Prefix 120.29.240.0/21

Fredy Kuenzler kuenzler at init7.net
Wed Nov 17 13:40:14 UTC 2010


On 17.11.2010 10:19, Fredy Kuenzler wrote:
> We see a number of sessions towards downstreams flapping, obviously caused by
> prefix 120.29.240.0/21, originated by AS45158, transited by AS4739 (see
> below).
>
> #sh ip bgp 120.29.240.0
> Number of BGP Routes matching display condition : 4
> Status codes: s suppressed, d damped, h history, * valid, > best, i internal
> Origin codes: i - IGP, e - EGP, ? - incomplete
> Network             Next Hop       MED LocPrf Weight Path
> *>i 120.29.240.0/21 206.223.143.99 21  150    0
> 4739 45158 {64512 64514 64516 64519 64521 64522 64525 64526 64528 64529
> 64530 64535 64537 64538 64541 64542 64543 64544 64545 64546 64547 64548
> 64549 64552 64553 64556 64557 64560 64561 64562 64564 64565 64566 64568
> 64569 64570 64574 64575 64576 64577 64578 64580 64582 64583 64584 64588
> 64593 64598 64599 64601 64602 64605 64610 64611 64620 64621 65397 65398
> 65470 65471 65472 65473 65474 65479 65480 65484 65485 65490 65502 65505
> 65511 65514 65523 65524 65528 65534 65609} ?

After some investigation I can post a summary of the incident.

At approx. 9:33 CET we saw the first flaps, affecting most of our downstreams, 
with Cisco and Juniper routers. Our backbone, based on Brocade XMR, was not 
affected, apart from the number of BGP updates which caused some CPU load.

Ironically the incident prefix got picked up by a Cisco edge router, and the 
session to the peer (AS4739) where the prefix got injected didn't crash either.

We filtered the evil prefix, and then the systems became stable again.

Meanwhile AS4739 shut down the BGP session with the originator AS45158 
(thanks MMC).

The propagation itself of the originator is rather uncommon, I'd say, as we 
can see, it's a BGP confederation of no fewer than 77 private AS numbers. 
Don't know what it should be useful for...

We asked some customers what gear they are running, and here is a short 
compilation - all these systems were affected by the BGP flaps:

- Cisco 2821 - c2800nm-advipservicesk9-mz.124-20.T4
- Cisco 2821 - c2800nm-advipservicesk9-mz.124-24.T1.bin
- Cisco ASR1002F - asr1000rp1-adventerprisek9.03.01.01.S.150-1.S1.bin
- Juniper MX480 - junos 10.0R3.10

We couldn't observe flaps of Quagga. Also not one single iBGP session was 
affected within our Brocade / Cisco network.

Best regards,

Fredy Kuenzler
Init7 / AS13030
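
Added example, not part of the original post: a Python check that parses the AS path quoted above, counts the AS_SET members and flags private-use or reserved ASNs, the kind of import sanity test that would mark this route for filtering. The function names and the `MAX_SET_MEMBERS` threshold are assumptions, not anything Init7 described.

```python
import re

# AS path copied from the "sh ip bgp" output quoted above; braces mark an AS_SET.
SAMPLE_PATH = """4739 45158 {64512 64514 64516 64519 64521 64522 64525 64526 64528 64529
64530 64535 64537 64538 64541 64542 64543 64544 64545 64546 64547 64548
64549 64552 64553 64556 64557 64560 64561 64562 64564 64565 64566 64568
64569 64570 64574 64575 64576 64577 64578 64580 64582 64583 64584 64588
64593 64598 64599 64601 64602 64605 64610 64611 64620 64621 65397 65398
65470 65471 65472 65473 65474 65479 65480 65484 65485 65490 65502 65505
65511 65514 65523 65524 65528 65534 65609}"""

# Private-use ASN ranges (RFC 6996) and reserved/documentation ranges.
PRIVATE = [(64512, 65534), (4200000000, 4294967294)]
RESERVED = [(0, 0), (64496, 64511), (65535, 131071), (4294967295, 4294967295)]
MAX_SET_MEMBERS = 10  # assumption: local policy threshold, not from the post


def _in(asn, ranges):
    return any(lo <= asn <= hi for lo, hi in ranges)


def parse_as_path(path):
    """Split a textual AS path into (AS_SEQUENCE list, AS_SET member list)."""
    sets = re.findall(r"\{([^}]*)\}", path)
    members = [int(a) for s in sets for a in s.replace(",", " ").split()]
    sequence = [int(a) for a in re.sub(r"\{[^}]*\}", " ", path).split()]
    return sequence, members


def audit_path(path, max_set=MAX_SET_MEMBERS):
    """Report why a path should not be accepted from an external peer."""
    sequence, members = parse_as_path(path)
    every = sequence + members
    report = {
        "as_set_size": len(members),
        "private": sorted(a for a in every if _in(a, PRIVATE)),
        "reserved": sorted(a for a in every if _in(a, RESERVED)),
    }
    report["reject"] = bool(
        report["private"] or report["reserved"] or len(members) > max_set
    )
    return report


if __name__ == "__main__":
    print(audit_path(SAMPLE_PATH))
```

On the quoted path this reports 77 AS_SET members, 76 of them in the 16-bit private-use range and one (65609) in a reserved range.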



