Anomalies with AS13214 ?
andree+nanog at toonk.nl
Mon May 11 13:29:30 CDT 2009
.-- My secret spy satellite informs me that at Mon, 11 May 2009, Jay Hennigan wrote:
> We're getting cyclops alerts that AS13214 is advertising itself as
> origin for all of our prefixes. Their anomaly report shows thousands of
> prefixes originating there.
> Anyone else seeing evidence of this or being affected?
It seems it was picked up by route-views4. Non of the RIS peers seem to have seen this.
Looking at the raw bgp data from route-views4:
AS13214 leaked a full table (~266294 prefixes) with 13214 as OriginAS to AS48285 which is a routeviews4 peer.
Routeviews4 saw these announcements as: ASpath 48285 13214.
It seems to have happend twice:
~ 11:03:45 GMT to 12:16:31 GMT (here AS48285 start announcing a valid path to routeviews again)
then a few seconds later again:
~ 12:16:36 GMT to 12:18:14 GMT
After that AS48285 announced ânormalâ ASpath to routeviews again.
So looks like it wasnât a global hijack, it was only seen by one routeview peer. This is a very similar event as the one we saw on November 11 2008:
This again shows that itâs hard to determine if an event is a ârealâ hijack or not. Some will say itâs irrelevant some want to be notified in all cases. Based on received feedback regarding the November 11 event, BGPmon.net implemented peer thresholds (http://bgpmon.net/blog/?p=88).
More information about the NANOG