Anomalies with AS13214 ?

Ricardo Oliveira rveloso at
Mon May 11 14:05:15 CDT 2009

Hi all,

First, thanks for using Cyclops, and thanks for all the Cyclops users  
that drop me a message about this.

It seems some router in AS13214 decided to originate all the prefixes  
and send them to AS48285 in the Caymans, all the ASPATHs are 48285  
The first announcement was on 2009-05-11 11:03:11 UTC and last on  
2009-05-11 12:16:32 UTC, there were 266,289 prefixes leaked (they were  
withdrawn afterwards)

As indicated in the Cyclops alerts, only a single monitor(AS48285) in  
route-views4 detected this leak. I checked on other neighbors of  
AS13214 and they seem fine, so it seems it was only a single router  

This incident shows the advantage of having a wide set of peers for  
detection, it seems Cyclops was the only tool to detect this incident.  
Given the amount of banks and financial institutions in the Caymans, i  
would otherwise have raised a red flag, but it seems this case was an  
unintentional misconfig by AS13214.

Would appreciate any further comment on the tool, and happy cyclopying!

the Cyclops guy

On May 11, 2009, at 8:30 AM, Jay Hennigan wrote:

> We're getting cyclops[1] alerts that AS13214 is advertising itself  
> as origin for all of our prefixes.  Their anomaly report shows  
> thousands of prefixes originating there.
> Anyone else seeing evidence of this or being affected?
> [1]
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at
> Impulse Internet Service  -
> Your local telephone and internet company - 805 884-6323 - WB6RDV

More information about the NANOG mailing list