From: Jared Mauch <jared@puck.nether.net> Date: Thu, 24 Feb 2011 16:59:52 -0500
It appears there have been a large number of routing leaks from 6453 today based on my detection scripts that have been running.
(shameless plug for http://puck.nether.net/bgp/leakinfo.cgi)
A quick report of the data show (for today so far) a few thousand of leaks more than is normal for a day like today. I included a snapshot of yesterday below as well.
I've included a more detailed report of the prefixes observed involved here:
http://puck.nether.net/~jared/tata-leak-20110224.txt
This seems to be a somewhat common event for 6453, loking through the history of data available, another event happened on 2011-01-28 as well.
I'm interested in what best operational practices people have employed to help avoid the leaks seen here so I can document them for others to learn to prevent this from happening again.
- Jared
bgp=# select count(blame_asn),blame_asn,asn_responsible from leakinfo where aprox_time::date = '2011-02-24' group by blame_asn,asn_responsible order by 1 desc; count | blame_asn | asn_responsible -------+-----------+----------------- 2208 | 6453 | 6453 360 | 7473 | 3257 230 | | 170 | 17379 | 5511 130 | 8068 | 3356 39 | 3225 | 6453 34 | 45419 | 3356 26 | 3356 | 3356 25 | 12180 | 2828 18 | 22351 | 701 16 | 7991 | 2914 16 | 14051 | 1239 10 | 29571 | 5511 4 | 32327 | 2828 4 | 8966 | 2914 4 | 19080 | 1239 4 | 30209 | 7018 4 | 18734 | 701 4 | 4657 | 3320 3 | 33748 | 1239 2 | 5056 | 1239 2 | 10026 | 2828 2 | 12252 | 2914 1 | 11696 | 2828 (24 rows)
bgp=# select count(blame_asn),blame_asn,asn_responsible from leakinfo where aprox_time::date = '2011-02-23' group by blame_asn,asn_responsible order by 1 desc; count | blame_asn | asn_responsible -------+-----------+----------------- 384 | 7473 | 3257 120 | 17379 | 5511 48 | | 27 | 45419 | 3356 24 | 12180 | 2828 11 | 23456 | 2914 (6 rows)
bgp=# select count(blame_asn),blame_asn,asn_responsible from leakinfo where aprox_time::date = '2011-01-28' group by blame_asn,asn_responsible order by 1 desc; count | blame_asn | asn_responsible -------+-----------+----------------- 9119 | 6453 | 6453 2265 | | 355 | 2914 | 2914 313 | 7473 | 3257 250 | 17379 | 5511 213 | 32592 | 701 106 | 3790 | 1239 72 | 19108 | 6461 62 | 14051 | 1239 51 | 34977 | 6453 48 | 31133 | 3356 47 | 8657 | 174 32 | 7713 | 2914 31 | 1257 | 1239 31 | 8966 | 2914 30 | 30209 | 7018 30 | 31133 | 1299 29 | 8342 | 1239 24 | 38925 | 3320 24 | 12180 | 2828 22 | 8657 | 3549 21 | 15641 | 3549 18 | 31133 | 2914 16 | 15412 | 2914 15 | 7473 | 3549 10 | 6762 | 1299 10 | 6762 | 7018 10 | 20299 | 1239 10 | 6762 | 3561 10 | 6762 | 174 9 | 4323 | 2914 7 | 26163 | 6461 7 | 9505 | 174 7 | 15149 | 6461 7 | 9070 | 3549 7 | 7819 | 6461 6 | 7473 | 174 6 | 3216 | 3549 6 | 1273 | 174 5 | 8657 | 3356 5 | 26769 | 3549 5 | 6762 | 2914 5 | 6762 | 3356 4 | 8047 | 701 4 | 8877 | 174 4 | 174 | 174 2 | 20299 | 174 2 | 7843 | 174 2 | 7473 | 6453 2 | 8928 | 3320 2 | 7991 | 2914 1 | 1273 | 3549 1 | 20485 | 2914 1 | 3216 | 1239 (54 rows)
Can't say if it was a leak or de aggregation, but TATA announcements to us jumped from about 70,000 to almost 190,000 for a while today, then dropped back down. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751