What's going on with AS147028?

noc at whojk.com noc at whojk.com
Sat Jul 16 08:15:47 UTC 2022 

I scanned all LLIX members<https://ixp.ll-ix.com/api/v4/member-export/ixf/1.0> again, no LLIX members feeds junk routes to RIS now. I think we can remove AS141011/AS140731/AS141237/AS147028 from the filter list now.

________________________________
From: JK-Net NOC <noc at whojk.com>
Sent: Saturday, July 16, 2022 3:50 PM
To: nanog at nanog.org <nanog at nanog.org>
Cc: noc at he.net <noc at he.net>
Subject: Re: What's going on with AS147028?

I think one of the reason is LL-IX strips their own ASN (59947) from the path and feed it to the route server. I see it as junk routes, and lots of people forgot(or intentionally not) to add 59947 back.
I scanned all LLIX members<https://ixp.ll-ix.com/api/v4/member-export/ixf/1.0> this morning(https://i.imgur.com/CsB8I1M.png), only AS140731 is still feeding junk routes generated by LL-IX to the RIS and bgp.tools, I think it's fine to remove AS141011/AS141237/AS147028 from the filter list.


On Wed, Jul 13, 2022 at 6:22 AM Mike Leber wrote:



This kind of thing is a problem from time to time with the data we get
from route collectors.

When we see it we have to add the culprit ASN to a filter list we keep
in bgp.he.net.

It tends to be a repeat problem with some collectors and some ASNs.

We haven't really figured out why people send junk routes to route
collectors.

The things we've seen aren't just route leaks.  We've seen a variety of
AS path spoofing.

We've already added this specific ASN to the filter list and pushed an
update for bgp.he.net.

Note, this email is specifically talking about routes received from
route collectors and not routes operationally received by he.net via BGP
sessions with actual networks.

Mike.

On 7/12/22 12:49 PM, Eric Dugas via NANOG wrote:


A friend of mine mentioned that both our Canadian ASNs were listed in
AS147028's peer list on https://bgp.he.net/AS147028 but we have no
adjacency to this network.

Their peer count jumped from 1 in May 2022 to 1,800 and just a few
days ago jumped to 8,800. Beside NL-IX, all the IX they are listed on
are virtual IX with a few dozen "hobby networks".

The only lead I have is they use HE as transit and they're pumping
back BGP feed to route collectors like RIPE RIS or Route Views with
routes stripped of HE's ASN.

Eric





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20220716/73279f8f/attachment.html>

More information about the NANOG mailing list