They're doing this to our routes in any2 in LA as well. ... -----Original Message----- From: Job Snijders [mailto:job.snijders@atrato.com] Sent: Wednesday, March 06, 2013 4:04 AM To: Matsuzaki Yoshinobu Cc: nanog@nanog.org Subject: Re: Dreamhost/AS26347 unauthorized bgp announcement Hi Mat, I see the same thing, we learn the prefix from the route-server in LAX: telnet@r1.lax1.us>show ip bgp routes detail 90.201.80.0/20 Number of BGP Routes matching display condition : 1 Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH S:SUPPRESSED F:FILTERED s:STALE 1 Prefix: 90.201.80.0/20, Status: BE, Age: 0h22m15s NEXT_HOP: 206.223.143.83, Metric: 0, Learned from Peer: 206.223.143.253 (19996) LOCAL_PREF: 400, MED: none, ORIGIN: incomplete, Weight: 0 AS_PATH: 26347 COMMUNITIES: 5580:12431 Adj_RIB_out count: 18, Admin distance 20 Last update to IP routing table: 0h22m15s, 1 path(s) installed: Kind regards, Job On Mar 6, 2013, at 9:59 AM, Matsuzaki Yoshinobu <maz@iij.ad.jp> wrote:
According to RIPE RIS, AS26347 announced a bunch of prefixes again. - http://www.ris.ripe.net/dashboard/26347
First suspicious announcement was started 2013-03-06 07:52:40 UTC, and last seen 2013-03-06 08:33:56 UTC. 195 prefixes total.
It seems these unauthorized announcements have the same profile as before - AS26347 shrinks the prefix lenght of their received prefix somehow upto /20, and re-originates the prefix with origin AS26347.
Any known bugs?
Regards, ----- Matsuzaki Yoshinobu <maz@iij.ad.jp> - IIJ/AS2497 INOC-DBA: 2497*629
-- AS5580 - Atrato IP Networks