[139248] in North American Network Operators' Group


Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Thu Mar 31 12:19:11 2011

In-Reply-To: <AANLkTi=_jVaXmWwd2=Qq-GuDE_3y2yzGKcBdO5ixN0nV@mail.gmail.com>
Date: Thu, 31 Mar 2011 18:18:08 +0200
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Tony Tauber <ttauber@1-4-5.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>, Brandon Ross <bross@pobox.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Mar 31, 2011 at 5:33 PM, Tony Tauber <ttauber@1-4-5.net> wrote:
> I don't believe this record indicates that Level3 proxy registered the route
> object.
> It means that someone used the DBANK-MNT maintainer ID in the Level3 RR to
> enter a route object 18 months ago.
>

possibly...

> It looks like Level3 is originating the route in AS3356, not accepting it
> from AS13767 (which is what the object would suggest to do.)
>
> Oops, looks like the route is now gone. Guess it got cleaned.
>

l3 ams router says:
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i148.163.0.0/20   4.69.181.3               0    100      0 i
* i                 4.69.181.3               0    100      0 i
*>i148.163.64.0/20  4.69.181.3               0    100      0 i
* i                 4.69.181.3               0    100      0 i
*  148.163.178.0/24 213.206.131.45      100000     86      0 1239 13767 i
* i                 4.69.185.185                  100      0 13767 i
*>i                 4.69.185.185                  100      0 13767 i
*  148.163.179.0/24 213.206.131.45      100000     86      0 1239 13767 i
* i                 4.69.185.185                  100      0 13767 i
*>i                 4.69.185.185                  100      0 13767 i
* i148.163.224.0/19 4.69.181.3               0    100      0 i
*>i                 4.69.181.3               0    100      0 i

there's a possibility that, in this case, L3 is simply holding up the
/16 for their customer, sinking junk traffic and permitting more
specifics by the customer? (it's not clear here, though the above
seems to show sprint propagating databank's prefixes while L3 is
originating some parts of the /16 still.)

<http://www.robtex.com/as/as13767.html>

indicates that the 2 upstreams for databank are apparently L3 and sprint.

-Chris

> Tony
>
> On Thu, Mar 31, 2011 at 5:49 AM, Christopher Morrow
> <morrowc.lists@gmail.com> wrote:
>>
>> I forgot:
>> $ whois -h whois.radb.net 148.163.0.0
>> route:         148.163.0.0/16
>> descr:         /16 for Celanese
>> origin:        AS13767
>> mnt-by:        DBANK-MNT
>> changed:       jpope@databank.com 20090818
>> source:        LEVEL3
>>
>> (this means l3 proxy'd in the record, I think... maybe an L3 person
>> can speak to this bit?)
>>
>> > -chris
>> > (being able to validate 'ownership', really authorization to route,
>> > automatically will sure be nice, eh?)
>> >
>>
>
>
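
An added example, not part of the original message: a Python check that compares the origin AS of each row in the router output above against the RADB route object quoted in the thread. It assumes the queried router sits in AS3356, so an empty AS path is counted as local origination; `LOCAL_AS` and the function names are choices made for this example.

```python
import ipaddress

# Values taken from the RADB route object quoted in the thread.
IRR_PREFIX = ipaddress.ip_network("148.163.0.0/16")
IRR_ORIGIN = 13767
# Assumption: the router queried is in AS3356, so an empty AS path means
# the prefix is originated inside AS3356.
LOCAL_AS = 3356

# Router output copied from the message (header plus route rows).
TABLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*>i148.163.0.0/20   4.69.181.3               0    100      0 i
* i                 4.69.181.3               0    100      0 i
*>i148.163.64.0/20  4.69.181.3               0    100      0 i
* i                 4.69.181.3               0    100      0 i
*  148.163.178.0/24 213.206.131.45      100000     86      0 1239 13767 i
* i                 4.69.185.185                  100      0 13767 i
*>i                 4.69.185.185                  100      0 13767 i
*  148.163.179.0/24 213.206.131.45      100000     86      0 1239 13767 i
* i                 4.69.185.185                  100      0 13767 i
*>i                 4.69.185.185                  100      0 13767 i
* i148.163.224.0/19 4.69.181.3               0    100      0 i
*>i                 4.69.181.3               0    100      0 i
"""

def origins(table):
    """Map each prefix to the set of origin ASes seen across its paths."""
    lines = table.splitlines()
    path_col = lines[0].index("Path")      # AS path starts under "Path"
    seen, prefix = {}, None
    for line in lines[1:]:
        net = line[3:20].strip()           # blank on continuation rows
        if net:
            prefix = ipaddress.ip_network(net)
        hops = line[path_col:].split()[:-1]  # drop the origin code (i/e/?)
        origin = int(hops[-1]) if hops else LOCAL_AS
        seen.setdefault(prefix, set()).add(origin)
    return seen

def mismatches(table):
    """Prefixes covered by the IRR object whose origin AS differs from it."""
    return {str(p): sorted(o - {IRR_ORIGIN})
            for p, o in origins(table).items()
            if p.subnet_of(IRR_PREFIX) and o - {IRR_ORIGIN}}

if __name__ == "__main__":
    for prefix, bad in mismatches(TABLE).items():
        print(f"{prefix}: origin AS {bad}, route object says AS{IRR_ORIGIN}")
```

The AS path is read by column position under the `Path` header because the Metric column is blank on some rows, which makes whitespace splitting ambiguous.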

