Announcing a reserved ASN?
Owen DeLong
owen at delong.com
Sun Feb 3 19:40:11 UTC 2013
AS23456 is what you get if your system doesn't properly support 32-bit ASNs
and an AS-PATH (or peer) uses a 32-bit ASN.
There should be an extended attribute on the route that contains the full
32-bit AS-PATH called AS4_PATH associated with any such routes.
Arguably any route containing AS23456 without an AS4_PATH attribute is
invalid and could be filtered.
Unfortunately, routers that would display AS23456 instead of restoring the
full 32-bit AS_PATH may not be able to identify this.
A properly transmitted route from a 4-byte ASN will be recovered as follows:

    91.217.86.0/23 *[BGP/170] 1w5d 09:11:37, MED 101, localpref 100
                     AS path: 8121 1299 3209 197269 I
                   > to 192.124.40.129 via ge-0/0/0.0

OTOH, you may occasionally see artifacts like this (I don't know why):

    91.217.87.0/24 *[BGP/170] 1w5d 09:10:16, MED 101, localpref 100
                     AS path: 8121 1299 174 23456 197269 I
                   > to 192.124.40.129 via ge-0/0/0.0

But if you are seeing 23456 on an AS4 capable router without at least some
indication of a 4-byte ASN in the path, it's probably fishy.
On Feb 3, 2013, at 4:57 AM, Suresh Ramasubramanian <ops.lists at gmail.com> wrote:
> At least the 103.x which are announced by airtel. The other netblocks (one
> Indian and two Brazilian) appear unrelated though also showing as23456
>
> --srs (htc one x)
> On 03-Feb-2013 6:12 PM, "Suresh Ramasubramanian" <ops.lists at gmail.com>
> wrote:
>
>> AS23456 is currently announcing a good few netblocks (which don't have a
>> very good smtp reputation, by the way).
>>
>> Funny thing is, that's a special use ASN as per rfc4893, something about
>> two octet ASNs that don't have a four octet representation.
>>
>> Only one upstream (airtelbroadband-as-ap, as24560) that I can see
>>
>>>> 103.7.204.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 103.14.208.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 103.23.124.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 103.30.12.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 103.245.112.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 111.235.148.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 177.55.249.0/24
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 186.251.192.0/21
Missing AS4_PATH -- Probably a spoofed/hijacked route
If you're motivated to pursue this, the best thing to do is probably to contact the last legitimate AS before 23456 in the AS-PATH and inquire.
Owen
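
Added example (not part of the original message and not the poster's code): a small Python check that applies the heuristic above to AS paths as displayed by an AS4-capable router, and reports the AS immediately before 23456 as the one to contact. The function names and the third sample path are constructed for illustration; the check sees only the displayed path, not the AS4_PATH attribute itself.

```python
import re

AS_TRANS = 23456    # reserved 2-octet placeholder ASN discussed in the thread
MAX_2BYTE = 65535   # anything above this is a 4-byte ASN

def parse_as_path(text):
    """Return the ASNs from a Junos-style 'AS path: ...' line.
    Origin codes (I, E, ?) and AS-set braces are ignored; both asplain
    (197269) and asdot (3.661) tokens are accepted."""
    text = text.split("AS path:", 1)[-1]
    asns = []
    for tok in re.findall(r"\d+(?:\.\d+)?", text):
        if "." in tok:
            hi, lo = tok.split(".")
            asns.append(int(hi) * 65536 + int(lo))
        else:
            asns.append(int(tok))
    return asns

def classify(path_text):
    """Return (verdict, asn_to_contact) for one AS path.
    ok       - no AS23456 in the path
    artifact - AS23456 present but a 4-byte ASN is also visible
    suspect  - AS23456 present with no 4-byte ASN anywhere in the path
    Assumes the path was taken from an AS4-capable router; a 2-byte-only
    router shows AS23456 for perfectly legitimate routes."""
    asns = parse_as_path(path_text)
    if AS_TRANS not in asns:
        return ("ok", None)
    if any(a > MAX_2BYTE for a in asns):
        return ("artifact", None)
    idx = asns.index(AS_TRANS)              # first occurrence, ignores prepends
    upstream = asns[idx - 1] if idx > 0 else None
    return ("suspect", upstream)

if __name__ == "__main__":
    samples = {
        "91.217.86.0/23": "AS path: 8121 1299 3209 197269 I",       # from the message
        "91.217.87.0/24": "AS path: 8121 1299 174 23456 197269 I",  # from the message
        # Constructed path: origin AS23456 behind AS24560, as the thread describes
        "103.7.204.0/22": "AS path: 8121 1299 24560 23456 I",
    }
    for prefix, path in samples.items():
        verdict, contact = classify(path)
        note = f" (ask AS{contact})" if contact else ""
        print(f"{prefix:18} {verdict}{note}")
```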