AS23456 is what you get if your system doesn't properly support 32-bit ASNs and an AS-PATH (or peer) uses a 32-bit ASN. There should be an extended attribute on the route that contains the full 32-bit AS-PATH called AS4_PATH associated with any such routes. Arguably any route containing AS23456 without an AS4_PATH attribute is invalid and could be filtered. Unfortunately, routers that would display AS23456 instead of restoring the full 32-bit AS_PATH may not be able to identify this. A properly transmitted route from a 4-byte ASN will be recovered as follows: 91.217.86.0/23 *[BGP/170] 1w5d 09:11:37, MED 101, localpref 100 AS path: 8121 1299 3209 197269 I > to 192.124.40.129 via ge-0/0/0.0 OTOH, you may occasionally see artifacts like this (I don't know why): 91.217.87.0/24 *[BGP/170] 1w5d 09:10:16, MED 101, localpref 100 AS path: 8121 1299 174 23456 197269 I > to 192.124.40.129 via ge-0/0/0.0 But if you are seeing 23456 on an AS4 capable router without at least some indication of a 4-byte ASN in the path, it's probably fishy. On Feb 3, 2013, at 4:57 AM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
At least the 103.x which are announced by airtel. The other netblocks (one Indian and two brazilian) appear unrelated though also showing as23456
--srs (htc one x) On 03-Feb-2013 6:12 PM, "Suresh Ramasubramanian" <ops.lists@gmail.com<javascript:_e({}, 'cvml', 'ops.lists@gmail.com');>> wrote:
AS23456 is currently announcing a good few netblocks (which don't have a very good smtp reputation, by the way).
Funny thing is, that's a special use ASN as per rfc4893, something about two octet ASNs that don't have a four octet representation.
Only one upstream (airtelbroadband-as-ap, as24560) that I can see
103.7.204.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
103.14.208.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
103.23.124.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
103.30.12.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
103.245.112.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
111.235.148.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
177.55.249.0/24
Missing AS4_PATH -- Probably a spoofed/hijacked route
186.251.192.0/21
Missing AS4_PATH -- Probably a spoofed/hijacked route If you're motivated to pursue this, the best thing to do is probably to contact the last legitimate AS before 23456 in the AS-PATH and inquire. Owen