Anomalies with AS13214 ?

Andree Toonk andree+nanog at toonk.nl
Mon May 11 18:29:30 UTC 2009


.-- My secret spy satellite informs me that at Mon, 11 May 2009, Jay Hennigan wrote:

> We're getting cyclops[1] alerts that AS13214 is advertising itself as  
> origin for all of our prefixes.  Their anomaly report shows thousands of  
> prefixes originating there.
>
> Anyone else seeing evidence of this or being affected?

It seems it was picked up by route-views4. None of the RIS peers seem to have seen this.

Looking at the raw bgp data from route-views4:
AS13214 leaked a full table (~266294 prefixes) with 13214 as OriginAS to AS48285, which is a routeviews4 peer.
Routeviews4 saw these announcements as: ASpath 48285 13214.

It seems to have happened twice:
~ 11:03:45 GMT to 12:16:31 GMT (here AS48285 starts announcing a valid path to routeviews again)
then a few seconds later again:
~ 12:16:36 GMT to 12:18:14 GMT
After that AS48285 announced ‘normal’ ASpath to routeviews again.

So looks like it wasn’t a global hijack, it was only seen by one routeviews peer. This is a very similar event to the one we saw on November 11 2008:
http://bgpmon.net/blog/?p=80

This again shows that it’s hard to determine if an event is a ‘real’ hijack or not. Some will say it’s irrelevant, some want to be notified in all cases. Based on received feedback regarding the November 11 event, BGPmon.net implemented peer thresholds (http://bgpmon.net/blog/?p=88).

Cheers,
 Andree
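
The peer-count reasoning in the message above (an origin change reported by a single route-views4 peer), as an added example that is not part of the original post and is not BGPmon.net's code. The update tuples, the documentation prefixes, AS64500 as the legitimate origin, the other peer ASNs and the `min_peers` value are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (collector peer AS, prefix, AS path as seen by the collector).
# AS64500 stands in for the legitimate origin; prefixes are documentation ranges.
EXPECTED_ORIGIN = {"192.0.2.0/24": 64500, "198.51.100.0/24": 64500}
UPDATES = [
    (48285, "192.0.2.0/24", "48285 13214"),
    (48285, "198.51.100.0/24", "48285 13214"),
    (64496, "192.0.2.0/24", "64496 64511 64500"),
    (64497, "192.0.2.0/24", "64497 64500"),
    (64497, "198.51.100.0/24", "64497 64500"),
]

def origin_of(as_path):
    """Return the origin AS (rightmost hop), or None if the path ends in an AS_SET."""
    last = as_path.split()[-1]
    return None if last.startswith("{") else int(last)

def origin_changes(updates, expected):
    """Map (prefix, unexpected origin AS) -> set of peers that reported it."""
    seen = defaultdict(set)
    for peer, prefix, path in updates:
        origin = origin_of(path)
        want = expected.get(prefix)
        if want is not None and origin is not None and origin != want:
            seen[(prefix, origin)].add(peer)
    return seen

def classify(updates, expected, min_peers=2):
    """Split origin changes into those at or above the peer threshold and those below."""
    alerts, below = {}, {}
    for key, peers in origin_changes(updates, expected).items():
        (alerts if len(peers) >= min_peers else below)[key] = sorted(peers)
    return alerts, below

if __name__ == "__main__":
    alerts, below = classify(UPDATES, EXPECTED_ORIGIN)
    for (prefix, origin), peers in sorted(below.items()):
        print(f"below threshold: {prefix} origin AS{origin} seen only via {peers}")
    for (prefix, origin), peers in sorted(alerts.items()):
        print(f"ALERT: {prefix} origin AS{origin} seen via {peers}")
```

With the sample data, both prefixes show AS13214 as origin through peer 48285 only, so they fall below a two-peer threshold; lowering `min_peers` to 1 turns them into alerts.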



