[122506] in North American Network Operators' Group
RE: AS16387 leaking routes
daemon@ATHENA.MIT.EDU (Ernest Andrew McCracken (emccrckn))
Mon Feb 15 18:14:46 2010
From: "Ernest Andrew McCracken (emccrckn)" <emccrckn@memphis.edu>
To: Christopher Morrow <morrowc.lists@gmail.com>
Date: Mon, 15 Feb 2010 17:13:58 -0600
In-Reply-To: <75cb24521002151446x68801f7dxbcf31b88fc7cf07c@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
There are other ASN changes as well as from other peers. Here are some just
a few minutes old.
Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS
20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387
20100215|17:11:13|1266275473309|164.128.32.11|3303|PING REQUEST|198.133.160.1
20100215|17:11:14|1266275474310|164.128.32.11|3303|PING RESPONSE|198.133.160.1|NO RESPONSE
20100215|17:11:14|1266275474310|164.128.32.11|3303|PING REQUEST|198.133.160.2
20100215|17:11:15|1266275475311|164.128.32.11|3303|PING RESPONSE|198.133.160.2|NO RESPONSE
20100215|17:10:05|1266275405989|164.128.32.11|3303|ORIGIN_CHANGE|91.200.172/22|43929|16387
20100215|17:05:13|1266275113867|164.128.32.11|3303|ORIGIN_CHANGE|193.169.44/23|49381|16387
20100215|16:59:02|1266274742071|154.11.11.113|852|ORIGIN_CHANGE|20.132.1/24|21877|16387
20100215|16:55:23|1266274523372|154.11.98.225|852|ORIGIN_CHANGE|91.210.10/24|47245|16387
20100215|16:50:47|1266274247250|154.11.11.113|852|ORIGIN_CHANGE|141.197.8/23|22764|16387
all with ridiculously long paths ofc.
-Ernest McCracken
________________________________________
From: christopher.morrow@gmail.com [christopher.morrow@gmail.com] On Behalf Of Christopher Morrow [morrowc.lists@gmail.com]
Sent: Monday, February 15, 2010 4:46 PM
To: Ernest Andrew McCracken (emccrckn)
Cc: nanog@nanog.org
Subject: Re: AS16387 leaking routes
On Mon, Feb 15, 2010 at 5:32 PM, Ernest Andrew McCracken (emccrckn)
<emccrckn@memphis.edu> wrote:
> Has anyone seen the strange activity from AS16387? Did they leak their
> entire table? Our route collectors are showing AS16387 originating large
> numbers of prefixes. It looks like we caught the tail end of this activity
> as they are now announcing updates with massive amounts of prepending.
16387 is a uunet customer, it seems, who's only announcing (now) 2
prefixes... Robtex seems to support them only having a single upstream
(701). I think 701 still prefix-lists all their customers.
You saw this through 3303 without 701 (it seems?) in the path. The
original prefix looks actually like 95.79.192.0/19 in the path: 34533
16387
that looks like ESamara trying to poison their paths toward "healthy
directions, LLC".
maybe ESamara saw something they disliked from this part of the network?
-Chris
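
A way to triage a collector feed like the one quoted in this message, added here as an example and not code from either poster or from the collector software: it parses the pipe-delimited events, keeps only ORIGIN_CHANGE, and flags any new origin AS that took over prefixes from several distinct old origins as seen by more than one peer ASN within a time window. The function names, the 30-minute window, the thresholds and the reading of the third field as epoch milliseconds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Event lines copied from the message above (soft line breaks rejoined).
SAMPLE = """\
20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387
20100215|17:11:14|1266275474310|164.128.32.11|3303|PING RESPONSE|198.133.160.1|NO RESPONSE
20100215|17:10:05|1266275405989|164.128.32.11|3303|ORIGIN_CHANGE|91.200.172/22|43929|16387
20100215|17:05:13|1266275113867|164.128.32.11|3303|ORIGIN_CHANGE|193.169.44/23|49381|16387
20100215|16:59:02|1266274742071|154.11.11.113|852|ORIGIN_CHANGE|20.132.1/24|21877|16387
20100215|16:55:23|1266274523372|154.11.98.225|852|ORIGIN_CHANGE|91.210.10/24|47245|16387
20100215|16:50:47|1266274247250|154.11.11.113|852|ORIGIN_CHANGE|141.197.8/23|22764|16387
"""

def normalize_prefix(text):
    """Expand shorthand such as '20.132.1/24' to a full IPv4 network."""
    addr, _, length = text.partition("/")
    octets = (addr.split(".") + ["0"] * 3)[:4]   # pad omitted trailing octets
    return ipaddress.ip_network(".".join(octets) + "/" + length, strict=False)

def parse_origin_changes(feed):
    """Yield (timestamp_ms, peer_asn, prefix, old_as, new_as); skip other events."""
    for line in feed.splitlines():
        f = line.strip().split("|")
        if len(f) != 9 or f[5] != "ORIGIN_CHANGE":
            continue                              # PING lines have fewer fields
        yield int(f[2]), int(f[4]), normalize_prefix(f[6]), int(f[7]), int(f[8])

def suspected_leaks(feed, window_ms=30 * 60 * 1000, min_victims=3, min_peers=2):
    """Return {new_as: summary} for ASes that, inside one sliding window, replaced
    at least min_victims distinct old origins as seen by min_peers peer ASNs."""
    by_origin = defaultdict(list)
    for ev in parse_origin_changes(feed):
        by_origin[ev[4]].append(ev)
    flagged = {}
    for new_as, evs in by_origin.items():
        evs.sort(key=lambda e: e[0])              # oldest first
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - first[0] <= window_ms]
            victims, peers = {e[3] for e in win}, {e[1] for e in win}
            if len(victims) >= min_victims and len(peers) >= min_peers:
                flagged[new_as] = {"prefixes": sorted({str(e[2]) for e in win}),
                                   "old_origins": sorted(victims), "peers": sorted(peers)}
                break
    return flagged

if __name__ == "__main__":
    for asn, info in suspected_leaks(SAMPLE).items():
        print(f"AS{asn}: {len(info['prefixes'])} prefixes, old origins {info['old_origins']}, peers {info['peers']}")
```

Requiring more than one peer ASN keeps a single collector session's view from triggering the flag on its own.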