[140217] in North American Network Operators' Group


Re: Suspicious anycast prefixes

daemon@ATHENA.MIT.EDU (Yaoqing(Joey) Liu)
Thu May 5 10:37:40 2011

In-Reply-To: <31E0CDD1-AC16-4E5A-843E-C670F9148E84@hopcount.ca>
Date: Thu, 5 May 2011 09:36:50 -0500
From: "Yaoqing(Joey) Liu" <joey.liuyq@gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: bmanning@vacation.karoshi.com, nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, May 5, 2011 at 3:54 AM, Joe Abley <jabley@hopcount.ca> wrote:
>
> On 2011-05-05, at 11:46, bmanning@vacation.karoshi.com wrote:
>
>> On Wed, May 04, 2011 at 10:23:12PM -0500, Yaoqing(Joey) Liu wrote:
>>> 198.32.64.0/24
>>> AS4555:ASName: EP0-BLK-ASNBLOCK-5;OrgName:Almond Oil Process, LLC.
>>> AS9584:as-name:GENESIS-AP|descr:Diyixian.com Limited|country:HK
>>> AS20144:ASName: L-ROOT;Comment:distributed using Anycast.
>>> AS42909: as-name: COMMUNITYDNS;descr: Internet Computer Bureau Ltd
>>
>> according to Filip, this is -NOT- supposed to be
>> anycast. the only legal origin ASN is 4555.
>>
>> these other ASNs have hijacked the prefix.
>
> The source data above may be old, or simply wrong -- I don't see *any* AS
> originating that prefix right now, and I can confirm specifically AS20144
> is not configured to originate it.

This is based on the last four years' data (2007-2010) collected from
more than 120 peers around the world. Today it may not be announced
anymore, but it used to be announced by the four ASNs simultaneously.
I just checked the detailed info about this prefix; here it is:
198.32.64.0/24
(ASN: average peers announcing this prefix:existing period:total
appearing days: MOAS period: total appearing days)
4555:4.94:20080318-20080506:50:20080318-20080506:50
9584:3.07:20080402-20080513:42:20080402-20080513:42
20144:79.44:20070101-20080501:487:20071215-20080501:138
42909:26.39:20071215-20080515:152:20071215-20080513:150
>
MY source data
> Perhaps I'm misunderstanding the original question, but the assertion
> that anybody is hijacking that particular prefix seems false.
>
This needs further analysis to confirm whether it was hijacked.

Yaoqing
>
> Joe
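
An added example, not part of the original message: one way to parse the per-origin records quoted above and compute when the listed origins' announcement periods coincide. The function names are hypothetical, and because each period is a first-seen/last-seen range, the overlaps are upper bounds on simultaneous announcement.

```python
from datetime import datetime
from itertools import combinations

# Records copied from the message above for 198.32.64.0/24. Field order as stated there:
# ASN : average peers : existing period : days seen : MOAS period : days seen
RECORDS = """\
4555:4.94:20080318-20080506:50:20080318-20080506:50
9584:3.07:20080402-20080513:42:20080402-20080513:42
20144:79.44:20070101-20080501:487:20071215-20080501:138
42909:26.39:20071215-20080515:152:20071215-20080513:150
"""

def period(text):
    """'YYYYMMDD-YYYYMMDD' -> (first_day, last_day) as dates."""
    first, last = (datetime.strptime(p, "%Y%m%d").date() for p in text.split("-"))
    return first, last

def parse(line):
    asn, peers, exist, exist_days, moas, moas_days = line.strip().split(":")
    return {"asn": int(asn), "avg_peers": float(peers),
            "exist": period(exist), "exist_days": int(exist_days),
            "moas": period(moas), "moas_days": int(moas_days)}

def span_days(p):
    """Inclusive calendar length of a period."""
    return (p[1] - p[0]).days + 1

def overlap(a, b):
    """Intersection of two periods, or None if they never coincide."""
    first, last = max(a[0], b[0]), min(a[1], b[1])
    return (first, last) if first <= last else None

def pairwise_overlaps(records):
    """Origin pairs whose announcement periods intersect -> inclusive day count."""
    result = {}
    for x, y in combinations(records, 2):
        common = overlap(x["exist"], y["exist"])
        if common:
            result[(x["asn"], y["asn"])] = span_days(common)
    return result

def common_window(records):
    """Period that lies inside every listed origin's announcement period."""
    first = max(r["exist"][0] for r in records)
    last = min(r["exist"][1] for r in records)
    return (first, last) if first <= last else None

def missing_days(r, field="exist"):
    """Days inside the period on which the origin was not seen."""
    return span_days(r[field]) - r[field + "_days"]

if __name__ == "__main__":
    recs = [parse(l) for l in RECORDS.splitlines()]
    print(common_window(recs), pairwise_overlaps(recs))
    print({r["asn"]: missing_days(r, "moas") for r in recs})
```

A non-zero `missing_days` value means the origin was absent on some days inside its reported range, so per-day data is needed to confirm that the origins were actually visible on the same days.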

