Hi, On the 5th we notice that 27048 was announcing 2 of ours /24 812 3549 209 721 27064 27047 27047 27047 27048 It lasted about 9h but didn't impact anything due to its prepend and such... My inquiry is: . False positive? . Broken 16b <=> 32b ASN's? . Human Error? . I should remove my Echelon triggering keywords from my personal .sig? ( 27048 is part of a US DoD ASN range =D ). I check around and it happened a few times in the past. ( I saw a CIDR report in 2008 where 27048 was announcing 8m+ IP's ) Let me know. -- ----- Alain Hebert ahebert@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On Tue, Mar 12, 2013 at 9:55 AM, Alain Hebert <ahebert@pubnix.net> wrote:
Hi,
On the 5th we notice that 27048 was announcing 2 of ours /24
812 3549 209 721 27064 27047 27047 27047 27048
maybe 721 doesn't have prefix AND as-path filters? (or 209 maybe?) or intentional filtering gone wrong :(
It lasted about 9h but didn't impact anything due to its prepend and such...
My inquiry is:
. False positive? . Broken 16b <=> 32b ASN's? . Human Error? . I should remove my Echelon triggering keywords from my personal .sig? ( 27048 is part of a US DoD ASN range =D ).
I check around and it happened a few times in the past. ( I saw a CIDR report in 2008 where 27048 was announcing 8m+ IP's )
Let me know.
-- ----- Alain Hebert ahebert@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Beaconsfield, Quebec H9W 6G7 Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On Mar 12, 2013, at 10:23 AM, Christopher Morrow wrote:
On Tue, Mar 12, 2013 at 9:55 AM, Alain Hebert <ahebert@pubnix.net> wrote:
Hi,
On the 5th we notice that 27048 was announcing 2 of ours /24
812 3549 209 721 27064 27047 27047 27047 27048
maybe 721 doesn't have prefix AND as-path filters? (or 209 maybe?) or intentional filtering gone wrong :(
http://puck.nether.net/bgp/leakinfo.cgi?search=do&search_prefix=&search_aspath=&search_asn=&recent=1000&source=nanog20130312 I know I see lots of these cases of intentional filtering gone wrong. eg: XO(2828) routes being leaked via a customer to Cogent(174) I didn't see anything related to 27048 in the past few years history at all, but there is bad filtering all over the place. Please combine as-path filtering with your traditional prefix-list filtering as well to block these as-paths. - Jared
participants (3)
-
Alain Hebert
-
Christopher Morrow
-
Jared Mauch