Anomalies with AS13214 ?

Ricardo Oliveira rveloso at cs.ucla.edu
Mon May 11 19:05:15 UTC 2009


Hi all,

First, thanks for using Cyclops, and thanks for all the Cyclops users  
that drop me a message about this.

It seems some router in AS13214 decided to originate all the prefixes  
and send them to AS48285 in the Caymans, all the ASPATHs are 48285  
13214.
The first announcement was on 2009-05-11 11:03:11 UTC and last on  
2009-05-11 12:16:32 UTC, there were 266,289 prefixes leaked (they were  
withdrawn afterwards)

As indicated in the Cyclops alerts, only a single monitor(AS48285) in  
route-views4 detected this leak. I checked on other neighbors of  
AS13214 and they seem fine, so it seems it was only a single router  
issue.

This incident shows the advantage of having a wide set of peers for  
detection, it seems Cyclops was the only tool to detect this incident.  
Given the amount of banks and financial institutions in the Caymans, i  
would otherwise have raised a red flag, but it seems this case was an  
unintentional misconfig by AS13214.

Would appreciate any further comment on the tool, and happy cyclopying!

--Ricardo
the Cyclops guy
http://cyclops.cs.ucla.edu


On May 11, 2009, at 8:30 AM, Jay Hennigan wrote:

> We're getting cyclops[1] alerts that AS13214 is advertising itself  
> as origin for all of our prefixes.  Their anomaly report shows  
> thousands of prefixes originating there.
>
> Anyone else seeing evidence of this or being affected?
>
>
> [1] http://cyclops.cs.ucla.edu/
>
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service  -  http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV





More information about the NANOG mailing list