AS16387 leaking routes
Ernest Andrew McCracken (emccrckn)
emccrckn at memphis.edu
Mon Feb 15 17:13:58 CST 2010
There are other ASN changes as well as from other peers. Here are some just a few minutes old.
Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS
20100215|17:11:14|1266275474310|126.96.36.199|3303|PING RESPONSE|188.8.131.52|NO RESPONSE
20100215|17:11:15|1266275475311|184.108.40.206|3303|PING RESPONSE|220.127.116.11|NO RESPONSE
all with ridiculously long paths ofc.
From: christopher.morrow at gmail.com [christopher.morrow at gmail.com] On Behalf Of Christopher Morrow [morrowc.lists at gmail.com]
Sent: Monday, February 15, 2010 4:46 PM
To: Ernest Andrew McCracken (emccrckn)
Cc: nanog at nanog.org
Subject: Re: AS16387 leaking routes
On Mon, Feb 15, 2010 at 5:32 PM, Ernest Andrew McCracken (emccrckn)
<emccrckn at memphis.edu> wrote:
> Has anyone seen the strange activity from AS16387? Did they leak their entire table? Our route collectors are showing AS16387 originating large numbers of prefixes. It looks like we caught the tail end of this activity as they are now announcing updates with massive amounts of prepending.
16387 is a uunet customer, it seems, who's only annoucing (now) 2
prefixes... Robtex seems to support them only having a single upstream
(701). I think 701 still prefix-lists all their customers.
You saw this through 3303 without 701 (it seems?) in the path, The
orignal prefix looks actually like 18.104.22.168/19 in the path: 34533
that looks like ESamara trying to poison their paths toward 'healthy
maybe ESamara saw something they disliked from this part of the network?
More information about the NANOG