More data would be useful to answer this question. I have not done any research to answer these questions myself, but here are some additional points which may further clarify your own search:

- Do these "Premature ASes" announce the same routes before and after they are registered?
- Do these PASes announce "new" routes, or do they announce routes that already exist in the global tables via some other legitimate AS?
- Do these PASes appear from behind the same transit ASes before and after they are registered?
- Is there oscillation in appearances of these PASes before official registration? In other words, do they only appear for a few hours at a time in the period before they're officially registered?

There have been instances of rogue network operators announcing networks in order to cause disruption (think DNS cache attack) in "whack-a-mole" style where the AS will appear and disappear very quickly in order to give some minimal additional difficulty in tracking down the culprit. The questions I ask above, if answers are available, would be able to classify some of these attacks and allow for further examination versus some other, yet unidentified cause.

Or, is it the case that _all_ of the PASes are then legitimately registered at some point in the future? It may be the case that a savvy network attacker would pick "soon-to-be-legitimate" or "once-were-legitimate-but-are-now-unused" ASes for their attack, but I would bet that at least some would pick ASes that don't come from an easily overlooked range.

JT
Hi All,
This is my first post to this list so please forgive me if it's in any way inappropriate, and as I know everyone has work to do, I'll try to be brief.
I am a CS PhD student trying to track ASes (for reasons I'm happy to discuss offline). There is a grave inconsistency I have come across and can't explain. Simply, there seem to be many AS numbers in the non-private range that come into use at some point in time and advertise a range of IPs, but these AS numbers are not allocated until much later.
More specifically, archived BGP tables show many AS numbers which ARIN shows not to have allocated (in their allocation history tables) until many months, sometimes a year/two, later. The number of such ASes has shrunk over time (from about 100 in 1999/2000 to 20-30 in 2002) but still exists. I don't want to "name ASes" <grin>.
Does anyone have any explanations? Are network operators "notified" of their new AS number well in advance of the actual receipt of that number on paper, for example? Any help is appreciated (and hopefully this occurrence is of interest to nanog).
Thanks, --marwan
ps. If one wishes to refer to a cluster of members of nanog, are they referred to as "NANOs"? (Not to be confused with the salutation made famous by tv's Mork & Mindy, of course) :-)
******************************************************** "Theatre is not supposed to change the world, but it can show the world can change." --unnamed director ********************************************************
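The four checks raised in the reply (same routes, overlap with an existing origin, same transit, oscillation) can be computed per origin AS from archived table snapshots and registry allocation dates. The following is an added example, not code from either message; the ASNs and prefixes are documentation values, and the snapshot rows, allocation dates and the `classify` function are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: documentation ASNs (RFC 5398) and prefixes (RFC 5737).
# Hypothetical registry allocation dates per origin AS.
ALLOCATED = {64499: date(1998, 1, 1), 64500: date(2001, 6, 1), 64501: date(2001, 9, 1)}
DATES = [date(2000, 3, 1), date(2000, 6, 1), date(2000, 9, 1),
         date(2000, 12, 1), date(2001, 7, 1), date(2001, 10, 1)]
# Hypothetical archived BGP table rows: (snapshot date, prefix, AS path).
SNAPSHOTS = [(d, "198.51.100.0/24", [64496, 64499]) for d in DATES]
SNAPSHOTS += [(d, "192.0.2.0/24", [64496, 64500]) for d in DATES]
SNAPSHOTS += [(DATES[1], "198.51.100.0/24", [64497, 64501]),
              (DATES[3], "198.51.100.0/24", [64497, 64501]),
              (DATES[5], "203.0.113.0/24", [64496, 64501])]

def classify(snapshots, allocated):
    """Report origin ASes seen before their allocation date, with the four checks."""
    dates = sorted({d for d, _, _ in snapshots})
    seen = defaultdict(lambda: defaultdict(list))  # origin -> date -> [(prefix, upstream)]
    for d, prefix, path in snapshots:
        seen[path[-1]][d].append((prefix, path[-2] if len(path) > 1 else None))
    report = {}
    for asn, by_date in seen.items():
        alloc = allocated.get(asn)  # None means never allocated
        pre = [d for d in by_date if alloc is None or d < alloc]
        if not pre:
            continue  # not premature
        post = [d for d in by_date if d not in pre]
        prefixes = lambda ds: {p for d in ds for p, _ in by_date[d]}
        upstreams = lambda ds: {u for d in ds for _, u in by_date[d]}
        # Prefixes originated by any other AS anywhere in the archive.
        others = {p for o, bd in seen.items() if o != asn
                  for rows in bd.values() for p, _ in rows}
        # Oscillation: separate runs of presence across pre-allocation snapshots.
        present = [d in by_date for d in dates if alloc is None or d < alloc]
        runs = sum(p and (i == 0 or not present[i - 1]) for i, p in enumerate(present))
        report[asn] = {
            "first_seen": min(pre), "allocated": alloc,
            "same_routes": bool(post) and prefixes(pre) == prefixes(post),
            "overlaps_existing": bool(prefixes(pre) & others),
            "same_upstream": bool(post) and upstreams(pre) == upstreams(post),
            "pre_alloc_runs": runs,
        }
    return report

if __name__ == "__main__":
    for asn, row in sorted(classify(SNAPSHOTS, ALLOCATED).items()):
        print(asn, row)
```

In the constructed data, AS 64500 looks like an operator using its number early (stable routes, stable transit, one continuous run), while AS 64501 matches the pattern the reply describes: an already-originated prefix, a different transit, and intermittent appearances.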