AS number inconsistencies

John Todd jtodd at loligo.com
Mon Jul 8 14:36:10 UTC 2002


More data would be useful to answer this question. I have not done 
any research to answer these questions myself, but here are some 
additional points which may further clarify your own search:

- Do these "Premature ASes" announce the same routes before and after 
they are registered?

- Do these PASes announce "new" routes, or do they announce routes 
that already exist in the global tables via some other legitimate AS?

- Do these PASes appear from behind the same transit ASes before and 
after they are registered?

- Is there oscillation in appearances of these PASes before official 
registration?  In other words, do they only appear for a few hours at 
a time in the period before they're officially registered?

There have been instances of rogue network operators announcing 
networks in order to cause disruption (think DNS cache attack) in 
"whack-a-mole" style where the AS will appear and disappear very 
quickly in order to give some minimal additional difficulty in 
tracking down the culprit.  The questions I ask above, if answers are 
available, would be able to classify some of these attacks and allow 
for further examination versus some other, yet unidentified cause.

Or, is it the case that _all_ of the PASes are then legitimately 
registered at some point in the future?  It may be the case that a 
savvy network attacker would pick "soon-to-be-legitimate" or 
"once-were-legitimate-but-are-now-unused" ASes for their attack, but 
I would bet that at least some would pick ASes that don't come from 
an easily overlooked range.

JT


>Hi All,
>
>This is my first post to this list so please forgive me if it's in any way
>inappropriate, and as I know everyone has work to do, I'll try to be
>brief.
>
>I am a CS PhD student trying to track ASes (for reasons I'm happy to
>discuss offline). There is a grave inconsistency I have come across and
>can't explain. Simply, there seem to be many AS numbers in the
>non-private range that come into use at some point in time and advertise a
>range of IPs, but these AS numbers are not allocated until much later.
>
>More specifically, archived BGP tables show many AS numbers which ARIN
>shows not to have allocated (in their allocation history tables) until
>many months, sometimes a year/two, later. The number of such ASes has
>shrunk over time (from about 100 in 1999/2000 to 20-30 in 2002) but still
>exists. I don't want to "name ASes" <grin>.
>
>Does anyone have any explanations? Are network operators "notified" of
>their new AS number well in advance of the actual receipt of that number
>on paper, for example? Any help is appreciated (and hopefully this
>occurrence is of interest to nanog).
>
>Thanks,
>--marwan
>
>ps. If one wishes to refer to a cluster of members of nanog, are they
>referred to as "NANOs"? (Not to be confused with the salutation made
>famous by tv's Mork & Mindy, of course) :-)
>
>********************************************************
>"Theatre is not supposed to change the world,
>  but it can show the world can change."
>                                      --unnamed director
>********************************************************
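
An added example, not part of either message: one way to turn the four questions in the reply into a per-AS profile over archived table snapshots. The snapshot tuples, allocation dates, field names and the function `profile_premature` are constructed for illustration; ASNs and prefixes come from the documentation ranges, and prefix overlap is checked by exact match only.

```python
from collections import defaultdict
from datetime import date

def day(n):
    return date(2002, 1, n)

# Constructed daily snapshots: (date, origin AS, prefix, upstream/transit AS).
OBSERVATIONS = (
    [(day(n), 64500, "192.0.2.0/24", 64510) for n in range(1, 9)]       # long-registered origin
    + [(day(n), 64501, "198.51.100.0/24", 64510) for n in range(3, 9)]  # early but stable
    + [(day(n), 64502, "192.0.2.0/24", 64511) for n in (2, 4, 6)]       # flaps, overlaps 64500
    + [(day(8), 64502, "203.0.113.0/24", 64509)]                        # differs once registered
)
# Constructed registry allocation dates per AS.
ALLOCATED = {64500: date(2001, 6, 1), 64501: day(5), 64502: day(7)}

def profile_premature(observations, allocated):
    """Profile every AS seen originating routes before its allocation date."""
    snapshots = sorted({d for d, *_ in observations})
    index = {d: i for i, d in enumerate(snapshots)}
    origins = defaultdict(set)   # prefix -> every AS seen originating it
    by_as = defaultdict(list)
    for d, asn, prefix, upstream in observations:
        origins[prefix].add(asn)
        by_as[asn].append((d, prefix, upstream))
    report = {}
    for asn, rows in by_as.items():
        alloc = allocated.get(asn)   # None means never allocated
        pre = [r for r in rows if alloc is None or r[0] < alloc]
        if not pre:
            continue                 # not a premature AS
        post = [r for r in rows if alloc is not None and r[0] >= alloc]
        seen = sorted({index[d] for d, _, _ in pre})
        # An episode is a run of consecutive snapshots containing the AS.
        episodes = 1 + sum(1 for a, b in zip(seen, seen[1:]) if b - a > 1)
        pre_pfx = {p for _, p, _ in pre}
        report[asn] = {
            "same_routes": bool(post) and pre_pfx == {p for _, p, _ in post},
            "same_transit": bool(post) and {u for *_, u in pre} == {u for *_, u in post},
            "overlapping_prefixes": sorted(p for p in pre_pfx if origins[p] - {asn}),
            "episodes_before_allocation": episodes,
        }
    return report

if __name__ == "__main__":
    for asn, profile in sorted(profile_premature(OBSERVATIONS, ALLOCATED).items()):
        print(asn, profile)
```

An AS that keeps its routes and transit across the allocation date and shows a single pre-allocation episode fits the early-notification explanation; several short episodes combined with prefixes already originated elsewhere match the "whack-a-mole" pattern described in the reply.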



