AS16387 leaking routes

Ernest Andrew McCracken (emccrckn) emccrckn at
Mon Feb 15 17:13:58 CST 2010

There are other ASN changes as well as from other peers. Here are some just a few minutes old.

Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS

20100215|17:11:13|1266275473309||3303|PING REQUEST|
20100215|17:11:14|1266275474310||3303|PING RESPONSE||NO RESPONSE
20100215|17:11:14|1266275474310||3303|PING REQUEST|
20100215|17:11:15|1266275475311||3303|PING RESPONSE||NO RESPONSE


all with ridiculously long paths ofc.

-Ernest McCracken
From: christopher.morrow at [christopher.morrow at] On Behalf Of Christopher Morrow [morrowc.lists at]
Sent: Monday, February 15, 2010 4:46 PM
To: Ernest Andrew McCracken (emccrckn)
Cc: nanog at
Subject: Re: AS16387 leaking routes

On Mon, Feb 15, 2010 at 5:32 PM, Ernest Andrew McCracken (emccrckn)
<emccrckn at> wrote:
> Has anyone seen the strange activity from AS16387?  Did they leak their entire table?  Our route collectors are showing AS16387 originating large numbers of prefixes.  It looks like we caught the tail end of this activity as they are now announcing updates with  massive amounts of prepending.

16387 is a uunet customer, it seems, who's only annoucing (now) 2
prefixes... Robtex seems to support them only having a single upstream
(701). I think 701 still prefix-lists all their customers.

You saw this through 3303 without 701 (it seems?) in the path, The
orignal prefix looks actually like in the path: 34533
that looks like ESamara trying to poison their paths toward 'healthy
directions, LLC".

maybe ESamara saw something they disliked from this part of the network?


More information about the NANOG mailing list