Anomalies with AS13214 ?
rveloso at cs.ucla.edu
Mon May 11 14:05:15 CDT 2009
First, thanks for using Cyclops, and thanks for all the Cyclops users
that drop me a message about this.
It seems some router in AS13214 decided to originate all the prefixes
and send them to AS48285 in the Caymans, all the ASPATHs are 48285
The first announcement was on 2009-05-11 11:03:11 UTC and last on
2009-05-11 12:16:32 UTC, there were 266,289 prefixes leaked (they were
As indicated in the Cyclops alerts, only a single monitor(AS48285) in
route-views4 detected this leak. I checked on other neighbors of
AS13214 and they seem fine, so it seems it was only a single router
This incident shows the advantage of having a wide set of peers for
detection, it seems Cyclops was the only tool to detect this incident.
Given the amount of banks and financial institutions in the Caymans, i
would otherwise have raised a red flag, but it seems this case was an
unintentional misconfig by AS13214.
Would appreciate any further comment on the tool, and happy cyclopying!
the Cyclops guy
On May 11, 2009, at 8:30 AM, Jay Hennigan wrote:
> We're getting cyclops alerts that AS13214 is advertising itself
> as origin for all of our prefixes. Their anomaly report shows
> thousands of prefixes originating there.
> Anyone else seeing evidence of this or being affected?
>  http://cyclops.cs.ucla.edu/
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
More information about the NANOG