BGP Update Report
Interval: 20-Nov-14 -to- 27-Nov-14 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS12897 1394574 20.6% 199224.9 -- HEAGMEDIANET HSE Medianet GmbH,DE
2 - AS23752 300478 4.4% 2659.1 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
3 - AS9829 266609 3.9% 169.1 -- BSNL-NIB National Internet Backbone,IN
4 - AS53249 78168 1.2% 39084.0 -- LAWA-AS - Los Angeles World Airport,US
5 - AS28642 63900 0.9% 1879.4 -- Contato Internet Ltda EPP,BR
6 - AS14840 60699 0.9% 1785.3 -- COMMCORP COMUNICACOES LTDA,BR
7 - AS20940 49912 0.7% 102.9 -- AKAMAI-ASN1 Akamai International B.V.,US
8 - AS23688 44891 0.7% 760.9 -- LINK3-TECH-AS-BD-AP Link3 Technologies Ltd.,BD
9 - AS52828 44476 0.7% 1482.5 -- Netpal Internet Palmares Ltda.,BR
10 - AS8402 43028 0.6% 29.3 -- CORBINA-AS OJSC "Vimpelcom",RU
11 - AS5 38861 0.6% 7.0 -- SYMBOLICS - Symbolics, Inc.,US
12 - AS28573 37224 0.6% 27.0 -- NET Serviços de Comunicação S.A.,BR
13 - AS46573 36961 0.6% 82.1 -- GLOBAL-FRAG-SERVERS - Global Frag Networks,US
14 - AS7545 32539 0.5% 13.4 -- TPG-INTERNET-AP TPG Telecom Limited,AU
15 - AS35819 32391 0.5% 60.3 -- MOBILY-AS Etihad Etisalat Company (Mobily),SA
16 - AS45271 31119 0.5% 103.4 -- ICLNET-AS-AP Idea Cellular Limited,IN
17 - AS3 30043 0.4% 3185.0 -- MIT-GATEWAYS - Massachusetts Institute of Technology,US
18 - AS53175 30030 0.4% 968.7 -- Unetvale Servicos e Equipamentos LTDA,BR
19 - AS38197 28599 0.4% 27.4 -- SUNHK-DATA-AS-AP Sun Network (Hong Kong) Limited,HK
20 - AS39891 27349 0.4% 98.0 -- ALJAWWALSTC-AS Saudi Telecom Company JSC,SA

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS12897 1394574 20.6% 199224.9 -- HEAGMEDIANET HSE Medianet GmbH,DE
2 - AS53249 78168 1.2% 39084.0 -- LAWA-AS - Los Angeles World Airport,US
3 - AS23342 22191 0.3% 22191.0 -- UNITEDLAYER - Unitedlayer, Inc.,US
4 - AS3181 10938 0.2% 10938.0 -- ASN-MATRIXMOBILE CJSC "Matrix Mobile",RU
5 - AS18135 9065 0.1% 9065.0 -- BTV BTV Cable television,JP
6 - AS3 23868 0.3% 1306.0 -- MIT-GATEWAYS - Massachusetts Institute of Technology,US
7 - AS37425 15898 0.2% 7949.0 -- Somcable,SO
8 - AS60725 22790 0.3% 7596.7 -- O3B-AS O3b Limited,JE
9 - AS62174 4824 0.1% 4824.0 -- INTERPAN-AS INTERPAN LTD.,BG
10 - AS25003 19994 0.3% 3998.8 -- INTERNET_BINAT Internet Binat Ltd,IL
11 - AS16065 2702 0.0% 2702.0 -- AS16065 Redimi AS,NL
12 - AS23752 300478 4.4% 2659.1 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
13 - AS5 38861 0.6% 7.0 -- SYMBOLICS - Symbolics, Inc.,US
14 - AS55657 2147 0.0% 2147.0 -- XNS-AS-ID Xtreme Network System, PT,ID
15 - AS4 21237 0.3% 871.0 -- ISI-AS - University of Southern California,US
16 - AS28642 63900 0.9% 1879.4 -- Contato Internet Ltda EPP,BR
17 - AS58599 5559 0.1% 1853.0 -- CYBERGATE-BD Cybergate Limited,BD
18 - AS14840 60699 0.9% 1785.3 -- COMMCORP COMUNICACOES LTDA,BR
19 - AS4 5345 0.1% 1437.0 -- ISI-AS - University of Southern California,US
20 - AS4 8784 0.1% 2303.0 -- ISI-AS - University of Southern California,US

TOP 20 Unstable Prefixes
Rank Prefix Upds % Origin AS -- AS Name
1 - 94.16.72.0/21 200960 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
2 - 94.16.64.0/21 200914 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
3 - 94.16.80.0/20 200901 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
4 - 194.99.108.0/23 199280 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
5 - 194.127.204.0/23 199121 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
6 - 194.45.104.0/23 197850 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
7 - 185.9.28.0/22 195548 2.8% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
8 - 202.70.88.0/21 150476 2.2% AS23752 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
9 - 202.70.64.0/21 146967 2.1% AS23752 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
10 - 198.140.114.0/24 39116 0.6% AS53249 -- LAWA-AS - Los Angeles World Airport,US
11 - 198.140.115.0/24 39052 0.6% AS53249 -- LAWA-AS - Los Angeles World Airport,US
12 - 196.43.157.0/24 38349 0.6% AS5 -- SYMBOLICS - Symbolics, Inc.,US
13 - 130.0.192.0/21 23862 0.3% AS3 -- MIT-GATEWAYS - Massachusetts Institute of Technology,US
14 - 64.29.130.0/24 22191 0.3% AS23342 -- UNITEDLAYER - Unitedlayer, Inc.,US
15 - 192.115.44.0/22 19986 0.3% AS25003 -- INTERNET_BINAT Internet Binat Ltd,IL
16 - 162.249.183.0/24 11921 0.2% AS60725 -- O3B-AS O3b Limited,JE
17 - 5.8.168.0/23 10938 0.2% AS3181 -- ASN-MATRIXMOBILE CJSC "Matrix Mobile",RU
18 - 185.26.155.0/24 10851 0.2% AS60725 -- O3B-AS O3b Limited,JE
19 - 14.0.59.0/24 10546 0.1% AS36408 -- CDNETWORKSUS-02 - CDNetworks Inc.,US
20 - 192.58.232.0/24 10407 0.1% AS6629 -- NOAA-AS - NOAA,US

Details at http://bgpupdates.potaroo.net
------------------------------------
Copies of this report are mailed to:
nanog@nanog.org
eof-list@ripe.net
apops@apops.net
routing-wg@ripe.net
afnog@afnog.org

cidr-report writes:
BGP Update Report
Interval: 20-Nov-14 -to- 27-Nov-14 (7 days)
Observation Point: BGP Peering with AS131072
TOP 20 Unstable Origin AS
Rank ASN Upds % Upds/Pfx AS-Name
[...]
11 - AS5 38861 0.6% 7.0 -- SYMBOLICS - Symbolics, Inc.,US
Disappointing to see Symbolics (AS5) on this list. I would expect these Lisp Machines to have very stable BGP implementations, especially given the leisurely release rhythm for Genera for the past few decades. Has the size of the IPv4 unicast table started triggering global GCs?

Seriously, all these low-numbered ASes in the report look fishy. I would have liked this to be an artifact of the reporting software (maybe an issue with 4-byte ASes?), but I do see some strange paths in the BGP table that make it look like (accidental or malicious) hijacking of these low-numbered ASes.

Now the fact that these AS numbers are low makes me curious. If I wanted to hijack other folks' ASes deliberately, I would probably avoid such numbers because they stand out. Maybe these are just non-standard "private-use" ASes that are leaked?

Some suspicious paths I'm seeing right now:

133439 5
197945 4

Hm, maybe 32-bit ASes do have something to do with this... Any ideas?
-- Simon. (Just curious)
[...]
17 - AS3 30043 0.4% 3185.0 -- MIT-GATEWAYS - Massachusetts Institute of Technology,US [...]
TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN Upds % Upds/Pfx AS-Name
[...]
13 - AS5 38861 0.6% 7.0 -- SYMBOLICS - Symbolics, Inc.,US
[...]
15 - AS4 21237 0.3% 871.0 -- ISI-AS - University of Southern California,US
[...]
19 - AS4 5345 0.1% 1437.0 -- ISI-AS - University of Southern California,US
20 - AS4 8784 0.1% 2303.0 -- ISI-AS - University of Southern California,US

"Simon" == Simon Leinen <simon.leinen@switch.ch> writes:
Simon> Some suspicious paths I'm seeing right now:
Simon> 133439 5
Simon> 197945 4

my bet is on someone using the syntax "prepend asnX timesY" on a router that instead wants "prepend asnX asnX...."
-- Pierfrancesco Caci, ik5pvx

Do these people never check what exactly they end up originating outbound due to a config change, if that's really the case?

On 11/30/2014 11:24 PM, Pierfrancesco Caci wrote:
"Simon" == Simon Leinen <simon.leinen@switch.ch> writes:
Simon> Some suspicious paths I'm seeing right now:
Simon> 133439 5
Simon> 197945 4
my bet is on someone using the syntax "prepend asnX timesY" on a router that instead wants "prepend asnX asnX...."
On 11/30/2014 11:26 AM, Valdis.Kletnieks@vt.edu wrote:
On Mon, 01 Dec 2014 00:53:07 +0900, "Paul S." said:
Do these people never check what exactly they end up originating outbound due to a config change, if that's really the case?
You're new here, aren't you? :)
Thank you, I needed the laugh. Sometimes, getting the idea that checking one's work is necessary proves to be a hard lesson to teach to some of those young whippersnappers. I live and work in Reno NV, so I put the lesson in terms they can understand: "A triple check beats a double-cross." This is sufficiently annoying to people that they do indeed check their work...so they don't have to listen to me spout this cliche when things get screwed up.
On Mon, Dec 01, 2014 at 12:53:07AM +0900, Paul S. wrote:
Do these people never check what exactly they end up originating outbound due to a config change, if that's really the case?
Of course not because their neighbors are allowing it to pass; so as with all hijacks, deaggregation, and other unfiltered noise, the only care is traffic going in and out. QA (let alone automated sanity checks) are alien concepts to many, and "well it works" is the answer from some when contacted.

It smells like this is as PF surmises and might just be folks amenable to fixing it when contacted. We'll see...

Cheers!
Joe
-- RSUC / GweepNet / Spunk / FnB / CotSG / Usenix / NANOG

----- Original Message -----
From: "Joe Provo" <nanog-post@rsuc.gweep.net>
On Mon, Dec 01, 2014 at 12:53:07AM +0900, Paul S. wrote:
Do these people never check what exactly they end up originating outbound due to a config change, if that's really the case?
Of course not because their neighbors are allowing it to pass; so as with all hijacks, deaggregation, and other unfiltered noise, the only care is traffic going in and out. QA (let alone automated sanity checks) are alien concepts to many, and "well it works" is the answer from some when contacted.
That's sort of the BGP equivalent to BCP38 filtering, isn't it?

Cheers, -- jra
-- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274

I’m not new here but the thread caught my eye, as I am one of the lower ASs being mentioned. I guess there isn’t really anything one can do to prevent these things other than listening to route servers, etc. I guess it’s all on what the upstream decides to allow-in and re-advertise.

Jason

Jason Bothe, Manager of Networking
o +1 713 348 5500
m +1 713 703 3552
jason@rice.edu

On 30, Nov 2014, at 2:37 PM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Joe Provo" <nanog-post@rsuc.gweep.net>
On Mon, Dec 01, 2014 at 12:53:07AM +0900, Paul S. wrote:
Do these people never check what exactly they end up originating outbound due to a config change, if that's really the case?
Of course not because their neighbors are allowing it to pass; so as with all hijacks, deaggregation, and other unfiltered noise, the only care is traffic going in and out. QA (let alone automated sanity checks) are alien concepts to many, and "well it works" is the answer from some when contacted.
That's sort of the BGP equivalent to BCP38 filtering, isn't it?
Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
.-- My secret spy satellite informs me that at 2014-11-30 6:24 AM Pierfrancesco Caci wrote:
"Simon" == Simon Leinen <simon.leinen@switch.ch> writes:
Simon> Some suspicious paths I'm seeing right now:
Simon> 133439 5 Simon> 197945 4
my bet is on someone using the syntax "prepend asnX timesY" on a router that instead wants "prepend asnX asnX...."
I agree. When looking at distribution of ASns that appear to be hijacking prefixes, the lower number ASns stand out. AS1,2,3,4,5 are common. When looking closer, the next-hop AS is typically the 'expected' AS, which would confirm the prepend theory.

185.78.114.0/24 was announced as ".* 47551 5" but now as ".* 47551". I guess they found out the 5x prepending didn't work as expected.

AS3 (MIT) seems to be particularly popular, probably by folks who attempt to prepend 3 times. Here's a current example:

212.69.8.0/23 [BGP/170] 6d 05:45:32, MED 22007, localpref 100
AS path: 3356 15958 52116 3 I

This is a prefix in Serbia, routes to Serbia and doesn't seem to be related to MIT (AS3) at all.

Another example: AS35819, Etihad Etisalat was originating some of its prefixes as AS1 earlier this week as well.
https://twitter.com/bgpmon/status/537062576002064385

Just a few examples.

Cheers,
Andree

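Added example, not part of the thread and not any participant's code: the check Andree describes (origin is a tiny AS number while the AS just before it is the expected origin), written as a small classifier over observed AS paths. The expected-origin table, the 64496-64511 documentation ASNs standing in for ".*", and the threshold of 16 are assumptions made for the illustration.

```python
import re

MAX_PREPEND_COUNT = 16  # assumption: a prepend count mistaken for an ASN is small

def parse_as_path(text):
    """Turn 'AS path: 3356 15958 52116 3 I' or '64500 47551 5' into a list of ints.
    The trailing origin code (I, E, ?) is dropped because it has no digits."""
    text = text.split(":", 1)[-1]
    return [int(tok) for tok in re.findall(r"\b\d+\b", text)]

def classify(prefix, path_text, expected_origin):
    """Return 'ok', 'prepend-typo', 'origin-mismatch' or 'unknown'."""
    path = parse_as_path(path_text)
    # Collapse legitimate prepending: consecutive repeats of the same AS.
    hops = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
    want = expected_origin.get(prefix)
    if not hops or want is None:
        return "unknown"
    origin = hops[-1]
    if origin == want:
        return "ok"
    # Signature of "prepend asnX timesY" read as "prepend asnX asnY":
    # the real origin is still present, one hop left of a small number.
    if len(hops) >= 2 and hops[-2] == want and origin <= MAX_PREPEND_COUNT:
        return "prepend-typo"
    return "origin-mismatch"

# Expected origins would normally come from IRR or ROA data.
EXPECTED = {
    "212.69.8.0/23": 52116,    # assumed from the path quoted in the post
    "185.78.114.0/24": 47551,  # the post shows it later announced as ".* 47551"
    "192.0.2.0/24": 64496,     # constructed
    "198.51.100.0/24": 64497,  # constructed
}

OBSERVED = [
    ("212.69.8.0/23", "AS path: 3356 15958 52116 3 I"),  # from the post
    ("185.78.114.0/24", "64500 47551 5"),     # ".* 47551 5", upstream constructed
    ("185.78.114.0/24", "64500 47551"),       # after the fix
    ("192.0.2.0/24", "64500 64496 64496 64496"),  # constructed: real prepending
    ("198.51.100.0/24", "64500 64499"),       # constructed: unrelated origin
]

def report():
    return [(p, classify(p, t, EXPECTED)) for p, t in OBSERVED]

if __name__ == "__main__":
    for prefix, verdict in report():
        print(prefix, verdict)
```

Run against a router's own outbound advertisements before a policy change goes live, the same function serves as the automated sanity check Joe Provo mentions.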
participants (10)
- Andree Toonk
- cidr-report@potaroo.net
- Jason Bothe
- Jay Ashworth
- Joe Provo
- Paul S.
- Pierfrancesco Caci
- Simon Leinen
- Stephen Satchell
- Valdis.Kletnieks@vt.edu