AS16387 leaking routes

• Previous message (by thread): AS16387 leaking routes
• Next message (by thread): AS16387 leaking routes
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There are other ASN changes as well as from other peers. Here are some just a few minutes old.

Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS

20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387
20100215|17:11:13|1266275473309|164.128.32.11|3303|PING REQUEST|198.133.160.1
20100215|17:11:14|1266275474310|164.128.32.11|3303|PING RESPONSE|198.133.160.1|NO RESPONSE
20100215|17:11:14|1266275474310|164.128.32.11|3303|PING REQUEST|198.133.160.2
20100215|17:11:15|1266275475311|164.128.32.11|3303|PING RESPONSE|198.133.160.2|NO RESPONSE

20100215|17:10:05|1266275405989|164.128.32.11|3303|ORIGIN_CHANGE|91.200.172/22|43929|16387
20100215|17:05:13|1266275113867|164.128.32.11|3303|ORIGIN_CHANGE|193.169.44/23|49381|16387
20100215|16:59:02|1266274742071|154.11.11.113|852|ORIGIN_CHANGE|20.132.1/24|21877|16387
20100215|16:55:23|1266274523372|154.11.98.225|852|ORIGIN_CHANGE|91.210.10/24|47245|16387
20100215|16:50:47|1266274247250|154.11.11.113|852|ORIGIN_CHANGE|141.197.8/23|22764|16387

all with ridiculously long paths ofc.


-Ernest McCracken
________________________________________
From: christopher.morrow at gmail.com [christopher.morrow at gmail.com] On Behalf Of Christopher Morrow [morrowc.lists at gmail.com]
Sent: Monday, February 15, 2010 4:46 PM
To: Ernest Andrew McCracken (emccrckn)
Cc: nanog at nanog.org
Subject: Re: AS16387 leaking routes

On Mon, Feb 15, 2010 at 5:32 PM, Ernest Andrew McCracken (emccrckn)
<emccrckn at memphis.edu> wrote:
> Has anyone seen the strange activity from AS16387?  Did they leak their entire table?  Our route collectors are showing AS16387 originating large numbers of prefixes.  It looks like we caught the tail end of this activity as they are now announcing updates with  massive amounts of prepending.

16387 is a uunet customer, it seems, who's only annoucing (now) 2
prefixes... Robtex seems to support them only having a single upstream
(701). I think 701 still prefix-lists all their customers.

You saw this through 3303 without 701 (it seems?) in the path, The
orignal prefix looks actually like 95.79.192.0/19 in the path: 34533
16387
that looks like ESamara trying to poison their paths toward 'healthy
directions, LLC".

maybe ESamara saw something they disliked from this part of the network?

-Chris

• Previous message (by thread): AS16387 leaking routes
• Next message (by thread): AS16387 leaking routes
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]