Suspicious anycast prefixes

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Thu May 5 13:24:33 CDT 2011


On Thu, May 05, 2011 at 09:36:50AM -0500, Yaoqing(Joey) Liu wrote:
> On Thu, May 5, 2011 at 3:54 AM, Joe Abley <jabley at hopcount.ca> wrote:
> >
> > On 2011-05-05, at 11:46, bmanning at vacation.karoshi.com wrote:
> >
> >> On Wed, May 04, 2011 at 10:23:12PM -0500, Yaoqing(Joey) Liu wrote:
> >>> 198.32.64.0/24
> >>> AS4555:ASName: EP0-BLK-ASNBLOCK-5;OrgName:Almond Oil Process, LLC.
> >>> AS9584:as-name:GENESIS-AP|descr:Diyixian.com Limited|country:HK
> >>> AS20144:ASName: L-ROOT;Comment:distributed using Anycast.
> >>> AS42909: as-name:         COMMUNITYDNS;descr:           Internet
> >>> Computer Bureau Ltd
> >>
> >>       according to Filip, this is -NOT- supposed to be
> >>       anycast.  the only legal origin ASN is 4555.
> >>
> >>       these other ASNs have hijacked the prefix.
> >
> > The source data above may be old, or simply wrong -- I don't see *any* AS originating that prefix right now, and I can confirm specifically AS20144 is not configured to originate it.
> 
> This is based on the last four years' data (2007-2010) collected from more
> than 120 peers around the world. Today it may not be announced
> anymore, but it used to be announced by the four ASNs simultaneously.
> I just checked the detailed info about this prefix, here it is about
> the prefix:
> 198.32.64.0/24
> (ASN: average peers announcing this prefix:existing period:total
> appearing days: MOAS period: total appearing days)
> 4555:4.94:20080318-20080506:50:20080318-20080506:50
> 9584:3.07:20080402-20080513:42:20080402-20080513:42
> 20144:79.44:20070101-20080501:487:20071215-20080501:138
> 42909:26.39:20071215-20080515:152:20071215-20080513:150
> >
> MY source data
> > Perhaps I'm misunderstanding the original question, but the assertion that anybody is hijacking that particular prefix seems false.
> >
> This needs further analysis to confirm if it was hijacked
> 
> Yaoqing
> >
> > Joe


	in that period, it was originated by these parties, most of whom were authorized to
	announce it.  at this time, only one ASN is authorized to announce, and it's not.

	not sure how you expect to determine, with simple routing data, if the prefix was
	hijacked.  you would need to see the letters of authorization or contracts of service/carriage
	to determine if an ASN was improperly announcing.

	for that matter, why do you care what occurred years ago?  the Internet is an evolving, fluid media
	and things change all the time.  if you want particulars on this prefix, i should have the
	authoritative data, since I was the registered contact for both the prefix and the ASN in that
	period and can pull the records.  Contact me offline for details on access.

/bill
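
Added example, not part of the original thread: a parser for the per-origin records quoted above that computes when the origins overlapped (the MOAS window) and shows that a verdict on any origin depends on authorization records the routing data does not carry. The function names and the `authorized` input are assumptions made for illustration.

```python
from datetime import datetime

# Per-origin records copied from the quoted message, in its stated field order:
# ASN:avg peers:existing period:days seen:MOAS period:days seen
RECORDS = """\
4555:4.94:20080318-20080506:50:20080318-20080506:50
9584:3.07:20080402-20080513:42:20080402-20080513:42
20144:79.44:20070101-20080501:487:20071215-20080501:138
42909:26.39:20071215-20080515:152:20071215-20080513:150
"""

def _period(text):
    """'YYYYMMDD-YYYYMMDD' -> (start_date, end_date)."""
    start, end = (datetime.strptime(p, "%Y%m%d").date() for p in text.split("-"))
    return start, end

def parse(records):
    """Return {asn: {...}} for each non-empty record line."""
    origins = {}
    for line in records.split():
        asn, peers, exist, exist_days, moas, moas_days = line.split(":")
        origins[int(asn)] = {
            "avg_peers": float(peers),
            "exist": _period(exist), "exist_days": int(exist_days),
            "moas": _period(moas), "moas_days": int(moas_days),
        }
    return origins

def common_window(origins, asns=None):
    """Dates on which every selected ASN's existing period overlaps, else None."""
    spans = [origins[a]["exist"] for a in (asns or origins)]
    start, end = max(s for s, _ in spans), min(e for _, e in spans)
    return (start, end) if start <= end else None

def classify(origins, authorized):
    """authorized: {asn: (start, end)} taken from out-of-band records
    (hypothetical input; the routing data itself carries no such field)."""
    verdicts = {}
    for asn, rec in origins.items():
        if asn not in authorized:
            verdicts[asn] = "undetermined: no authorization record"
            continue
        (a_start, a_end), (start, end) = authorized[asn], rec["exist"]
        inside = a_start <= start and end <= a_end
        verdicts[asn] = "within authorization" if inside else "outside authorized dates"
    return verdicts

if __name__ == "__main__":
    parsed = parse(RECORDS)
    print("all four origins overlap:", common_window(parsed))
    print(classify(parsed, authorized={}))  # routing data alone: nothing decided
```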



