Suspecious anycast prefixes

Yaoqing(Joey) Liu joey.liuyq at
Mon May 9 14:05:36 UTC 2011

On Thu, May 5, 2011 at 1:24 PM,  <bmanning at> wrote:
> On Thu, May 05, 2011 at 09:36:50AM -0500, Yaoqing(Joey) Liu wrote:
>> On Thu, May 5, 2011 at 3:54 AM, Joe Abley <jabley at> wrote:
>> >
>> > On 2011-05-05, at 11:46, bmanning at wrote:
>> >
>> >> On Wed, May 04, 2011 at 10:23:12PM -0500, Yaoqing(Joey) Liu wrote:
>> >>>
>> >>> AS4555:ASName: EP0-BLK-ASNBLOCK-5;OrgName:Almond Oil Process, LLC.
>> >>> AS9584:as-name:GENESIS-AP| Limited|country:HK
>> >>> AS20144:ASName: L-ROOT;Comment:distributed using Anycast.
>> >>> AS42909: as-name:         COMMUNITYDNS;descr:           Internet
>> >>> Computer Bureau Ltd
>> >>
>> >>       according to Filip, this is -NOT- supposed to be
>> >>       anycast.  the only legal origin ASN is 4555.
>> >>
>> >>       these other ASNs have hijacked the prefix.
>> >
>> > The source data above may be old, or simply wrong -- I don't see *any* AS originating that prefix right now, and I can confirm specifically AS20144 is not configured to originate it.
>> This is based on last four year's data(2007-2010)collected from more
>> than 120 peers around the world. Today it may be not announced
>> anymore, but it used to be announced by the four ASNs simultaneously.
>> I just checked the detailed info about this prefix, here it is about
>> the prefix:
>> (ASN: average peers announcing this prefix:existing period:total
>> appearing days: MOAS period: total appearing days)
>> 4555:4.94:20080318-20080506:50:20080318-20080506:50
>> 9584:3.07:20080402-20080513:42:20080402-20080513:42
>> 20144:79.44:20070101-20080501:487:20071215-20080501:138
>> 42909:26.39:20071215-20080515:152:20071215-20080513:150
>> >
>> MY source data
>> > Perhaps I'm misunderstanding the original question, but the assertion that anybody is hijacking that particular prefix seems false.
>> >
>> This needs to do further analysis to confirm if it was hijacked
>> Yaoqing
>> >
>> > Joe
>        in that period, it was originated by these parties, most of whom were authorized to
>        announce it.  at this time, only one ASN is authorized to announce, and its not.
>        not sure how you expect to determine, with simple routing data, if the prefix was
>        hijacked.  you would need to see the letters of authorization or contracts of service/carriage
>        to determine if an ASN was impropperly announcing.
>        for that matter, why do you care what occured years ago?  the Internet is an evolving, fluid media
>        and things change all the time.  if you want particulars on this prefix, i should have the
>        authoritative data, since I was the registered contact for both the prefix and the ASN in that
>        period and can pull the records.  Contact me offline for details on access.

I might not explain the background clearly and confused people. We're
doing research on multiple origin AS issue, and we want to confirm if
our inference is correct based on history data we collected. For
example, we found several hundreds of prefixes with multiple origins
more than two, some of them were inferred as anycast using our
methodology, but we're not positive with the conjecture, so we want to
find the ground truth from operators. Thanks for the detailed

> /bill

More information about the NANOG mailing list