6453 routing leaks (January and Today)
Kevin Oberman
oberman at es.net
Fri Feb 25 00:50:19 UTC 2011
> From: Jared Mauch <jared at puck.nether.net>
> Date: Thu, 24 Feb 2011 16:59:52 -0500
>
> It appears there have been a large number of routing leaks from 6453 today based on my detection scripts that have been running.
>
> (shameless plug for http://puck.nether.net/bgp/leakinfo.cgi)
>
> A quick report of the data show (for today so far) a few thousand of leaks more than is normal for a day like today. I included a snapshot of yesterday below as well.
>
> I've included a more detailed report of the prefixes observed involved here:
>
> http://puck.nether.net/~jared/tata-leak-20110224.txt
>
> This seems to be a somewhat common event for 6453, loking through the history of data available, another event happened on 2011-01-28 as well.
>
> I'm interested in what best operational practices people have employed to help avoid the leaks seen here so I can document them for others to learn to prevent this from happening again.
>
> - Jared
>
> bgp=# select count(blame_asn),blame_asn,asn_responsible from leakinfo where aprox_time::date = '2011-02-24' group by blame_asn,asn_responsible order by 1 desc;
> count | blame_asn | asn_responsible
> -------+-----------+-----------------
> 2208 | 6453 | 6453
> 360 | 7473 | 3257
> 230 | |
> 170 | 17379 | 5511
> 130 | 8068 | 3356
> 39 | 3225 | 6453
> 34 | 45419 | 3356
> 26 | 3356 | 3356
> 25 | 12180 | 2828
> 18 | 22351 | 701
> 16 | 7991 | 2914
> 16 | 14051 | 1239
> 10 | 29571 | 5511
> 4 | 32327 | 2828
> 4 | 8966 | 2914
> 4 | 19080 | 1239
> 4 | 30209 | 7018
> 4 | 18734 | 701
> 4 | 4657 | 3320
> 3 | 33748 | 1239
> 2 | 5056 | 1239
> 2 | 10026 | 2828
> 2 | 12252 | 2914
> 1 | 11696 | 2828
> (24 rows)
>
> bgp=# select count(blame_asn),blame_asn,asn_responsible from leakinfo where aprox_time::date = '2011-02-23' group by blame_asn,asn_responsible order by 1 desc;
> count | blame_asn | asn_responsible
> -------+-----------+-----------------
> 384 | 7473 | 3257
> 120 | 17379 | 5511
> 48 | |
> 27 | 45419 | 3356
> 24 | 12180 | 2828
> 11 | 23456 | 2914
> (6 rows)
>
> bgp=# select count(blame_asn),blame_asn,asn_responsible from leakinfo where aprox_time::date = '2011-01-28' group by blame_asn,asn_responsible order by 1 desc;
> count | blame_asn | asn_responsible
> -------+-----------+-----------------
> 9119 | 6453 | 6453
> 2265 | |
> 355 | 2914 | 2914
> 313 | 7473 | 3257
> 250 | 17379 | 5511
> 213 | 32592 | 701
> 106 | 3790 | 1239
> 72 | 19108 | 6461
> 62 | 14051 | 1239
> 51 | 34977 | 6453
> 48 | 31133 | 3356
> 47 | 8657 | 174
> 32 | 7713 | 2914
> 31 | 1257 | 1239
> 31 | 8966 | 2914
> 30 | 30209 | 7018
> 30 | 31133 | 1299
> 29 | 8342 | 1239
> 24 | 38925 | 3320
> 24 | 12180 | 2828
> 22 | 8657 | 3549
> 21 | 15641 | 3549
> 18 | 31133 | 2914
> 16 | 15412 | 2914
> 15 | 7473 | 3549
> 10 | 6762 | 1299
> 10 | 6762 | 7018
> 10 | 20299 | 1239
> 10 | 6762 | 3561
> 10 | 6762 | 174
> 9 | 4323 | 2914
> 7 | 26163 | 6461
> 7 | 9505 | 174
> 7 | 15149 | 6461
> 7 | 9070 | 3549
> 7 | 7819 | 6461
> 6 | 7473 | 174
> 6 | 3216 | 3549
> 6 | 1273 | 174
> 5 | 8657 | 3356
> 5 | 26769 | 3549
> 5 | 6762 | 2914
> 5 | 6762 | 3356
> 4 | 8047 | 701
> 4 | 8877 | 174
> 4 | 174 | 174
> 2 | 20299 | 174
> 2 | 7843 | 174
> 2 | 7473 | 6453
> 2 | 8928 | 3320
> 2 | 7991 | 2914
> 1 | 1273 | 3549
> 1 | 20485 | 2914
> 1 | 3216 | 1239
> (54 rows)
Can't say if it was a leak or de aggregation, but TATA announcements to
us jumped from about 70,000 to almost 190,000 for a while today, then
dropped back down.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
More information about the NANOG
mailing list