On (2012-10-03 00:43 -0400), ML wrote:
> Has anyone put in place a method to identify if one of their BGP peers suddenly withdraws X% of their prefixes?

I've had monitoring for this for many years, over SNMP. Right now my limits are
 a) prefix count went to or came from 0 or
 b) relative difference is minimum 1.5x and absolute difference is minimum of 1000

Output what I get as emails:

rtr1: AS702 2001:600:202::15 ge-1-0-4.BR2.LND18.ALTER.NET 0 => 34
rtr2: AS2119 148.122.8.213 ti3001b300-ge3-1-0.ti.telenor.net 688 => 0 (1/3)
rtr2: AS2119 2001:4600:10::4d ti3001b300-ge3-1-0.ti.telenor.net 13 => 0 (2/3)
rtr3: AS3491 80.81.192.50 br02.frf02.pccwbtn.net 37548 => 4710

And there are about 10-20 emails per day, even when looking only at rather 'coarse' changes.

But to be honest, I almost never peek at the folder where I get these, I'm probably moving the output to an IRC channel, as I've found it a superior way to keep track of alarms compared to emails for my workflow.

--
  ++ytti
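
The two limits described in the post above, as an added example that is not part of the original post and is not ytti's script. It assumes the per-peer prefix counts have already been collected (for instance over SNMP) into two snapshots, and reads the limits as "a, or both parts of b". The function names, the snapshot layout and the rtr4 entries are constructed for illustration.

```python
"""Flag BGP peers whose prefix count changed sharply between two polls."""

REL_MIN = 1.5    # rule b: larger count / smaller count must be at least this
ABS_MIN = 1000   # rule b: and the absolute difference must be at least this


def is_significant(old, new):
    """Apply the post's two limits to one peer's old and new prefix counts."""
    if old == new:
        return False
    # Rule a: the count went to 0 or came from 0 (also avoids dividing by 0).
    if old == 0 or new == 0:
        return True
    # Rule b: both the relative and the absolute change must be large.
    low, high = sorted((old, new))
    return high / low >= REL_MIN and high - low >= ABS_MIN


def report(previous, current):
    """Compare two {(router, asn, peer_ip): count} snapshots, return alert lines.

    Assumption: a peer missing from one snapshot is treated as count 0.
    """
    lines = []
    for key in sorted(set(previous) | set(current)):
        old, new = previous.get(key, 0), current.get(key, 0)
        if is_significant(old, new):
            router, asn, peer = key
            lines.append(f"{router}: AS{asn} {peer} {old} => {new}")
    return lines


# Sample snapshots: the first four count pairs are the ones shown in the post,
# the rtr4 entries are constructed cases that must stay quiet.
KEYS = [
    ("rtr1", 702, "2001:600:202::15"), ("rtr2", 2119, "148.122.8.213"),
    ("rtr2", 2119, "2001:4600:10::4d"), ("rtr3", 3491, "80.81.192.50"),
    ("rtr4", 64500, "192.0.2.1"),   # small relative and absolute change
    ("rtr4", 64501, "192.0.2.5"),   # 2.25x, but only 500 prefixes
    ("rtr4", 64502, "192.0.2.9"),   # 1100 prefixes, but only about 1.01x
]
PREVIOUS = dict(zip(KEYS, [0, 688, 13, 37548, 5000, 400, 120000]))
CURRENT = dict(zip(KEYS, [34, 0, 0, 4710, 4500, 900, 118900]))

if __name__ == "__main__":
    print("\n".join(report(PREVIOUS, CURRENT)))
```

Requiring both the ratio and the absolute difference in rule b is what keeps small peers (400 to 900) and large but stable peers (120000 to 118900) out of the alert stream.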