I looked at some RIS (and routeviews) MRT data. First I looked at BGP updates: * There were no BGP updates captured by RIPE RIS between 2025-08-12..2025-08-26 for 2400::/12. * The largest prefix in 2400::/12 for which updates/withdraws were seen in that period was 2400:2000::/20. When I look at the combined RIS+routeviews RIBS at 08:00 UTC on 2025-08-30, these are the largest prefixes in 2400::/12 and their visibility: ┌────────────────┬────────────┐ │ prefix │ visibility │ │ │ (peers) │ ├────────────────┼────────────┤ │ 2400:2000::/20 │ 689 │ │ 2400:4000::/22 │ 690 │ │ 2400:6280::/30 │ 268 │ │ 2400:7b80::/30 │ 799 │ │ 2400:a840::/31 │ 795 │ │ 2400:a842::/31 │ 795 │ │ 2400:a844::/31 │ 795 │ │ 2400:a846::/31 │ 795 │ │ 2400:a848::/31 │ 795 │ │ 2400:a84a::/31 │ 795 │ │ 2400:a84c::/31 │ 795 │ │ 2400:a84e::/31 │ 795 │ │ 2400:a980::/29 │ 777 │ │ 2400:ca00::/28 │ 792 │ │ 2400:d800::/30 │ 780 │ │ 2400:d800::/31 │ 780 │ │ 2400:dd00::/28 │ 693 │ If 2400::/12 was widely visible, it indicates a gap in the coverage of routeviews and RIS. I can’t speak for routeviews, but as RIS project we would be very happy to add peers that cover such a blindspot. We want to make data analysis like I just did easier. We have a prototype for a new way to search in MRT data. It started as an internal research/debugging aid, but we want to start releasing pre-processed data soon. If things work out I will do a talk on this at the next RIPE and NANOG meetings on this way to search in BGP data - the talk is about to be submitted. Kind regards, Ties On Sat, 30 Aug 2025 at 14:56, Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:
According to RIPEStat, 2400::/12 hasn't been seen since Oct 2023, from AS13030 (Init7).
I also cannot seem to see any recent announcement of that anywhere in the usual sources, or my internal data. I would say this was an error on Qrator's part.
In that case, what more do I must do?
Although it didn't seem to happen here, best practice is to always announce 100% of your allocated IPs at all times. This provides protection against someone announcing an umbrella and pulling traffic for any uncovered space. It's not perfect , but protects against general stupid.
On Sat, Aug 30, 2025 at 2:59 AM Pirawat WATANAPONGSE via NANOG < nanog@lists.nanog.org> wrote:
Dear Gurus,
Radar tool by Qrator [Reference: https://radar.qrator.net ] claims that Zenlayer Inc. [AS4229] is “umbrella-ing” me by announcing ‘2400::/12’ on top of my more-specific address block. The tool classifies it as a type of hijacking. [Disclaimer: apologies to Zenlayer if you didn’t do it; but that’s the information I received] My neighboring organization also has a more-specific block that falls under The Umbrella too.
However, other tools (https://stat.ripe.net , https://irrexplorer.nlnog.net , https://bgp.he.net , etc.) seem unable to see that particular announcement.
Questions: 1. Is Qrator claim true? (because I have already tried but cannot verify) 2. If so, should I be concerned? Even though I already ROA-ed *and* IRR-ed my own block, but if “the other end” doesn’t validate, it won’t do any good, correct? (Oh, yeah, the other end also has to somehow “not see” my longer-prefix. But that can happen as well, no?) 3. In that case, what more do I must do?
I would extremely appreciate someone helping me out on this matter.
Best Regards,
Pirawat. _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/GT2M54NG... _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/47LPGUEA...