Cogent leaking /32s?
I received an alert from Cyclops telling me a probe in AS513 had seen a /32 that I announce to Cogent for one of our BGP sessions. Did anyone else see this?
We had a problem with cogent about a year ago. Somehow.. cymru was announcing a /32 of ours and black holing it for whatever reason. It was removed but wasn't happy that cogent was allowing cymru to do this sort of action. To this date we do not have a valid reason from cogent on why they allowed this to happen.
Cheers, Zak Thompson
-----Original Message-----
From: ML [mailto:ml@kenweb.org]
Sent: Friday, October 02, 2009 7:23 AM
To: nanog@nanog.org
Subject: Cogent leaking /32s?
I received an alert from Cyclops telling me a probe in AS513 had seen a /32 that I announce to Cogent for one of our BGP sessions. Did anyone else see this?
We had a problem with cogent about a year ago. Somehow.. cymru was announcing a /32 of ours and black holing it for whatever reason. It was removed but wasn't happy that cogent was allowing cymru to do this sort of action. To this date we do not have a valid reason from cogent on why they allowed this to happen.
Of course, if it was accidental, then there wouldn't be a "valid reason" why "they allowed." It could be more helpful to indicate what they did tell you.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
If there is DDoS attack going on from/to specific /32, sometimes they do that to avoid too much overload for the network. Cogent should give the answer for what's going on.
Alex
Zak Thompson wrote:
We had a problem with cogent about a year ago. Somehow.. cymru was announcing a /32 of ours and black holing it for whatever reason. It was removed but wasn't happy that cogent was allowing cymru to do this sort of action. To this date we do not have a valid reason from cogent on why they allowed this to happen.
Cheers, Zak Thompson
-----Original Message-----
From: ML [mailto:ml@kenweb.org]
Sent: Friday, October 02, 2009 7:23 AM
To: nanog@nanog.org
Subject: Cogent leaking /32s?
I received an alert from Cyclops telling me a probe in AS513 had seen a /32 that I announce to Cogent for one of our BGP sessions.
Did anyone else see this?
On Friday, 02 October 2009 at 11:01 -0500, Alex H. Ryu wrote:
If there is DDoS attack going on from/to specific /32, sometimes they do that to avoid too much overload for the network. Cogent should give the answer for what's going on.
Generally, such is kept in-AS (null-routing or routing to some other sink of choice).
mh
Alex
Zak Thompson wrote:
We had a problem with cogent about a year ago. Somehow.. cymru was announcing a /32 of ours and black holing it for whatever reason. It was removed but wasn't happy that cogent was allowing cymru to do this sort of action. To this date we do not have a valid reason from cogent on why they allowed this to happen.
Cheers, Zak Thompson
-----Original Message-----
From: ML [mailto:ml@kenweb.org]
Sent: Friday, October 02, 2009 7:23 AM
To: nanog@nanog.org
Subject: Cogent leaking /32s?
I received an alert from Cyclops telling me a probe in AS513 had seen a /32 that I announce to Cogent for one of our BGP sessions.
Did anyone else see this?
-- michael hallgren, mh2198-ripe
On Fri, 2 Oct 2009, ML wrote:
I received an alert from Cyclops telling me a probe in AS513 had seen a /32 that I announce to Cogent for one of our BGP sessions.
Did anyone else see this?
Are you relying on the /24 filtering "everybody" does, or did you announce it to them with NO-EXPORT set?
-- Mikael Abrahamsson email: swmike@swm.pp.se
Yes, I absolutely love the /24 filtering "everybody" does. Internet littering at its best.
http://thyme.apnic.net/current/data-badpfx-nos
Clue
On Fri, Oct 2, 2009 at 10:36 AM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
On Fri, 2 Oct 2009, ML wrote:
I received an alert from Cyclops telling me a probe in AS513 had seen a /32
that I announce to Cogent for one of our BGP sessions.
Did anyone else see this?
Are you relying on the /24 filtering "everybody" does, or did you announce it to them with NO-EXPORT set?
-- Mikael Abrahamsson email: swmike@swm.pp.se
On Friday, 02 October 2009 at 10:54 -0500, Clue Store wrote:
Yes, I absolutely love the /24 filtering "everybody" does. Internet littering at its best.
Yes, nice...
mh
Clue
On Fri, Oct 2, 2009 at 10:36 AM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
On Fri, 2 Oct 2009, ML wrote:
I received an alert from Cyclops telling me a probe in AS513 had seen a /32
that I announce to Cogent for one of our BGP sessions.
Did anyone else see this?
Are you relying on the /24 filtering "everybody" does, or did you announce it to them with NO-EXPORT set?
-- Mikael Abrahamsson email: swmike@swm.pp.se
-- michael hallgren, mh2198-ripe
On Fri, Oct 02, 2009 at 10:54:13AM -0500, Clue Store wrote:
Yes, I absolutely love the /24 filtering "everybody" does. Internet littering at its best.
There is no rule that says you have to filter at /24, or that no other network may ever advertise something longer. This issue is probably best expressed as "you are highly unlikely to have full global Internet reachability if you announce something longer than a /24", not "you are highly unlikely to have anyone accept your announcement if it is longer than a /24".
--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Richard A Steenbergen wrote:
On Fri, Oct 02, 2009 at 10:54:13AM -0500, Clue Store wrote:
Yes, I absolutely love the /24 filtering "everybody" does. Internet littering at its best.
There is no rule that says you have to filter at /24, or that no other network may ever advertise something longer. This issue is probably best expressed as "you are highly unlikely to have full global Internet reachability if you announce something longer than a /24", not "you are highly unlikely to have anyone accept your announcement if it is longer than a /24".
Just to clarify it was a /32 for Cogent A/B peering. When I set it up they didn't recommend setting no-export.
ML <ml@kenweb.org> writes:
I received an alert from Cyclops telling me a probe in AS513 had seen a /32 that I announce to Cogent for one of our BGP sessions.
Did anyone else see this?
cyclops alerted me that the /32s my routers use got announced. I'm still trying to figure out what's up. They're not routes I announce, and as far as I can tell, they were announced with a cern next hop.
seph
I called cogent. Best guess is that they leaked the /32 announcements that people do for the peer a/b stuff. They normally filter them, and don't have any recommendation about whether or not to set no export.
seph
seph <seph@directionless.org> writes:
ML <ml@kenweb.org> writes:
I received an alert from Cyclops telling me a probe in AS513 had seen a /32 that I announce to Cogent for one of our BGP sessions.
Did anyone else see this?
cyclops alerted me that the /32s my routers use got announced. I'm still trying to figure out what's up. They're not routes I announce, and as far as I can tell, they were announced with a cern next hop.
seph
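Added example, not part of any message in this thread: a sketch of the check a route monitor performs when it raises the kind of alert discussed above, flagging a session-only /32 that is visible from an AS other than the upstream it was announced to. The observation field names, the documentation prefixes and the ASNs 64496 and 64500 are assumptions; only the probe AS 513 comes from the thread.

```python
import ipaddress

NO_EXPORT = "65535:65281"  # well-known NO_EXPORT community (RFC 1997)


def find_leaks(session_prefixes, upstream_asn, observations, max_len=24):
    """Flag session-only prefixes seen anywhere other than the upstream.

    session_prefixes: prefixes meant to be known only to upstream_asn.
    observations: dicts with prefix, vantage_asn, as_path, communities,
    as a route monitor would report them (field names are hypothetical).
    """
    watched = [ipaddress.ip_network(p) for p in session_prefixes]
    leaks = []
    for obs in observations:
        net = ipaddress.ip_network(obs["prefix"])
        ours = any(net.version == w.version and net.subnet_of(w) for w in watched)
        if not ours or obs["vantage_asn"] == upstream_asn:
            continue  # unrelated prefix, or seen only where it was intended
        leaks.append({
            "prefix": str(net),
            "vantage_asn": obs["vantage_asn"],
            # True when the upstream is on the path, i.e. it re-exported the route.
            "via_upstream": upstream_asn in obs["as_path"],
            # True when a conventional /24 filter would have dropped it.
            "longer_than_filter": net.prefixlen > max_len,
            # Communities as seen at the vantage point; they may have been
            # stripped in transit, so False does not prove it was never set.
            "no_export_seen": NO_EXPORT in obs["communities"],
        })
    return leaks


# Constructed sample data: RFC 5737 prefixes and RFC 5398 ASNs stand in for the
# customer (64496) and upstream (64500); 513 is the probe AS named in the thread.
SAMPLE = [
    {"prefix": "192.0.2.10/32", "vantage_asn": 513,
     "as_path": [513, 64500, 64496], "communities": []},
    {"prefix": "192.0.2.10/32", "vantage_asn": 64500,
     "as_path": [64500, 64496], "communities": []},
    {"prefix": "198.51.100.0/24", "vantage_asn": 513,
     "as_path": [513, 64500, 64496], "communities": []},
]

if __name__ == "__main__":
    for leak in find_leaks(["192.0.2.10/32"], 64500, SAMPLE):
        print(leak)
```

A hit with `longer_than_filter` true and `no_export_seen` false is the situation the thread describes: the only safeguard was filtering by the upstream and by whoever accepted the route from it.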
participants (9)
- Alex H. Ryu
- Clue Store
- Joe Greco
- Michael Hallgren
- Mikael Abrahamsson
- ML
- Richard A Steenbergen
- seph
- Zak Thompson