Suspecious anycast prefixes

Yaoqing(Joey) Liu joey.liuyq at gmail.com
Thu May 5 09:36:50 CDT 2011


On Thu, May 5, 2011 at 3:54 AM, Joe Abley <jabley at hopcount.ca> wrote:
>
> On 2011-05-05, at 11:46, bmanning at vacation.karoshi.com wrote:
>
>> On Wed, May 04, 2011 at 10:23:12PM -0500, Yaoqing(Joey) Liu wrote:
>>> 198.32.64.0/24
>>> AS4555:ASName: EP0-BLK-ASNBLOCK-5;OrgName:Almond Oil Process, LLC.
>>> AS9584:as-name:GENESIS-AP|descr:Diyixian.com Limited|country:HK
>>> AS20144:ASName: L-ROOT;Comment:distributed using Anycast.
>>> AS42909: as-name:         COMMUNITYDNS;descr:           Internet
>>> Computer Bureau Ltd
>>
>>       according to Filip, this is -NOT- supposed to be
>>       anycast.  the only legal origin ASN is 4555.
>>
>>       these other ASNs have hijacked the prefix.
>
> The source data above may be old, or simply wrong -- I don't see *any* AS originating that prefix right now, and I can confirm specifically AS20144 is not configured to originate it.

This is based on last four year's data(2007-2010)collected from more
than 120 peers around the world. Today it may be not announced
anymore, but it used to be announced by the four ASNs simultaneously.
I just checked the detailed info about this prefix, here it is about
the prefix:
198.32.64.0/24
(ASN: average peers announcing this prefix:existing period:total
appearing days: MOAS period: total appearing days)
4555:4.94:20080318-20080506:50:20080318-20080506:50
9584:3.07:20080402-20080513:42:20080402-20080513:42
20144:79.44:20070101-20080501:487:20071215-20080501:138
42909:26.39:20071215-20080515:152:20071215-20080513:150
>
MY source data
> Perhaps I'm misunderstanding the original question, but the assertion that anybody is hijacking that particular prefix seems false.
>
This needs to do further analysis to confirm if it was hijacked

Yaoqing
>
> Joe




More information about the NANOG mailing list