Prefix hijack by INDOSAT AS4795 / AS4761
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?

198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889

-- Randy
On Thu, Mar 26, 2015 at 10:08 AM, Randy <amps@djlab.com> wrote:
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
-- Randy
On Thu, Mar 26, 2015 at 10:38 AM, Randy <amps@djlab.com> wrote:
On 03/26/2015 7:27 am, Christopher Morrow wrote:
is your AS in the path below? (what is your AS so folk can check for your prefixes/customer-prefixes and attempt to help?)
Sorry, we're 29889.
ok, and it looks like the path you clipped is:

198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889

possibly LAIX is passing along your /24 you didn't mean them to pass on?
All,

Info gathered off-list indicates this may be a couple of issues in our case - possible routing leak by 18978 (check your tables!) and more specifics on our prefixes from 4795 that we couldn't see before the leak hence the apparent hijack.

-- ~Randy
Hi Randy,

Assuming that your prefix is 198.98.180.0/22 (AS29889 - FSNET-1 - Fast Serv Networks, LLC) none of the mentioned more specifics are currently seen from the RIPE NCC's RIS network, see the Looking Glass widget:

https://stat.ripe.net/198.98.180.0/23#tabId=routing
https://stat.ripe.net/198.98.182.0/23#tabId=at-a-glance

though there has been some BGP activity going on since 11:49:42, see the BGPlay and BGP Update Activity widget. In both cases the originating ASN was AS29889.

Cheers,
Christian

On 26/03/15 15:46, Randy wrote:
All,
Info gathered off-list indicates this may be a couple of issues in our case - possible routing leak by 18978 (check your tables!) and more specifics on our prefixes from 4795 that we couldn't see before the leak hence the apparent hijack.
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.

108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy
Sent: March-26-15 10:08 AM
To: nanog@nanog.org
Subject: Prefix hijack by INDOSAT AS4795 / AS4761

On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?

198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889

-- Randy
On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <rocca@start.ca> wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
common point looks like LAIX ? their routeserver go crazy perhaps? or did they change in/out prefix management information?
We are AS 10326 130.215.0.0/16 and I just received a BGPmon alert as well:

130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326
130.215.176.0/20 4795 4795 4761 9304 40633 18978 4436 10326

On Thu, Mar 26, 2015 at 10:45:09AM -0400, Christopher Morrow wrote:
On Thu, Mar 26, 2015 at 10:43 AM, Peter Rocca <rocca@start.ca> wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
common point looks like LAIX ? their routeserver go crazy perhaps? or did they change in/out prefix management information?
Same here. These Indosat guys can't seem to catch a break =/

On 3/26/2015 11:43 PM, Peter Rocca wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
Hi List,

this morning our BGPmon system picked up many new more specific announcements by a variety of Origin ASns, the interesting part is that the majority of them were classified as BGP Man In The middle attacks (MITM).

A typical alert would look like:

====================================================================
Possible BGP MITM attack (Code: 21)
====================================================================
Your prefix: 23.20.0.0/15:
Prefix Description: acxiom-online.com --- Amazon EC2 IAD prefix
Update time: 2015-03-26 11:27 (UTC)
Detected by #peers: 24
Detected prefix: 23.21.112.0/20
Announced by: AS14618 (AMAZON-AES - Amazon.com, Inc.,US)
Upstream AS: AS3257 (TINET-BACKBONE Tinet SpA,DE)
ASpath: 4608 24130 7545 6939 40633 18978 3257 14618

All alerts have the following part of the AS Path in common: 40633 1897

We're still looking into the details of these particular cases, but based on past experience it's likely that it is not in fact 14618 AWS, that originated this more specific (in this example), but most likely 18978 (or 40633), which leaked it to AS40633 Los Angeles Internet exchange, where others picked it up and propagated it to their customers.

In the past we've seen similar issues caused by BGP traffic optimizers. These devices introduce new more specifics (try to keep the ASpath intact) for Traffic engineering purposes, and then folks leak those. A good write up of a previous example can be found here: http://www.bgpmon.net/accidentally-stealing-the-internet/

A quick scan shows that this affected over 5000 prefixes and about 145 Autonomous systems. All of these appear to be more specific prefixes (which is the scary part).

Cheers,
Andree

PS. It appears this is not related to INDOSAT, they just happen to be one of the peers that picked this up.

.-- My secret spy satellite informs me that at 2015-03-26 7:43 AM Peter Rocca wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
+1

The summary below aligns with our analysis as well.

We've reached out to AS18978 to determine the status of the leak but at this time we're not seeing any operational impact.

-----Original Message-----
From: Andree Toonk [mailto:andree+nanog@toonk.nl]
Sent: March-26-15 11:54 AM
To: Peter Rocca
Cc: nanog@nanog.org
Subject: Re: Prefix hijack by INDOSAT AS4795 / AS4761

Hi List,

this morning our BGPmon system picked up many new more specific announcements by a variety of Origin ASns, the interesting part is that the majority of them were classified as BGP Man In The middle attacks (MITM).

A typical alert would look like:

====================================================================
Possible BGP MITM attack (Code: 21)
====================================================================
Your prefix: 23.20.0.0/15:
Prefix Description: acxiom-online.com --- Amazon EC2 IAD prefix
Update time: 2015-03-26 11:27 (UTC)
Detected by #peers: 24
Detected prefix: 23.21.112.0/20
Announced by: AS14618 (AMAZON-AES - Amazon.com, Inc.,US)
Upstream AS: AS3257 (TINET-BACKBONE Tinet SpA,DE)
ASpath: 4608 24130 7545 6939 40633 18978 3257 14618

All alerts have the following part of the AS Path in common: 40633 1897

We're still looking into the details of these particular cases, but based on past experience it's likely that it is not in fact 14618 AWS, that originated this more specific (in this example), but most likely 18978 (or 40633), which leaked it to AS40633 Los Angeles Internet exchange, where others picked it up and propagated it to their customers.

In the past we've seen similar issues caused by BGP traffic optimizers. These devices introduce new more specifics (try to keep the ASpath intact) for Traffic engineering purposes, and then folks leak those. A good write up of a previous example can be found here: http://www.bgpmon.net/accidentally-stealing-the-internet/

A quick scan shows that this affected over 5000 prefixes and about 145 Autonomous systems. All of these appear to be more specific prefixes (which is the scary part).

Cheers,
Andree

PS. It appears this is not related to INDOSAT, they just happen to be one of the peers that picked this up.

.-- My secret spy satellite informs me that at 2015-03-26 7:43 AM Peter Rocca wrote:
We just received a similar alert from bgpmon - part of 108.168.0.0/17 is being advertised as /20's - although we're still listed as the origin. We are 40788.
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.80.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.96.0/20 4795 4795 4761 9304 40633 18978 6939 40788
108.168.112.0/20 4795 4795 4761 9304 40633 18978 6939 40788
On 03/26/2015 9:00 am, Peter Rocca wrote:
+1
The summary below aligns with our analysis as well.
We've reached out to AS18978 to determine the status of the leak but at this time we're not seeing any operational impact.
+2, after the morning coffee sunk in and helpful off list replies I can finally see it's probably not INDOSAT involved at all.

FYI, the more specifics are still active:

2015-03-26 13:56:11 Update AS4795 ID 198.98.180.0/23 4795 4795 4761 9304 40633 18978 6939 29889 Active
2015-03-26 13:56:11 Update AS4795 ID 198.98.182.0/23 4795 4795 4761 9304 40633 18978 6939 29889 Active

-- ~Randy
This should be resolved from AS18978. If you experience anything else please let me know and I will get it addressed immediately.

Regards,
Nick Rose
CTO @ Enzu Inc.

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy
Sent: Thursday, March 26, 2015 12:14 PM
To: Peter Rocca
Cc: nanog@nanog.org
Subject: RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]

On 03/26/2015 9:00 am, Peter Rocca wrote:
+1
The summary below aligns with our analysis as well.
We've reached out to AS18978 to determine the status of the leak but at this time we're not seeing any operational impact.
+2, after the morning coffee sunk in and helpful off list replies I can finally see it's probably not INDOSAT involved at all.

FYI, the more specifics are still active:

2015-03-26 13:56:11 Update AS4795 ID 198.98.180.0/23 4795 4795 4761 9304 40633 18978 6939 29889 Active
2015-03-26 13:56:11 Update AS4795 ID 198.98.182.0/23 4795 4795 4761 9304 40633 18978 6939 29889 Active

-- ~Randy
Several people asked me off list for more details, here is what I have regarding it.

This morning a tier2 isp that connects to our network made an error in their router configuration causing the route leakage. The issue has been addressed and we will be performing a full post mortem to ensure this does not happen again. While investigating the issue we did find that the noction appliance stopped advertising the no export community string with its advertisements which is why certain prefixes were also seen.

Regards,
Nick Rose
CTO @ Enzu Inc.

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Nick Rose
Sent: Thursday, March 26, 2015 3:49 PM
To: amps@djlab.com; Peter Rocca
Cc: nanog@nanog.org
Subject: RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]

This should be resolved from AS18978. If you experience anything else please let me know and I will get it addressed immediately.

Regards,
Nick Rose
CTO @ Enzu Inc.
Wouldn't it be a BCP to set no-export from the Noction device too?

On 3/26/2015 6:20 PM, Nick Rose wrote:
Several people asked me off list for more details, here is what I have regarding it.
This morning a tier2 isp that connects to our network made an error in their router configuration causing the route leakage. The issue has been addressed and we will be performing a full post mortem to ensure this does not happen again. While investigating the issue we did find that the noction appliance stopped advertising the no export community string with its advertisements which is why certain prefixes were also seen.
Regards, Nick Rose CTO @ Enzu Inc.
On Thu, Mar 26, 2015 at 11:26:07PM -0400, ML wrote:
On 3/26/2015 6:20 PM, Nick Rose wrote:
While investigating the issue we did find that the noction appliance stopped advertising the no export community string with its advertisements which is why certain prefixes were also seen.
Wouldn't it be a BCP to set no-export from the Noction device too?
Sure, but even that might not always prevent the fake paths from leaking to your eBGP neighbors. For instance, not too long ago there was this bug:

"Routes learned with the no-export community from an iBGP neighbor are being advertised to eBGP neighbors. This may occur on Cisco ASR 9000 Series Aggregation Services Routers." (don't remember BugID)

In other words: it can happen to the best of us.

You should not lie to yourself by inserting fake more-specific paths into routing tables. The moment your lies somehow manage to escape into the default-free-zone you are taking other businesses down. Whether the leak is caused by a bug in the router's software or human error, destroying other people's online presence is far beyond acceptable.

If the same leak would've happened /without/ the fake more-specifics, it'd still be an issue, but the collateral damage would have been dampened. The leaked paths would have to compete with the normal paths and best-path selectors like as-path length apply.

Using software to insert fake more-specific paths into your routing domain should be discouraged and frowned upon.

Kind regards,

Job
On 27/Mar/15 12:03, Job Snijders wrote:
Sure, but even that might not always prevent the fake paths from leaking to your eBGP neighbors. For instance, not too long ago there was this bug:
"Routes learned with the no-export community from an iBGP neighbor are being advertised to eBGP neighbors. This may occur on Cisco ASR 9000 Series Aggregation Services Routers." (don't remember BugID)
In other words: it can happen to the best of us.
Your upstream could also re-write any BGP communities you attach to your BGP updates; so unless co-ordinated, there is no real guarantee a NO_EXPORT community will be maintained/honoured within your upstream's network.

Mark.
I guess AS18978 didn't learn from their mistake. Got a slew of identical bgpmon alerts for withdrawals and more specifics within the last 30 minutes. Worse than last time.

Some still active, like:

update time (UTC) Update Type Probe ASn Probe Location Prefix AS path Cleared Duration
2015-03-26 12:18:41 Update AS4795 ID 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889 Active

On 03/26/2015 8:26 pm, ML wrote:
Wouldn't it be a BCP to set no-export from the Noction device too?
Ignore my noise, I don't think there was new activity today (although something weird def. happened). BGPmon list was sorted by wrong column and I mixed the dates up. Although it's still showing as active since March which I thought said provider resolved...

On 03/26/2015 8:26 pm, ML wrote:
Wouldn't it be a BCP to set no-export from the Noction device too?
Hi, 2015-03-26 15:08 GMT+01:00 Randy <amps@djlab.com>:
On Thursday March 26th 2015 at 12:18 UTC (and on-going) we are seeing more specifics on one of our prefixes. Anyone else seeing similar or is it just us?
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
We (as3215) are seeing almost the same path with 40633 18978 3257 3215, for some quite a lot of prefixes.

Some alerts from bgpmon:

193.251.32.0/20 271 6939 40633 18978 3257 3215
193.251.32.0/20 271 6939 40633 18978 3257 3215

We are not directly connected to 3257. Looks like 18978 deaggregated to /20 and reannounced to 40633 (LAIX).

Rgds,
pierre
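The kind of check the alerts in this thread rely on, as an added example (not code from BGPmon or from any poster): flag announcements that are more specific than a known covering prefix, then find the AS-path segment that all of them share. The covering prefixes, origins and paths are taken from the messages above; the final baseline line and all function names are constructed for illustration.

```python
import ipaddress

# Covering prefixes and origin ASNs as the posters state them in the thread.
EXPECTED = {
    ipaddress.ip_network("198.98.180.0/22"): 29889,
    ipaddress.ip_network("108.168.0.0/17"): 40788,
    ipaddress.ip_network("130.215.0.0/16"): 10326,
    ipaddress.ip_network("23.20.0.0/15"): 14618,
}

# "prefix as-path" lines quoted in the thread. The last line is constructed:
# a baseline announcement of a covering prefix (64496 is a documentation ASN).
OBSERVED = """\
198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889
198.98.182.0/23 4795 4795 4761 9304 40633 18978 4436 29889
108.168.64.0/20 4795 4795 4761 9304 40633 18978 6939 40788
130.215.160.0/20 4795 4795 4761 9304 40633 18978 4436 10326
23.21.112.0/20 4608 24130 7545 6939 40633 18978 3257 14618
198.98.180.0/22 64496 4436 29889
"""


def parse(line):
    """Split one 'prefix asn asn ...' line into (network, [asn, ...])."""
    prefix, *path = line.split()
    return ipaddress.ip_network(prefix), [int(asn) for asn in path]


def collapse_prepends(path):
    """Drop consecutive repeats (AS-path prepending), e.g. 4795 4795 -> 4795."""
    return [asn for i, asn in enumerate(path) if i == 0 or path[i - 1] != asn]


def more_specifics(text, expected=EXPECTED):
    """Return an alert for every announcement strictly inside a covering prefix."""
    alerts = []
    for line in filter(str.strip, text.splitlines()):
        net, path = parse(line)
        for cover, origin in expected.items():
            if (net.version == cover.version
                    and net.prefixlen > cover.prefixlen
                    and net.subnet_of(cover)):
                alerts.append({
                    "prefix": net,
                    "covering": cover,
                    "path": collapse_prepends(path),
                    # True means the origin ASN looks legitimate, which is
                    # why an origin-only check does not catch this leak.
                    "origin_ok": path[-1] == origin,
                })
    return alerts


def contains(path, segment):
    """True if segment occurs as a contiguous run inside path."""
    n = len(segment)
    return any(path[i:i + n] == segment for i in range(len(path) - n + 1))


def common_segment(paths):
    """Longest contiguous AS sequence present in every path ([] if none)."""
    if not paths:
        return []
    first = paths[0]
    for length in range(len(first), 0, -1):
        for start in range(len(first) - length + 1):
            segment = first[start:start + length]
            if all(contains(p, segment) for p in paths):
                return segment
    return []


def analyse(text=OBSERVED):
    alerts = more_specifics(text)
    return alerts, common_segment([a["path"] for a in alerts])


if __name__ == "__main__":
    alerts, segment = analyse()
    for a in alerts:
        print(a["prefix"], "inside", a["covering"], "origin_ok:", a["origin_ok"])
    print("common AS-path segment:", segment)
```

Every flagged route keeps the expected origin, so the shared path segment rather than the origin is what localises the leak.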
participants (12)
- Andree Toonk
- Christian Teuschel
- Christopher Morrow
- Chuck Anderson
- Job Snijders
- Mark Tinka
- ML
- Nick Rose
- Paul S.
- Peter Rocca
- Pierre Emeriaud
- Randy