AS23456 is currently announcing a good few netblocks (which don't have a very good smtp reputation, by the way). Funny thing is, that's a special use ASN as per rfc4893, something about two octet ASNs that don't have a four octet representation. Only one upstream (airtelbroadband-as-ap, as24560) that I can see
103.7.204.0/22 103.14.208.0/22 103.23.124.0/22 103.30.12.0/22 103.245.112.0/22 111.235.148.0/22 177.55.249.0/24 186.251.192.0/21
--srs (htc one x)
At least the 103.x which are announced by airtel. The other netblocks (one Indian and two brazilian) appear unrelated though also showing as23456

--srs (htc one x)

On 03-Feb-2013 6:12 PM, "Suresh Ramasubramanian" <ops.lists@gmail.com> wrote:

> AS23456 is currently announcing a good few netblocks (which don't have a very good smtp reputation, by the way).
> Funny thing is, that's a special use ASN as per rfc4893, something about two octet ASNs that don't have a four octet representation.
> Only one upstream (airtelbroadband-as-ap, as24560) that I can see
>
> 103.7.204.0/22 103.14.208.0/22 103.23.124.0/22 103.30.12.0/22 103.245.112.0/22 111.235.148.0/22 177.55.249.0/24 186.251.192.0/21
>
> --srs (htc one x)

--
--srs (iPad)

AS23456 is what you get if your system doesn't properly support 32-bit ASNs and an AS-PATH (or peer) uses a 32-bit ASN.

There should be an extended attribute on the route that contains the full 32-bit AS-PATH called AS4_PATH associated with any such routes.

Arguably any route containing AS23456 without an AS4_PATH attribute is invalid and could be filtered. Unfortunately, routers that would display AS23456 instead of restoring the full 32-bit AS_PATH may not be able to identify this.

A properly transmitted route from a 4-byte ASN will be recovered as follows:

    91.217.86.0/23     *[BGP/170] 1w5d 09:11:37, MED 101, localpref 100
                          AS path: 8121 1299 3209 197269 I
                        > to 192.124.40.129 via ge-0/0/0.0

OTOH, you may occasionally see artifacts like this (I don't know why):

    91.217.87.0/24     *[BGP/170] 1w5d 09:10:16, MED 101, localpref 100
                          AS path: 8121 1299 174 23456 197269 I
                        > to 192.124.40.129 via ge-0/0/0.0

But if you are seeing 23456 on an AS4 capable router without at least some indication of a 4-byte ASN in the path, it's probably fishy.

On Feb 3, 2013, at 4:57 AM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:

> At least the 103.x which are announced by airtel. The other netblocks (one Indian and two brazilian) appear unrelated though also showing as23456
>
> --srs (htc one x)
>
> On 03-Feb-2013 6:12 PM, "Suresh Ramasubramanian" <ops.lists@gmail.com> wrote:
>
>> AS23456 is currently announcing a good few netblocks (which don't have a very good smtp reputation, by the way).
>> Funny thing is, that's a special use ASN as per rfc4893, something about two octet ASNs that don't have a four octet representation.
>> Only one upstream (airtelbroadband-as-ap, as24560) that I can see
>>
>> 103.7.204.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 103.14.208.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 103.23.124.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 103.30.12.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 103.245.112.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 111.235.148.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 177.55.249.0/24

Missing AS4_PATH -- Probably a spoofed/hijacked route

>> 186.251.192.0/21

Missing AS4_PATH -- Probably a spoofed/hijacked route

If you're motivated to pursue this, the best thing to do is probably to contact the last legitimate AS before 23456 in the AS-PATH and inquire.

Owen

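Added example, not part of any message in this thread and not any participant's code: the check described in the message above, which flags AS23456 in a path that carries no AS4_PATH and otherwise merges AS4_PATH into AS_PATH following the RFC 6793 rule (RFC 6793 obsoletes the RFC 4893 cited earlier). The function names and the attribute values in the sample routes are constructed for illustration, and both attributes are assumed to be flat AS_SEQUENCE lists.

```python
AS_TRANS = 23456  # 2-octet placeholder ASN (RFC 4893, obsoleted by RFC 6793)

def merge_as4_path(as_path, as4_path):
    """Rebuild the 4-octet path the way an AS4-capable speaker does.

    Simplification (assumption): both attributes are flat AS_SEQUENCE lists.
    """
    if not as4_path or len(as_path) < len(as4_path):
        return list(as_path)  # AS4_PATH absent or longer than AS_PATH: ignore it
    keep = len(as_path) - len(as4_path)
    # Leading hops come from AS_PATH, the tail is replaced by AS4_PATH.
    return list(as_path[:keep]) + list(as4_path)

def classify(as_path, as4_path=None):
    """Return (verdict, merged_path) for one received route."""
    merged = merge_as4_path(as_path, as4_path)
    if AS_TRANS not in as_path:
        return "ok", merged
    if not as4_path:
        return "suspect: AS_TRANS without AS4_PATH", merged
    if AS_TRANS in merged:
        return "partial: AS_TRANS survives the merge", merged
    return "ok: 4-octet path recovered", merged

# Constructed sample routes. Prefixes and ASNs appear in the thread; the
# AS_PATH / AS4_PATH attribute values are made up, not captured data.
SAMPLE_ROUTES = [
    ("91.217.86.0/23", [8121, 1299, 3209, 23456], [197269]),
    ("91.217.87.0/24", [8121, 1299, 174, 23456, 23456], [197269]),
    ("103.7.204.0/22", [24560, 23456], None),
]

def report(routes=SAMPLE_ROUTES):
    """Map each prefix to its (verdict, merged_path)."""
    return {prefix: classify(path, as4) for prefix, path, as4 in routes}

if __name__ == "__main__":
    for prefix, (verdict, merged) in report().items():
        print(f"{prefix:18} {verdict:38} {' '.join(map(str, merged))}")
```

The check is only meaningful on an AS4-capable collector or router; a 2-octet-only speaker shows AS23456 for every 4-octet hop regardless of whether AS4_PATH is present.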
On Sun, Feb 03, 2013 at 06:12:32PM +0530, Suresh Ramasubramanian wrote:

> AS23456 is currently announcing a good few netblocks (which don't have a very good smtp reputation, by the way).

To say the least. A quick rDNS scan reveals that those netblocks include:

    8448 addresses
    6932 return nxdomain
     512 return servfail
    1004 with rDNS entries

Those 1004 hosts with rDNS account for 36 domains:

    ainoutserver.net alphainfonet.com boxmatter.org clickcabin.com cloud-core.com contrymail.com
    coremail4you.org dealatmail.org deliver8mail.org deliverbox.org deliveryalive.org deliveryaverage.org
    emailadvisir.org emailpacts.com emailservercore.com emailvalue.co.in emailvalue.in fairmail4you.org
    financeofferpros.com globalmaildelivery.org inboxdelivery.org livemailservices.in nayasa.net newwaygain.com
    paydayloanforyou.net payloantoyou.com quickpaydaytoyou.net ready4deal.org realemail.org realemaildelivery.org
    sandeshdelivery.org sandeshfour.com sandeshone.com sandeshonline.org truemaildelivery.org warmmailcampaign.com

I'm sure they're all perfectly legitimate businesses.

---rsk

participants (3)
- Owen DeLong
- Rich Kulawiec
- Suresh Ramasubramanian