet.it/pronti/cmd.txt?? (1), http://w ww.overclockers.pl/images/r57.gif? (1), http://w ww.rldiseno.com/administrator/components/com_remository/morgancmd.gif? (1), http://v irtual.uarg.unpa.edu.ar/myftp/list.txt? (1), http://w ww.sirmet.it/pronti/cmd.txt? (1), http://v irtual.uarg.unpa.edu.ar/myftp/list.txt?? (1), 80.74.142.173 | 6 | http://7 2.232.231.10/~superbr/tk.txt?? (1), http://t hebesthack.altervista.org/soka.txt? (2), http://m rmorte.by.ru/r57.swf?&add=bot (1), http://w ww.bhlynx.org/htdig/UPLOADING/full.gif? (2), Statistics: IP Count (Unique): 11 Hit Count: 79 (from same IP: 86.08%) Malware | Hit Count | IPs (Count), ... | cmd.gif | 279 | 69.93.147.242 (11), 85.25.148.178 (6), 69.13.6.170 (6), 211.174.52.20 (4), 205.234.146.49 (4), 85.25.7.109 (3), 201.9.252.67 (3), 204.157.9.185 (3), 216.46.205.101 (3), 70.86.237.202 (3), 66.228.211.16 (3), 206.225.82.46 (3), 213.192.241.44 (3), 82.208.181.122 (2), 64.34.203.104 (2), 216.104.149.111 (2), 201.19.41.223 (2), 140.138.2.234 (2), 82.194.78.30 (2), 151.8.228.196 (2), 82.194.70.92 (2), 66.111.45.130 (2), 202.8.87.197 (2), 194.30.160.101 (2), 83.149.84.184 (2), 83.65.141.130 (2), 70.84.49.42 (2), 203.146.247.79 (2), 212.34.138.206 (2), 72.22.90.219 (2), 216.16.246.240 (2), 195.214.44.149 (2), 193.84.250.29 (2), 130.94.69.17 (2), 216.174.97.241 (2), 202.5.195.7 (2), 201.9.216.138 (2), 62.149.140.17 (2), 213.202.247.177 (2), 66.249.137.127 (2), 69.31.45.194 (2), 65.98.67.250 (2), 200.32.5.203 (2), 62.152.64.210 (2), 81.169.155.146 (2), 62.75.247.5 (2), 201.50.166.11 (2), 62.103.159.219 (1), 82.165.181.50 (1), 201.19.27.135 (1), 200.62.64.1 (1), 84.191.92.243 (1), 72.21.56.226 (1), 193.93.22.78 (1), 65.111.169.4 (1), 205.234.105.84 (1), 81.169.176.252 (1), 208.53.170.148 (1), 87.253.128.30 (1), 148.244.125.3 (1), 216.22.24.29 (1), 216.237.124.82 (1), 82.79.190.155 (1), 216.55.155.27 (1), 69.64.34.14 (1), 193.189.139.51 (1), 62.149.36.24 (1), 62.193.237.34 (1), 212.227.127.183 (1), 203.22.204.167 (1), 201.19.33.183 (1), 202.75.40.172 (1), 62.213.96.213 (1), 69.26.178.141 (1), 66.62.91.188 (1), 65.98.24.42 (1), 62.90.247.53 (1), 213.190.10.170 (1), 195.225.196.213 (1), 81.33.30.22 (1), 202.75.48.81 (1), 201.27.130.105 (1), 80.86.83.26 (1), 201.8.170.227 (1), 195.117.34.114 (1), 209.200.229.90 (1), 204.157.11.179 (1), 203.150.230.119 (1), 194.135.81.25 (1), 213.171.206.174 (1), 69.9.37.130 (1), 201.19.41.150 (1), 201.238.227.107 (1), 72.36.228.18 (1), 80.32.187.191 (1), 205.234.190.102 (1), 203.130.242.71 (1), 193.165.77.26 (1), 172.178.51.210 (1), 200.42.92.84 (1), 65.110.9.76 (1), 62.193.238.124 (1), 84.19.176.212 (1), 85.13.128.214 (1), 66.199.183.131 (1), 217.156.103.28 (1), 212.227.127.159 (1), 64.239.45.44 (1), 70.84.183.130 (1), 70.84.178.34 (1), 83.243.43.98 (1), 189.141.43.211 (1), 65.254.50.114 (1), 70.85.230.210 (1), 85.25.134.185 (1), 64.66.120.30 (1), 216.32.67.66 (1), 195.140.142.111 (1), 200.217.200.13 (1), 80.190.243.85 (1), 200.21.85.98 (1), 201.9.214.114 (1), 194.177.128.241 (1), 201.19.41.112 (1), 82.192.67.66 (1), 81.169.177.159 (1), 208.53.170.15 (1), 72.29.93.179 (1), 64.118.85.15 (1), 61.64.159.247 (1), 213.188.35.62 (1), 72.36.229.154 (1), 193.238.106.20 (1), 198.173.64.81 (1), 62.193.238.72 (1), 203.162.202.137 (1), 208.49.83.50 (1), 82.150.135.90 (1), 201.9.192.32 (1), 204.157.10.95 (1), 70.84.86.122 (1), 85.221.229.18 (1), 81.88.17.101 (1), 209.112.56.11 (1), 67.19.48.116 (1), 193.109.252.107 (1), 205.234.252.143 (1), 65.254.139.52 (1), 62.75.177.72 (1), 82.165.177.145 (1), 201.19.24.185 (1), 8.6.223.5 (1), 213.115.183.36 (1), 205.205.189.1 (1), 212.227.119.154 (1), 85.12.17.242 (1), 212.204.213.31 (1), 212.97.96.139 (1), 195.34.78.100 (1), 201.19.43.137 (1), 62.193.228.59 (1), 66.232.114.230 (1), 216.193.201.201 (1), 200.101.93.29 (1), 69.56.245.170 (1), 66.201.119.2 (1), 81.182.246.8 (1), 194.145.200.200 (1), 202.188.124.52 (1), 62.193.216.17 (1), 213.251.172.103 (1), 66.36.240.45 (1), 217.160.226.5 (1), 212.241.192.85 (1), 65.19.139.183 (1), 69.73.175.50 (1), 193.138.206.126 (1), 74.52.220.58 (1), 66.226.74.90 (1), 72.232.9.238 (1), 83.143.85.50 (1), 64.76.24.214 (1), 202.158.89.67 (1), 12.6.95.21 (1), 217.160.226.2 (1), 82.195.230.142 (1), 64.20.50.35 (1), 70.85.221.154 (1), 72.36.179.162 (1), 212.227.96.202 (1), 64.91.255.130 (1), 209.160.32.106 (1), 209.59.163.222 (1), 213.186.34.130 (1), 216.227.215.62 (1), 201.9.209.49 (1), 72.29.64.229 (1), 200.162.196.214 (1), 213.247.60.210 (1), 72.9.248.146 (1), 205.234.235.173 (1), 218.150.78.201 (1), 64.34.166.126 (1), cmd.txt | 123 | 87.238.209.101 (5), 212.110.122.165 (3), 62.193.237.22 (3), 64.3.156.59 (3), 81.29.75.112 (2), 217.160.252.4 (2), 85.119.219.36 (2), 204.157.15.189 (2), 212.241.192.113 (2), 193.6.6.101 (2), 81.57.112.15 (2), 207.58.177.50 (2), 200.255.50.131 (2), 202.5.195.7 (2), 213.240.243.15 (2), 193.39.119.174 (2), 64.34.203.104 (1), 203.36.0.15 (1), 82.192.87.144 (1), 201.75.27.149 (1), 85.98.229.152 (1), 88.232.110.242 (1), 201.63.179.122 (1), 213.189.27.96 (1), 87.238.208.100 (1), 201.19.16.223 (1), 204.2.106.3 (1), 62.75.251.113 (1), 66.111.45.130 (1), 201.58.41.9 (1), 72.232.53.210 (1), 82.165.183.17 (1), 88.226.0.154 (1), 208.234.20.125 (1), 66.18.160.59 (1), 85.12.147.20 (1), 195.39.35.115 (1), 85.107.94.14 (1), 81.215.251.88 (1), 62.166.203.203 (1), 200.168.144.40 (1), 62.193.226.73 (1), 88.226.0.79 (1), 72.36.190.242 (1), 82.98.74.4 (1), 194.44.38.218 (1), 64.8.114.14 (1), 70.84.205.34 (1), 220.134.22.185 (1), 84.244.146.209 (1), 82.160.16.3 (1), 85.101.26.131 (1), 86.127.26.72 (1), 85.106.226.172 (1), 85.101.195.146 (1), 69.61.12.2 (1), 65.254.36.146 (1), 64.34.168.95 (1), 213.188.35.62 (1), 85.97.85.192 (1), 213.251.168.77 (1), 201.92.114.224 (1), 208.49.83.50 (1), 85.103.172.119 (1), 66.228.211.16 (1), 86.109.192.86 (1), 80.118.168.219 (1), 201.75.60.132 (1), 81.169.175.152 (1), 200.168.144.175 (1), 85.214.42.118 (1), 213.161.194.235 (1), 205.205.189.1 (1), 85.108.187.234 (1), 85.99.187.79 (1), 87.118.98.140 (1), 195.34.78.100 (1), 85.107.93.3 (1), 64.0.197.99 (1), 207.58.138.211 (1), 204.15.121.100 (1), 195.46.154.122 (1), 210.196.116.84 (1), 201.29.65.167 (1), 203.63.5.173 (1), 200.29.2.93 (1), 85.97.126.185 (1), 86.127.29.111 (1), 85.98.5.167 (1), 70.85.23.132 (1), 200.89.73.35 (1), 81.214.168.249 (1), 86.127.26.31 (1), 193.202.89.13 (1), 200.243.56.196 (1), 85.99.224.67 (1), 207.58.129.57 (1), 84.191.212.176 (1), 64.118.84.10 (1), 82.98.225.171 (1), 85.99.141.199 (1), list.txt | 106 | 201.63.179.122 (6), 72.29.71.211 (3), 62.149.140.15 (3), 216.139.67.90 (2), 207.150.191.52 (2), 195.149.99.131 (2), 209.172.34.86 (2), 70.85.154.226 (2), 70.87.86.130 (2), 202.143.173.2 (2), 193.39.119.174 (2), 84.252.146.194 (2), 81.169.155.146 (2), 72.52.184.4 (1), 213.251.132.191 (1), 82.165.235.5 (1), 216.22.24.29 (1), 72.29.68.123 (1), 216.104.149.111 (1), 69.16.207.166 (1), 154.37.2.50 (1), 216.180.243.242 (1), 72.232.91.130 (1), 66.227.122.97 (1), 216.55.147.90 (1), 63.146.198.100 (1), 193.226.140.228 (1), 67.19.80.180 (1), 216.130.161.111 (1), 66.197.195.101 (1), 216.7.178.164 (1), 64.27.5.179 (1), 69.72.224.106 (1), 204.157.11.179 (1), 217.112.42.25 (1), 82.102.15.13 (1), 81.169.167.240 (1), 72.36.158.226 (1), 209.59.195.31 (1), 218.36.126.67 (1), 66.7.200.164 (1), 63.247.139.69 (1), 70.84.146.130 (1), 65.254.50.114 (1), 87.17.78.245 (1), 194.30.160.11 (1), 202.130.106.156 (1), 209.59.130.114 (1), 194.79.71.157 (1), 201.42.41.18 (1), 200.146.61.40 (1), 203.88.114.169 (1), 161.132.144.50 (1), 151.51.63.190 (1), 194.145.127.68 (1), 134.58.253.114 (1), 67.91.198.51 (1), 91.121.7.26 (1), 72.21.51.210 (1), 72.18.130.32 (1), 209.33.215.180 (1), 210.0.211.228 (1), 205.234.99.226 (1), 88.149.156.142 (1), 62.149.140.18 (1), 209.51.140.2 (1), 70.86.172.210 (1), 64.151.90.220 (1), 200.241.111.203 (1), 67.18.167.138 (1), 81.4.74.238 (1), 82.163.66.89 (1), 216.117.150.82 (1), 201.26.46.108 (1), 87.118.98.140 (1), 216.227.217.6 (1), 64.0.197.99 (1), 193.25.197.122 (1), 72.29.73.71 (1), 200.101.93.29 (1), 83.143.81.2 (1), 200.216.87.236 (1), 83.243.154.180 (1), 72.36.202.166 (1), 216.246.45.69 (1), 210.208.204.56 (1), 38.118.74.77 (1), c.txt | 60 | 213.193.229.39 (5), 86.54.102.2 (4), 195.10.193.5 (3), 62.231.119.106 (3), 193.25.197.127 (3), 202.64.87.188 (2), 207.58.142.226 (2), 65.75.190.245 (2), 158.66.1.12 (2), 209.47.167.151 (2), 193.198.217.3 (1), 67.15.42.38 (1), 85.158.249.30 (1), 70.86.48.66 (1), 82.80.253.45 (1), 69.90.141.2 (1), 201.34.32.66 (1), 216.17.101.249 (1), 202.83.173.216 (1), 196.203.35.2 (1), 195.189.226.241 (1), 194.67.32.44 (1), 58.71.41.3 (1), 213.193.229.20 (1), 72.232.69.250 (1), 195.206.96.40 (1), 61.246.2.74 (1), 195.46.71.19 (1), 193.43.88.3 (1), 87.238.162.143 (1), 83.228.34.135 (1), 193.25.197.122 (1), 87.238.162.16 (1), 72.29.82.174 (1), 192.71.85.140 (1), 65.77.42.233 (1), 87.106.33.210 (1), 213.193.246.81 (1), 212.75.96.165 (1), 213.193.246.25 (1), 85.214.75.173 (1), 69.60.109.202 (1), cmd.do | 53 | 200.24.106.14 (4), 141.44.47.74 (3), 200.188.219.122 (2), 87.242.72.37 (2), 217.112.36.52 (2), 195.225.130.118 (2), 62.103.159.219 (1), 85.17.3.141 (1), 205.214.64.176 (1), 66.227.122.97 (1), 84.244.8.53 (1), 69.155.36.50 (1), 81.21.79.93 (1), 209.8.117.170 (1), 70.86.234.234 (1), 69.64.50.67 (1), 64.191.33.200 (1), 204.9.174.110 (1), 72.232.62.98 (1), 67.159.21.37 (1), 64.92.171.58 (1), 64.38.19.238 (1), 62.193.248.88 (1), 209.126.142.253 (1), 206.51.236.115 (1), 216.227.218.113 (1), 85.25.59.184 (1), 213.83.63.53 (1), 208.49.83.50 (1), 208.101.43.190 (1), 62.116.130.180 (1), 67.18.229.90 (1), 147.94.192.41 (1), 66.225.239.199 (1), 91.143.130.1 (1), 81.57.112.15 (1), 70.86.207.162 (1), 216.194.64.235 (1), 69.56.243.130 (1), 222.237.78.168 (1), 163.29.233.6 (1), 209.123.92.40 (1), 198.77.13.98 (1), 62.4.84.36 (1), c.in | 51 | 212.12.121.43 (3), 66.103.152.111 (3), 202.123.79.16 (3), 193.138.230.200 (3), 62.221.213.68 (2), 64.8.118.5 (2), 66.230.196.135 (2), 64.199.142.69 (2), 209.47.167.151 (2), 66.246.134.221 (1), 67.19.143.130 (1), 89.207.232.18 (1), 204.11.234.28 (1), 64.38.11.6 (1), 64.15.138.182 (1), 63.245.201.68 (1), 62.4.70.180 (1), 62.193.229.152 (1), 87.233.12.130 (1), 70.86.36.194 (1), 209.47.139.138 (1), 67.19.224.66 (1), 81.183.219.157 (1), 213.193.230.201 (1), 70.86.151.130 (1), 66.7.193.220 (1), 218.38.14.205 (1), 72.22.69.224 (1), 189.146.75.42 (1), 75.126.58.208 (1), 72.36.155.170 (1), 70.84.122.194 (1), 66.235.206.151 (1), 72.51.35.25 (1), 204.16.246.8 (1), 67.18.252.98 (1), 202.139.20.8 (1), 85.92.70.238 (1), tk.txt | 48 | 83.137.17.37 (2), 202.181.206.50 (2), 61.194.40.108 (2), 72.5.54.40 (2), 203.146.140.221 (1), 205.234.190.84 (1), 216.61.218.2 (1), 66.226.64.33 (1), 198.64.149.204 (1), 64.202.123.184 (1), 82.217.225.104 (1), 87.233.14.82 (1), 205.234.190.102 (1), 62.193.234.11 (1), 212.80.70.2 (1), 87.117.224.250 (1), 72.36.190.242 (1), 69.0.231.197 (1), 62.111.211.194 (1), 64.8.114.14 (1), 81.29.195.54 (1), 213.192.241.47 (1), 209.59.137.106 (1), 69.64.33.9 (1), 212.34.138.238 (1), 209.172.34.86 (1), 80.74.142.173 (1), 194.109.148.172 (1), 216.120.228.160 (1), 62.193.228.59 (1), 217.71.214.135 (1), 67.159.26.207 (1), 212.241.248.177 (1), 211.115.217.151 (1), 150.140.140.91 (1), 209.126.254.191 (1), 213.240.243.15 (1), 201.32.170.233 (1), 64.76.24.214 (1), 62.193.226.57 (1), 200.161.198.118 (1), 213.184.216.134 (1), 206.251.247.140 (1), 204.14.110.100 (1), sad.gif | 40 | 212.110.122.165 (2), 81.169.175.152 (2), 82.208.181.122 (1), 193.93.22.78 (1), 216.246.60.183 (1), 216.70.72.167 (1), 205.234.223.151 (1), 62.75.161.45 (1), 85.17.53.242 (1), 216.7.178.164 (1), 219.95.3.182 (1), 128.121.21.33 (1), 218.111.135.154 (1), 194.204.11.67 (1), 200.162.196.187 (1), 69.13.6.170 (1), 220.134.22.185 (1), 67.19.25.34 (1), 200.234.201.118 (1), 67.19.71.228 (1), 210.245.226.52 (1), 83.143.81.22 (1), 64.20.33.154 (1), 81.0.254.66 (1), 72.232.25.58 (1), 64.34.169.139 (1), 68.23.46.65 (1), 204.157.11.61 (1), 212.3.242.140 (1), 81.222.134.125 (1), 222.122.46.217 (1), 202.5.195.7 (1), 198.173.81.121 (1), 222.122.31.173 (1), 72.36.155.138 (1), 64.106.143.220 (1), 83.14.225.50 (1), 213.239.175.53 (1), tool20.dat | 37 | 85.98.228.55 (3), 81.215.251.73 (2), 81.214.163.255 (2), 81.214.160.78 (1), 81.215.248.208 (1), 81.215.245.81 (1), 81.214.168.215 (1), 81.214.165.43 (1), 85.104.40.203 (1), 81.214.161.240 (1), 81.215.237.251 (1), 81.214.174.71 (1), 81.214.169.172 (1), 81.214.172.202 (1), 81.214.171.65 (1), 81.214.168.116 (1), 85.98.123.10 (1), 81.214.166.1 (1), 81.214.175.73 (1), 81.214.164.94 (1), 81.215.247.8 (1), 85.98.123.29 (1), 201.19.113.219 (1), 81.214.164.5 (1), 201.19.65.249 (1), 81.214.169.97 (1), 81.215.255.156 (1), 85.104.40.207 (1), 81.214.169.190 (1), 81.214.175.27 (1), 81.214.171.215 (1), 81.214.162.240 (1), 81.214.172.207 (1), c.php.txt | 32 | 81.183.219.157 (2), 64.199.142.69 (2), 202.60.74.106 (2), 84.19.182.32 (1), 72.36.192.42 (1), 193.164.131.35 (1), 85.43.93.220 (1), 65.42.183.2 (1), 81.92.6.204 (1), 70.84.178.34 (1), 195.2.72.34 (1), 72.232.214.242 (1), 66.165.236.122 (1), 72.29.75.151 (1), 195.138.198.28 (1), 208.101.29.107 (1), 67.19.37.228 (1), 66.103.130.131 (1), 70.86.36.194 (1), 195.238.74.73 (1), 219.93.90.33 (1), 66.235.209.82 (1), 85.25.11.42 (1), 66.45.242.178 (1), 66.235.206.151 (1), 195.2.72.35 (1), 69.93.128.17 (1), 212.24.224.18 (1), 72.232.6.132 (1), Statistics: Malware Count (Unique): 11 Malware Hit Count: 829 (from same IP: 98.67%)

1 0

RE: 4 Byte AS tested
by Geoff Huston 11 Jan '07

11 Jan '07

At 09:33 AM 12/01/2007, Anderson, Matthew R [NTK] wrote: >One test case I would like to see is alternating 2- and 4-byte ASNs >in the path. This may be harder. E.g., AS_PATH = 1239 23456 1221 >23456 23456 23456. Or how about an AS_PATH including the 4-byte ASN >placeholder (23456) whose origin is a 2-byte OLD speaker? E.g., >AS_PATH = 1239 23456 1221 23456 23456 23456 12234. I've done a number of small scale permutations with BGP configurations, but larger tests of the form you describe here will need some more willing participants, particularly if we are interested in doing this in the context of the Internet itself rather than in a collection of small scale ebgp peerings. Geoff

1 0

4 Byte AS tested
by Geoff Huston 11 Jan '07

11 Jan '07

# bgpctl show rib 203.10.62.0/24 flags: * = Valid, > = Selected, I = via IBGP, A = Announced origin: i = IGP, e = EGP, ? = Incomplete flags destination gateway lpref med aspath origin *> 203.10.62.0/24 147.28.0.1 100 0 0.3130 0.1239 0.4637 0.4637 0.4637 0.4637 0.4637 0.4637 0.1221 1.202 i George Michaelson, Randy Bush and myself have successfully tested the implementation of 4Byte AS BGP on a public Internet transit. The above BGP RIB snapshot was taken at a 4Byte BGP speaker in North America, showing a transit path across AS 1221, AS 4637, AS 1239 and AS 3130 , with correct reconstruction of the originating AS at the other (4Byte AS) end. The code base used was OpenBGPD, with 4 byte patches that I've added to the code in the past couple of weeks. (Patched versions of openbgpd to include 4-byte AS support can be found at http://www.potaroo.net/tools/bgpd/) cheers, Geoff

9 13