Invalid prefix announcement from AS9035 for 129.77.0.0/16
About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate if people have time and can double check let me know if any announcements are active except from our AS6128/AS6395 upstreams. If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE. ---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
Hi Matthew, You are not the only one having this issue. They are announcing some other prefixes as well! 2009/10/9 Matthew Huff <mhuff@ox.com>
About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate if people have time and can double check let me know if any announcements are active except from our AS6128/AS6395 upstreams.
If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE.
---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
-- Wouter Prins wp@null0.nl 0x301FA912
Agreed. Our prefixes at AS40060 were announced as well. I received a notification around 7:00am EDT that our prefixes were detected announced from AS9035 with the same upstream AS1267. On 10/9/09 8:34 AM, "Wouter Prins" <wp@null0.nl> wrote:
Hi Matthew, You are not the only one having this issue. They are announcing some other prefixes as well!
2009/10/9 Matthew Huff <mhuff@ox.com>
About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate if people have time and can double check let me know if any announcements are active except from our AS6128/AS6395 upstreams.
If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE.
---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
-- Adam Kennedy Senior Network Administrator Cyberlink Technologies, Inc. Phone: 888-293-3693 x4352 Fax: 574-855-5761
Lots of people were affected, but none significantly. They originated 86,747 networks very briefly (less than a minute at 7:23 UTC), and I don't think anyone outside Telecom Italia's customer cone even saw them. So the impact was really, really limited. The correct origins were being reasserted even before the last of the announcements came over the wire. It always irks me when I see "routing alerts" that arrive hours after the event is over, without any of the context that would allow you to know whether it had any real impact. Your instinct to check looking glasses is the right one, but you have to move quickly and know where to look. Of course, I'm biased. --jim On Fri, Oct 9, 2009 at 9:20 AM, Adam Kennedy <akennedy@cyberlinktech.com>wrote:
Agreed. Our prefixes at AS40060 were announced as well. I received a notification around 7:00am EDT that our prefixes were detected announced from AS9035 with the same upstream AS1267.
On 10/9/09 8:34 AM, "Wouter Prins" <wp@null0.nl> wrote:
Hi Matthew, You are not the only one having this issue. They are announcing some other prefixes as well!
2009/10/9 Matthew Huff <mhuff@ox.com>
About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate if people have time and can double check let me know if any announcements are active except from our AS6128/AS6395 upstreams.
If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE.
---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
-- Adam Kennedy Senior Network Administrator Cyberlink Technologies, Inc. Phone: 888-293-3693 x4352 Fax: 574-855-5761
Does anyone know why it takes BGPMon so long to send out an email. It looks like it BGPMon detected the AS9035 announcements at the right time (around 7:00 UTC) but I didn't get a notification until around 13:00 UTC. It seems like many people rely on BGPMon to do this type of detection, so the long delay is frustrating. Thanks Dylan Ebner -----Original Message----- From: Jim Cowie [mailto:cowie@renesys.com] Sent: Friday, October 09, 2009 9:11 AM To: Adam Kennedy Cc: NANOG Subject: Re: Invalid prefix announcement from AS9035 for 129.77.0.0/16 Lots of people were affected, but none significantly. They originated 86,747 networks very briefly (less than a minute at 7:23 UTC), and I don't think anyone outside Telecom Italia's customer cone even saw them. So the impact was really, really limited. The correct origins were being reasserted even before the last of the announcements came over the wire. It always irks me when I see "routing alerts" that arrive hours after the event is over, without any of the context that would allow you to know whether it had any real impact. Your instinct to check looking glasses is the right one, but you have to move quickly and know where to look. Of course, I'm biased. --jim On Fri, Oct 9, 2009 at 9:20 AM, Adam Kennedy <akennedy@cyberlinktech.com>wrote:
Agreed. Our prefixes at AS40060 were announced as well. I received a notification around 7:00am EDT that our prefixes were detected announced from AS9035 with the same upstream AS1267.
On 10/9/09 8:34 AM, "Wouter Prins" <wp@null0.nl> wrote:
Hi Matthew, You are not the only one having this issue. They are announcing some other prefixes as well!
2009/10/9 Matthew Huff <mhuff@ox.com>
About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate if people have time and can double check let me know if any announcements are active except from our AS6128/AS6395 upstreams.
If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE.
---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
-- Adam Kennedy Senior Network Administrator Cyberlink Technologies, Inc. Phone: 888-293-3693 x4352 Fax: 574-855-5761
Usually I get alerts from BGPMon within about 20 minutes of an event being detected. Not so much with the event this morning. I'm guessing that the orgination of 86,747 prefixes from the wrong AS probably got their MTA pretty busy... -----Original Message----- From: Dylan Ebner [mailto:dylan.ebner@crlmed.com] Sent: Friday, October 09, 2009 10:23 AM To: Jim Cowie; Adam Kennedy Cc: NANOG Subject: RE: Invalid prefix announcement from AS9035 for 129.77.0.0/16 Does anyone know why it takes BGPMon so long to send out an email. It looks like it BGPMon detected the AS9035 announcements at the right time (around 7:00 UTC) but I didn't get a notification until around 13:00 UTC. It seems like many people rely on BGPMon to do this type of detection, so the long delay is frustrating. Thanks Dylan Ebner
I thought that may be the case as well. Do people know of other services like BGPMon that may be able to keep up with the load better? Does anyone know how cyclops faired this morning with the additional load? Dylan Ebner -----Original Message----- From: Andrew Nusbaum [mailto:Andrew.Nusbaum@mindspark.com] Sent: Friday, October 09, 2009 9:27 AM To: Dylan Ebner; Jim Cowie; Adam Kennedy Cc: NANOG Subject: RE: Invalid prefix announcement from AS9035 for 129.77.0.0/16 Usually I get alerts from BGPMon within about 20 minutes of an event being detected. Not so much with the event this morning. I'm guessing that the orgination of 86,747 prefixes from the wrong AS probably got their MTA pretty busy... -----Original Message----- From: Dylan Ebner [mailto:dylan.ebner@crlmed.com] Sent: Friday, October 09, 2009 10:23 AM To: Jim Cowie; Adam Kennedy Cc: NANOG Subject: RE: Invalid prefix announcement from AS9035 for 129.77.0.0/16 Does anyone know why it takes BGPMon so long to send out an email. It looks like it BGPMon detected the AS9035 announcements at the right time (around 7:00 UTC) but I didn't get a notification until around 13:00 UTC. It seems like many people rely on BGPMon to do this type of detection, so the long delay is frustrating. Thanks Dylan Ebner
I actually got origin change alerts from Cyclops about 2 minutes after the announcements started. -Andy -----Original Message----- From: Dylan Ebner [mailto:dylan.ebner@crlmed.com] Sent: Friday, October 09, 2009 10:31 AM To: Andrew Nusbaum; Jim Cowie; Adam Kennedy Cc: NANOG Subject: RE: Invalid prefix announcement from AS9035 for 129.77.0.0/16 I thought that may be the case as well. Do people know of other services like BGPMon that may be able to keep up with the load better? Does anyone know how cyclops faired this morning with the additional load? Dylan Ebner -----Original Message----- From: Andrew Nusbaum [mailto:Andrew.Nusbaum@mindspark.com] Sent: Friday, October 09, 2009 9:27 AM To: Dylan Ebner; Jim Cowie; Adam Kennedy Cc: NANOG Subject: RE: Invalid prefix announcement from AS9035 for 129.77.0.0/16 Usually I get alerts from BGPMon within about 20 minutes of an event being detected. Not so much with the event this morning. I'm guessing that the orgination of 86,747 prefixes from the wrong AS probably got their MTA pretty busy... -----Original Message----- From: Dylan Ebner [mailto:dylan.ebner@crlmed.com] Sent: Friday, October 09, 2009 10:23 AM To: Jim Cowie; Adam Kennedy Cc: NANOG Subject: RE: Invalid prefix announcement from AS9035 for 129.77.0.0/16 Does anyone know why it takes BGPMon so long to send out an email. It looks like it BGPMon detected the AS9035 announcements at the right time (around 7:00 UTC) but I didn't get a notification until around 13:00 UTC. It seems like many people rely on BGPMon to do this type of detection, so the long delay is frustrating. Thanks Dylan Ebner
On Fri, Oct 9, 2009 at 10:41 AM, Andrew Nusbaum <Andrew.Nusbaum@mindspark.com> wrote:
I actually got origin change alerts from Cyclops about 2 minutes after the announcements started.
your email address starts with an A... So one of Jim's subtle hints here is that for folks willing to pay for alerting, they(renesys) can (not that I have any data to support this) alert 'in a timely fashion'. I suspect when your depending upon a machine under someone's desk that's not getting revenue support you get what you pay for. Note well, that I (personally) don't subscribe to any of these services... -Chris
-Andy
-----Original Message----- From: Dylan Ebner [mailto:dylan.ebner@crlmed.com] Sent: Friday, October 09, 2009 10:31 AM To: Andrew Nusbaum; Jim Cowie; Adam Kennedy Cc: NANOG Subject: RE: Invalid prefix announcement from AS9035 for 129.77.0.0/16
I thought that may be the case as well. Do people know of other services like BGPMon that may be able to keep up with the load better? Does anyone know how cyclops faired this morning with the additional load?
Dylan Ebner
-----Original Message----- From: Andrew Nusbaum [mailto:Andrew.Nusbaum@mindspark.com] Sent: Friday, October 09, 2009 9:27 AM To: Dylan Ebner; Jim Cowie; Adam Kennedy Cc: NANOG Subject: RE: Invalid prefix announcement from AS9035 for 129.77.0.0/16
Usually I get alerts from BGPMon within about 20 minutes of an event being detected. Not so much with the event this morning. I'm guessing that the orgination of 86,747 prefixes from the wrong AS probably got their MTA pretty busy...
-----Original Message----- From: Dylan Ebner [mailto:dylan.ebner@crlmed.com] Sent: Friday, October 09, 2009 10:23 AM To: Jim Cowie; Adam Kennedy Cc: NANOG Subject: RE: Invalid prefix announcement from AS9035 for 129.77.0.0/16
Does anyone know why it takes BGPMon so long to send out an email. It looks like it BGPMon detected the AS9035 announcements at the right time (around 7:00 UTC) but I didn't get a notification until around 13:00 UTC. It seems like many people rely on BGPMon to do this type of detection, so the long delay is frustrating.
Thanks
Dylan Ebner
there are multiple systems available, sign up for a few i've noticed cyclops alerts are sent faster than bgpon PHAS was fast, but the project is over and something new is going to be released there is ripe MyASN there is watchmynet and IAR On Fri, Oct 9, 2009 at 7:23 AM, Dylan Ebner <dylan.ebner@crlmed.com> wrote:
Does anyone know why it takes BGPMon so long to send out an email. It looks like it BGPMon detected the AS9035 announcements at the right time (around 7:00 UTC) but I didn't get a notification until around 13:00 UTC. It seems like many people rely on BGPMon to do this type of detection, so the long delay is frustrating.
Thanks
Dylan Ebner
-----Original Message----- From: Jim Cowie [mailto:cowie@renesys.com] Sent: Friday, October 09, 2009 9:11 AM To: Adam Kennedy Cc: NANOG Subject: Re: Invalid prefix announcement from AS9035 for 129.77.0.0/16
Lots of people were affected, but none significantly. They originated 86,747 networks very briefly (less than a minute at 7:23 UTC), and I don't think anyone outside Telecom Italia's customer cone even saw them. So the impact was really, really limited. The correct origins were being reasserted even before the last of the announcements came over the wire.
It always irks me when I see "routing alerts" that arrive hours after the event is over, without any of the context that would allow you to know whether it had any real impact. Your instinct to check looking glasses is the right one, but you have to move quickly and know where to look.
Of course, I'm biased. --jim
On Fri, Oct 9, 2009 at 9:20 AM, Adam Kennedy <akennedy@cyberlinktech.com>wrote:
Agreed. Our prefixes at AS40060 were announced as well. I received a notification around 7:00am EDT that our prefixes were detected announced from AS9035 with the same upstream AS1267.
On 10/9/09 8:34 AM, "Wouter Prins" <wp@null0.nl> wrote:
Hi Matthew, You are not the only one having this issue. They are announcing some other prefixes as well!
2009/10/9 Matthew Huff <mhuff@ox.com>
About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate if people have time and can double check let me know if any announcements are active except from our AS6128/AS6395 upstreams.
If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE.
---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
-- Adam Kennedy Senior Network Administrator Cyberlink Technologies, Inc. Phone: 888-293-3693 x4352 Fax: 574-855-5761
We also received a notification that our IP block 67.135.55.0/24 (AS19629) is being annouced by AS9035. Hopefully someone is receiving my emails. Thanks Dylan Ebner, Network Engineer Consulting Radiologists, Ltd. 1221 Nicollet Mall, Minneapolis, MN 55403 ph. 612.573.2236 fax. 612.573.2250 dylan.ebner@crlmed.com www.consultingradiologists.com -----Original Message----- From: Matthew Huff [mailto:mhuff@ox.com] Sent: Friday, October 09, 2009 7:28 AM To: nanog@nanog.org Subject: Invalid prefix announcement from AS9035 for 129.77.0.0/16 About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate if people have time and can double check let me know if any announcements are active except from our AS6128/AS6395 upstreams. If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE. ---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
We are seeing the same ting with 66.146.192.0/19 & 66.251.224.0/19. According to cyclopes this is still continuing. . . Dylan Ebner wrote:
We also received a notification that our IP block 67.135.55.0/24 (AS19629) is being annouced by AS9035. Hopefully someone is receiving my emails.
Thanks
Dylan Ebner, Network Engineer Consulting Radiologists, Ltd. 1221 Nicollet Mall, Minneapolis, MN 55403 ph. 612.573.2236 fax. 612.573.2250 dylan.ebner@crlmed.com www.consultingradiologists.com
-----Original Message----- From: Matthew Huff [mailto:mhuff@ox.com] Sent: Friday, October 09, 2009 7:28 AM To: nanog@nanog.org Subject: Invalid prefix announcement from AS9035 for 129.77.0.0/16
About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate if people have time and can double check let me know if any announcements are active except from our AS6128/AS6395 upstreams.
If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE.
---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
I just received confirmation from AS9035 that they are not annoucing my IP block. Dylan Ebner, Network Engineer -----Original Message----- From: sjk [mailto:sjk@sleepycatz.com] Sent: Friday, October 09, 2009 9:20 AM Cc: nanog@nanog.org Subject: Re: Invalid prefix announcement from AS9035 for 129.77.0.0/16 We are seeing the same ting with 66.146.192.0/19 & 66.251.224.0/19. According to cyclopes this is still continuing. . . Dylan Ebner wrote:
We also received a notification that our IP block 67.135.55.0/24 (AS19629) is being annouced by AS9035. Hopefully someone is receiving my emails.
Thanks
Dylan Ebner, Network Engineer Consulting Radiologists, Ltd. 1221 Nicollet Mall, Minneapolis, MN 55403 ph. 612.573.2236 fax. 612.573.2250 dylan.ebner@crlmed.com www.consultingradiologists.com
-----Original Message----- From: Matthew Huff [mailto:mhuff@ox.com] Sent: Friday, October 09, 2009 7:28 AM To: nanog@nanog.org Subject: Invalid prefix announcement from AS9035 for 129.77.0.0/16
About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate if people have time and can double check let me know if any announcements are active except from our AS6128/AS6395 upstreams.
If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE.
---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
Matthew Huff wrote:
About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate if people have time and can double check let me know if any announcements are active except from our AS6128/AS6395 upstreams.
If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE.
---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
Was there an explanation for the leak posted? Maybe this was a coincidence but the only prefixes I received alerts on were prefixes I only advertise to Level3. There was one exception. There was a leaked prefix that is the next /24 above on our Level3 only prefixes. -ML
On Sat, Oct 10, 2009 at 4:24 PM, ML <ml@kenweb.org> wrote:
Matthew Huff wrote:
About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate if people have time and can double check let me know if any announcements are active except from our AS6128/AS6395 upstreams.
If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE.
---- Matthew Huff | One Manhattanville Rd OTA Management LLC | Purchase, NY 10577 http://www.ox.com | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
Was there an explanation for the leak posted?
Maybe this was a coincidence but the only prefixes I received alerts on were prefixes I only advertise to Level3. There was one exception. There was a leaked prefix that is the next /24 above on our Level3 only prefixes.
-ML
on a side note, has anyone that's running any of these type of monitoring services performed any analysis or compiled any metrics on leaks? (renesys maybe?) personally, i'd be sort of interested in seeing some stats on leaks such as: origin (asn/network, country, common/exchange point) duration of leak size of leak # of upstream networks that accepted the leaked prefixes asn of networks that accepted the leak # of incidents per network/repeat offenders -ck
participants (10)
-
Adam Kennedy
-
Andrew Nusbaum
-
christian
-
Christopher Morrow
-
Dylan Ebner
-
Jim Cowie
-
Matthew Huff
-
ML
-
sjk
-
Wouter Prins