Anomalies with AS13214 ?

Russell Heilling chewtoy at s8n.net
Tue Jul 28 10:50:02 UTC 2009


2009/5/11 Ricardo Oliveira <rveloso at cs.ucla.edu>:
> Hi all,
>
> First, thanks for using Cyclops, and thanks for all the Cyclops users that
> drop me a message about this.
>
> It seems some router in AS13214 decided to originate all the prefixes and
> send them to AS48285 in the Caymans, all the ASPATHs are 48285 13214.
> The first announcement was on 2009-05-11 11:03:11 UTC and last on 2009-05-11
> 12:16:32 UTC, there were 266,289 prefixes leaked (they were withdrawn
> afterwards)

It looks like AS13214 are misbehaving again...  We have just started
receiving cyclops alerts indicating that AS13214 is announcing our
prefixes again:

Alert ID:                     4927389
Alert type:                   origin change
Monitored ASN,prefix:         78.154.96.0/19
Offending attribute:          78.154.96.0/19-13214
Date:                         2009-07-28 08:30:56 UTC
Duration:                     00:00:01 (hh:mm:ss)
No. monitors:                 1
(http://cyclops.cs.ucla.edu/view_monitors.html?aid=4927389)
Announced prefix:             78.154.96.0/19
Announced ASPATH:             48285 13214
BGP message:
http://cyclops.cs.ucla.edu/show_myalert.html?aid=4927389

I guess ROBTEX didn't implement ingress filters after the last episode...

> As indicated in the Cyclops alerts, only a single monitor (AS48285) in
> route-views4 detected this leak. I checked on other neighbors of AS13214 and
> they seem fine, so it seems it was only a single router issue.
>
> This incident shows the advantage of having a wide set of peers for
> detection, it seems Cyclops was the only tool to detect this incident. Given
> the amount of banks and financial institutions in the Caymans, I would
> otherwise have raised a red flag, but it seems this case was an
> unintentional misconfig by AS13214.
>
> Would appreciate any further comment on the tool, and happy cyclopying!
>
> --Ricardo
> the Cyclops guy
> http://cyclops.cs.ucla.edu
>
>
> On May 11, 2009, at 8:30 AM, Jay Hennigan wrote:
>
>> We're getting cyclops[1] alerts that AS13214 is advertising itself as
>> origin for all of our prefixes.  Their anomaly report shows thousands of
>> prefixes originating there.
>>
>> Anyone else seeing evidence of this or being affected?
>>
>>
>> [1] http://cyclops.cs.ucla.edu/
>>
>>
>> --
>> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
>> Impulse Internet Service  -  http://www.impulse.net/
>> Your local telephone and internet company - 805 884-6323 - WB6RDV
>
>
>



-- 
Russell Heilling                        http://perlmonkey.blogspot.com
"The amazing ability of the bee to adapt herself often helps the
 beekeeper to overcome the results of his ignorance." - Brother Adam
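
The "origin change" check reported in the alert above can be sketched as follows. This is an added example, not part of the original message and not Cyclops code. It assumes AS paths are plain AS sequences, and it uses AS64500 (documentation range) as a stand-in for the legitimate origin of 78.154.96.0/19, which the message does not state; it also goes slightly beyond the alert by flagging more-specific announcements inside monitored space.

```python
import ipaddress

# Constructed: the legitimate origin of 78.154.96.0/19 is not given in the
# message, so AS64500 (documentation range, RFC 5398) stands in for it.
MONITORED = {"78.154.96.0/19": {64500}}

# Constructed feed of (timestamp, announced prefix, AS path). The first entry
# reuses the prefix and AS path from the alert quoted in the message.
UPDATES = [
    ("2009-07-28 08:30:56", "78.154.96.0/19", "48285 13214"),
    ("2009-07-28 08:31:10", "78.154.96.0/19", "64510 64500 64500"),  # prepended, legitimate
    ("2009-07-28 08:31:40", "78.154.100.0/24", "48285 13214"),       # more specific
    ("2009-07-28 08:32:05", "192.0.2.0/24", "48285 13214"),          # not monitored
]

def origin_as(as_path):
    """Return the origin ASN (rightmost hop), or None for an empty path."""
    hops = as_path.split()
    return int(hops[-1]) if hops else None

def origin_changes(updates, monitored):
    """Return alerts for announcements covering monitored space from an unexpected origin."""
    nets = {ipaddress.ip_network(p): origins for p, origins in monitored.items()}
    alerts = []
    for ts, prefix, path in updates:
        announced = ipaddress.ip_network(prefix)
        origin = origin_as(path)
        if origin is None:
            continue  # no origin to compare against
        for net, expected in nets.items():
            # subnet_of() raises TypeError across IPv4/IPv6, so check family first
            if (announced.version == net.version
                    and announced.subnet_of(net)
                    and origin not in expected):
                alerts.append({"time": ts, "monitored": str(net),
                               "announced": prefix, "origin": origin,
                               "as_path": path})
    return alerts

if __name__ == "__main__":
    for alert in origin_changes(UPDATES, MONITORED):
        print(alert)
```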



