[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Anomalies with AS13214 ?
- Subject: Anomalies with AS13214 ?
- From: andree+nanog at toonk.nl (Andree Toonk)
- Date: Mon, 11 May 2009 20:29:30 +0200
- In-reply-to: <[email protected]>
- References: <[email protected]>
.-- My secret spy satellite informs me that at Mon, 11 May 2009, Jay Hennigan wrote:
> We're getting cyclops[1] alerts that AS13214 is advertising itself as
> origin for all of our prefixes. Their anomaly report shows thousands of
> prefixes originating there.
>
> Anyone else seeing evidence of this or being affected?
It seems it was picked up by route-views4. Non of the RIS peers seem to have seen this.
Looking at the raw bgp data from route-views4:
AS13214 leaked a full table (~266294 prefixes) with 13214 as OriginAS to AS48285 which is a routeviews4 peer.
Routeviews4 saw these announcements as: ASpath 48285 13214.
It seems to have happend twice:
~ 11:03:45 GMT to 12:16:31 GMT (here AS48285 start announcing a valid path to routeviews again)
then a few seconds later again:
~ 12:16:36 GMT to 12:18:14 GMT
After that AS48285 announced ???normal??? ASpath to routeviews again.
So looks like it wasn???t a global hijack, it was only seen by one routeview peer. This is a very similar event as the one we saw on November 11 2008:
http://bgpmon.net/blog/?p=80
This again shows that it???s hard to determine if an event is a ???real??? hijack or not. Some will say it???s irrelevant some want to be notified in all cases. Based on received feedback regarding the November 11 event, BGPmon.net implemented peer thresholds (http://bgpmon.net/blog/?p=88).
Cheers,
Andree