Route leaks from AS9498 (BHARTI Airtel)?

Andree Toonk andree+nanog at toonk.nl
Fri Nov 6 19:31:47 UTC 2015


Hi Yang,

My secret spy satellite informs me that Yang Yu wrote On 2015-11-06, 
10:19 AM:

> Yes I saw the same thing. Level 3 customer space inside 8.0.0.0/8 got
> leaked by AS9498 through 174, 4323, 5580 and 12989.
>
> I did get alerts from bgpmon but the event is not shown on
> bgpstream.com. What are the criteria for listing on bgpstream.com?

Great question!

We set out to build a tool that would provide a 'clean' feed of BGP 
events. The goal of bgpstream.com is to give folks an idea of what's 
going on in the world of BGP and in large scale cases like this, to show 
that you're not alone, instead many other networks were affected as 
well. So you'd go there to see if others see the same.

We're still tuning the system, the hardest part is to figure out what is 
a 'suspicious' origin AS change and what is 'probably' ok. We have 
several checks and balances in place, for example GEO based info 
(expected ASn in US, new ASn in India). Historical info (did the AS ever 
announce other prefixes for the expected AS). Peering relations 
(customer - upstream relationship?). Obviously we check the several 
RIR/IRR databases, check for overlapping names / email addresses in 
those records. And a bunch more. All those heuristics combined determine 
if this is a 'suspicious' origin AS change (hijack) or not.

With this we have a fairly good list of events that are worth looking 
into as a human. It's very easy to create a list of hundreds of events a 
day, but many will be perfectly fine and the goal was to have a handful 
of actionable events. As a result we do throttle the number of events 
that are published on bgpstream.com in cases of large scale incidents.
That's what happened to the events this morning. We have 130 AS9498 
events in BGPstream today, that's all, that's the admin max today for a 
given AS.

Just to be clear: we did detect many more events, alerted all our users, 
but only publish 130 per AS per day on bgpstream.com to prevent 
cluttering. At least for now :)

Cheers,
  Andree (BGPmon.net)
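
One way heuristics like those described in the message above could be combined with a per-AS publication cap, as an added example that is not BGPmon's code and not part of the original message. The weights, threshold, field names, ASNs 64500/64501 and sample prefixes are assumptions constructed for illustration; only the 130-per-AS daily cap, AS9498 and the US/India case come from the message.

```python
from collections import Counter
from dataclasses import dataclass

PUBLISH_CAP_PER_AS = 130  # per-AS daily publication cap quoted in the message
# Assumed weights and threshold, chosen only for illustration.
WEIGHTS = {"geo": 2, "history": 3, "relation": 3, "registry": 4}
THRESHOLD = 6

@dataclass(frozen=True)
class OriginChange:
    prefix: str
    expected_as: int
    new_as: int
    expected_cc: str        # country of the expected origin AS
    new_cc: str             # country of the newly seen origin AS
    seen_before: bool       # new AS has announced the expected AS's prefixes before
    related: bool           # customer/upstream relationship between the two ASes
    registry_overlap: bool  # overlapping names or e-mail addresses in RIR/IRR records

def suspicion_score(ev):
    """Sum the weight of every heuristic that fails to explain the change."""
    failed = {
        "geo": ev.expected_cc != ev.new_cc,
        "history": not ev.seen_before,
        "relation": not ev.related,
        "registry": not ev.registry_overlap,
    }
    return sum(WEIGHTS[name] for name, hit in failed.items() if hit)

def triage(events, cap=PUBLISH_CAP_PER_AS):
    """One day's events -> (alerted, published); alerts are never throttled."""
    alerted, published, per_as = [], [], Counter()
    for ev in events:
        if suspicion_score(ev) < THRESHOLD:
            continue                      # 'probably ok' origin change
        alerted.append(ev)
        if per_as[ev.new_as] < cap:       # throttle only the public feed
            per_as[ev.new_as] += 1
            published.append(ev)
    return alerted, published

def sample_day():
    """Constructed input: 200 leak-like events plus one benign change."""
    leaks = [OriginChange(f"8.{i}.0.0/24", 64500, 9498, "US", "IN", False, False, False)
             for i in range(200)]
    benign = OriginChange("192.0.2.0/24", 64500, 64501, "US", "US", True, True, True)
    return leaks + [benign]

if __name__ == "__main__":
    alerted, published = triage(sample_day())
    print(len(alerted), "alerted,", len(published), "published")
```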




