[137979] in North American Network Operators' Group
Re: 6453 routing leaks (January and Today)
daemon@ATHENA.MIT.EDU (Jared Mauch)
Fri Feb 25 07:22:48 2011
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <DEC7E2FF-0F45-4B6D-8EEC-0A8716779B83@puck.nether.net>
Date: Fri, 25 Feb 2011 07:22:36 -0500
To: Jared Mauch <jared@puck.nether.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Update:
I have had a source ask me to post the following:
-- snip --
The problem with route leaking was caused by specific routing platform resulting in some peer routes not being properly tagged.
We are deploying additional measures to prevent this from happening in the future
-- snip --
- Jared
On Feb 24, 2011, at 4:59 PM, Jared Mauch wrote:
> It appears there have been a large number of routing leaks from 6453 today based on my detection scripts that have been running.
>
> (shameless plug for http://puck.nether.net/bgp/leakinfo.cgi)
>
> A quick report of the data shows (for today so far) a few thousand leaks more than is normal for a day like today. I included a snapshot of yesterday below as well.
>
> I've included a more detailed report of the prefixes observed involved here:
>
> http://puck.nether.net/~jared/tata-leak-20110224.txt
>
> This seems to be a somewhat common event for 6453, looking through the history of data available, another event happened on 2011-01-28 as well.
>
> I'm interested in what best operational practices people have employed to help avoid the leaks seen here so I can document them for others to learn to prevent this from happening again.
>
> - Jared
>
> bgp=# select count(blame_asn),blame_asn,asn_responsible from leakinfo where aprox_time::date = '2011-02-24' group by blame_asn,asn_responsible order by 1 desc;
> count | blame_asn | asn_responsible
> -------+-----------+-----------------
> 2208 | 6453 | 6453
> 360 | 7473 | 3257
> 230 | |
> 170 | 17379 | 5511
> 130 | 8068 | 3356
> 39 | 3225 | 6453
> 34 | 45419 | 3356
> 26 | 3356 | 3356
> 25 | 12180 | 2828
> 18 | 22351 | 701
> 16 | 7991 | 2914
> 16 | 14051 | 1239
> 10 | 29571 | 5511
> 4 | 32327 | 2828
> 4 | 8966 | 2914
> 4 | 19080 | 1239
> 4 | 30209 | 7018
> 4 | 18734 | 701
> 4 | 4657 | 3320
> 3 | 33748 | 1239
> 2 | 5056 | 1239
> 2 | 10026 | 2828
> 2 | 12252 | 2914
> 1 | 11696 | 2828
> (24 rows)
>
> bgp=# select count(blame_asn),blame_asn,asn_responsible from leakinfo where aprox_time::date = '2011-02-23' group by blame_asn,asn_responsible order by 1 desc;
> count | blame_asn | asn_responsible
> -------+-----------+-----------------
> 384 | 7473 | 3257
> 120 | 17379 | 5511
> 48 | |
> 27 | 45419 | 3356
> 24 | 12180 | 2828
> 11 | 23456 | 2914
> (6 rows)
>
> bgp=# select count(blame_asn),blame_asn,asn_responsible from leakinfo where aprox_time::date = '2011-01-28' group by blame_asn,asn_responsible order by 1 desc;
> count | blame_asn | asn_responsible
> -------+-----------+-----------------
> 9119 | 6453 | 6453
> 2265 | |
> 355 | 2914 | 2914
> 313 | 7473 | 3257
> 250 | 17379 | 5511
> 213 | 32592 | 701
> 106 | 3790 | 1239
> 72 | 19108 | 6461
> 62 | 14051 | 1239
> 51 | 34977 | 6453
> 48 | 31133 | 3356
> 47 | 8657 | 174
> 32 | 7713 | 2914
> 31 | 1257 | 1239
> 31 | 8966 | 2914
> 30 | 30209 | 7018
> 30 | 31133 | 1299
> 29 | 8342 | 1239
> 24 | 38925 | 3320
> 24 | 12180 | 2828
> 22 | 8657 | 3549
> 21 | 15641 | 3549
> 18 | 31133 | 2914
> 16 | 15412 | 2914
> 15 | 7473 | 3549
> 10 | 6762 | 1299
> 10 | 6762 | 7018
> 10 | 20299 | 1239
> 10 | 6762 | 3561
> 10 | 6762 | 174
> 9 | 4323 | 2914
> 7 | 26163 | 6461
> 7 | 9505 | 174
> 7 | 15149 | 6461
> 7 | 9070 | 3549
> 7 | 7819 | 6461
> 6 | 7473 | 174
> 6 | 3216 | 3549
> 6 | 1273 | 174
> 5 | 8657 | 3356
> 5 | 26769 | 3549
> 5 | 6762 | 2914
> 5 | 6762 | 3356
> 4 | 8047 | 701
> 4 | 8877 | 174
> 4 | 174 | 174
> 2 | 20299 | 174
> 2 | 7843 | 174
> 2 | 7473 | 6453
> 2 | 8928 | 3320
> 2 | 7991 | 2914
> 1 | 1273 | 3549
> 1 | 20485 | 2914
> 1 | 3216 | 1239
> (54 rows)
>
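The update at the top of this message attributes the leak to peer routes that were not properly tagged. The sketch below is an added example, not code from the message or from any operator's configuration: it assumes an export policy driven by ingress community tags and shows why a deny-list policy leaks untagged peer routes while an allow-list policy fails closed. The community values, the `Route` type and all function names are hypothetical, and the prefixes are constructed documentation ranges.

```python
# Added illustration: community-tag based export filtering toward peers.
# All community values and prefixes below are constructed placeholders.
from dataclasses import dataclass, field

TAG_CUSTOMER = "64500:100"   # hypothetical: set at ingress on customer sessions
TAG_PEER = "64500:200"       # hypothetical: set at ingress on peer sessions

@dataclass
class Route:
    prefix: str
    learned_from: str                      # ground truth: "customer" or "peer"
    communities: set = field(default_factory=set)

def ingress_tag(route, peer_tagging_works=True):
    """Tag at ingress; peer_tagging_works=False models the tagging fault."""
    if route.learned_from == "customer":
        route.communities.add(TAG_CUSTOMER)
    elif route.learned_from == "peer" and peer_tagging_works:
        route.communities.add(TAG_PEER)
    return route

def export_deny_list(route):
    """Fail-open: announce to peers unless the route carries the peer tag."""
    return TAG_PEER not in route.communities

def export_allow_list(route):
    """Fail-closed: announce to peers only routes carrying the customer tag."""
    return TAG_CUSTOMER in route.communities

def leaked(routes, policy):
    """Prefixes learned from a peer that the policy would send to another peer."""
    return [r.prefix for r in routes if r.learned_from == "peer" and policy(r)]

def build_table(peer_tagging_works):
    # Constructed sample routes using documentation prefixes.
    raw = [
        Route("192.0.2.0/24", "customer"),
        Route("198.51.100.0/24", "peer"),
        Route("203.0.113.0/24", "peer"),
    ]
    return [ingress_tag(r, peer_tagging_works) for r in raw]

if __name__ == "__main__":
    for works in (True, False):
        table = build_table(works)
        print("peer tagging works:", works)
        print("  deny-list leaks: ", leaked(table, export_deny_list))
        print("  allow-list leaks:", leaked(table, export_allow_list))
```

With tagging intact both policies behave identically, so the difference only shows up when a tag goes missing, which is the condition worth testing before relying on a tag-based export filter.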