AS16387 leaking routes
Has anyone seen the strange activity from AS16387? Did they leak their entire table? Our route collectors are showing AS16387 originating large numbers of prefixes. It looks like we caught the tail end of this activity as they are now announcing updates with massive amounts of prepending. Here's an example. We have several pages worth of this.
20100215|15:17:58|1266268678678|164.128.32.11|3303|ORIGIN_CHANGE|95.79.192/19|34533|16387
Ernest McCracken
Research Assistant
Networking Research Laboratory
http://netlab.cs.memphis.edu
Computer Science Department
University of Memphis
On Mon, Feb 15, 2010 at 5:32 PM, Ernest Andrew McCracken (emccrckn) <emccrckn@memphis.edu> wrote:
> Has anyone seen the strange activity from AS16387? Did they leak their entire table? Our route collectors are showing AS16387 originating large numbers of prefixes. It looks like we caught the tail end of this activity as they are now announcing updates with massive amounts of prepending.
16387 is a uunet customer, it seems, who's only announcing (now) 2 prefixes... Robtex seems to support them only having a single upstream (701). I think 701 still prefix-lists all their customers.
You saw this through 3303 without 701 (it seems?) in the path. The original prefix looks actually like 95.79.192.0/19 in the path: 34533 16387
That looks like ESamara trying to poison their paths toward "healthy directions, LLC". Maybe ESamara saw something they disliked from this part of the network?
-Chris
There are other ASN changes as well as from other peers. Here are some just a few minutes old.
Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS
20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387
20100215|17:11:13|1266275473309|164.128.32.11|3303|PING REQUEST|198.133.160.1
20100215|17:11:14|1266275474310|164.128.32.11|3303|PING RESPONSE|198.133.160.1|NO RESPONSE
20100215|17:11:14|1266275474310|164.128.32.11|3303|PING REQUEST|198.133.160.2
20100215|17:11:15|1266275475311|164.128.32.11|3303|PING RESPONSE|198.133.160.2|NO RESPONSE
20100215|17:10:05|1266275405989|164.128.32.11|3303|ORIGIN_CHANGE|91.200.172/22|43929|16387
20100215|17:05:13|1266275113867|164.128.32.11|3303|ORIGIN_CHANGE|193.169.44/23|49381|16387
20100215|16:59:02|1266274742071|154.11.11.113|852|ORIGIN_CHANGE|20.132.1/24|21877|16387
20100215|16:55:23|1266274523372|154.11.98.225|852|ORIGIN_CHANGE|91.210.10/24|47245|16387
20100215|16:50:47|1266274247250|154.11.11.113|852|ORIGIN_CHANGE|141.197.8/23|22764|16387
all with ridiculously long paths ofc.
-Ernest McCracken
________________________________________
From: christopher.morrow@gmail.com [christopher.morrow@gmail.com] On Behalf Of Christopher Morrow [morrowc.lists@gmail.com]
Sent: Monday, February 15, 2010 4:46 PM
To: Ernest Andrew McCracken (emccrckn)
Cc: nanog@nanog.org
Subject: Re: AS16387 leaking routes
On Mon, Feb 15, 2010 at 5:32 PM, Ernest Andrew McCracken (emccrckn) <emccrckn@memphis.edu> wrote:
> Has anyone seen the strange activity from AS16387? Did they leak their entire table? Our route collectors are showing AS16387 originating large numbers of prefixes. It looks like we caught the tail end of this activity as they are now announcing updates with massive amounts of prepending.
16387 is a uunet customer, it seems, who's only announcing (now) 2 prefixes... Robtex seems to support them only having a single upstream (701). I think 701 still prefix-lists all their customers.
You saw this through 3303 without 701 (it seems?) in the path. The original prefix looks actually like 95.79.192.0/19 in the path: 34533 16387
That looks like ESamara trying to poison their paths toward "healthy directions, LLC". Maybe ESamara saw something they disliked from this part of the network?
-Chris
On Mon, Feb 15, 2010 at 6:13 PM, Ernest Andrew McCracken (emccrckn) <emccrckn@memphis.edu> wrote:
> There are other ASN changes as well as from other peers. Here are some just a few minutes old.
> Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS
> 20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387
don't know what to tell ya... I only see 2 routes from 16387 in routeviews or other places I can view routing info :( This isn't some off-by-one error type thing in your collector code?
-Chris
On Mon, Feb 15, 2010 at 9:19 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> On Mon, Feb 15, 2010 at 6:13 PM, Ernest Andrew McCracken (emccrckn) <emccrckn@memphis.edu> wrote:
>> There are other ASN changes as well as from other peers. Here are some just a few minutes old.
>> Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS
>> 20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387
> don't know what to tell ya... I only see 2 routes from 16387 in routeviews or other places I can view routing info :( This isn't some off-by-one error type thing in your collector code?
Oh, robtex seems incomplete, or RIS thinks there are other Transits for 16387: <http://www.ris.ripe.net/dashboard/16387>
sprint + 701 transit...(both filter customers)
-Chris
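
An added example, not part of the original thread or the posters' collector code: one way to triage events in the pipe-delimited format quoted above, grouping ORIGIN_CHANGE records per new origin AS across peers and run-length encoding an AS path so prepending is readable. The ORIGIN_CHANGE and PING sample lines are taken from the thread; the BGPMON_PATH line is constructed with shortened prepending, and the function names and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from itertools import groupby

# Sample events: ORIGIN_CHANGE/PING lines are from the thread; the BGPMON_PATH
# line is constructed for this example (prepending shortened to a few hops).
SAMPLE = """\
20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387
20100215|17:11:13|1266275473309|164.128.32.11|3303|PING REQUEST|198.133.160.1
20100215|17:10:05|1266275405989|164.128.32.11|3303|ORIGIN_CHANGE|91.200.172/22|43929|16387
20100215|16:59:02|1266274742071|154.11.11.113|852|ORIGIN_CHANGE|20.132.1/24|21877|16387
20100215|16:50:47|1266274247250|154.11.11.113|852|ORIGIN_CHANGE|141.197.8/23|22764|16387
20100215|15:18:58|1266268738707|164.128.32.11|3303|BGPMON_PATH|3303,3303,6453,6453,6453,8744,34533,34533,16387,16387,16387
""".splitlines()

def normalize_prefix(p):
    """Expand the collector's short form, e.g. 95.79.192/19 -> 95.79.192.0/19."""
    addr, length = p.split("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return str(ipaddress.ip_network(".".join(octets) + "/" + length))

def collapse_path(path):
    """Run-length encode an AS path so prepending shows up as (asn, count)."""
    return [(int(asn), len(list(run))) for asn, run in groupby(path.split(","))]

def origin_changes(lines):
    """Group ORIGIN_CHANGE events by the new origin AS."""
    seen = defaultdict(lambda: {"prefixes": set(), "old_origins": set(), "peers": set()})
    for line in lines:
        f = line.strip().split("|")
        if len(f) != 9 or f[5] != "ORIGIN_CHANGE":
            continue  # skip PING and path records, and malformed lines
        entry = seen[int(f[8])]
        entry["prefixes"].add(normalize_prefix(f[6]))
        entry["old_origins"].add(int(f[7]))
        entry["peers"].add(int(f[4]))
    return seen

def suspects(lines, min_prefixes=3, min_peers=2):
    """New origins that took over several prefixes as seen by several peer ASNs."""
    return sorted(asn for asn, e in origin_changes(lines).items()
                  if len(e["prefixes"]) >= min_prefixes and len(e["peers"]) >= min_peers)

if __name__ == "__main__":
    print(suspects(SAMPLE))
    print(collapse_path(SAMPLE[-1].split("|")[6]))
```

Requiring corroboration from more than one peer ASN is a cheap guard against a single-session or collector-side artifact before comparing against an independent view such as routeviews or RIS.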
participants (2)
- Christopher Morrow
- Ernest Andrew McCracken (emccrckn)