[38658] in North American Network Operators' Group
RE: /24s run amuck again
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Sun Jun 10 04:10:37 2001
Message-Id: <4.3.2.7.2.20010610110045.00aa0e30@max.att.net.il>
Date: Sun, 10 Jun 2001 11:09:47 +0200
To: "Richard A. Steenbergen" <ras@e-gerbil.net>,
Philip Smith <pfs@cisco.com>
From: Hank Nussbacher <hank@att.net.il>
Cc: nanog@merit.edu
In-Reply-To: <Pine.BSF.4.21.0106091351140.29677-100000@overlord.e-gerbil
.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
At 14:10 09/06/01 -0400, Richard A. Steenbergen wrote:
> > 11371 307 Rhythms NetConnections
Email sent to gharmon@rhythms.net, cgreen@rhythms.net,
doroberts@rhythms.net on Feb 8 - no response.
> > 3491 651 CAIS Internet
>
>DSL providers are becoming very bad about this. Someone pointed out to me
>off list that CAIS had carved up PSI's /8 into over 500 /24s.
>
> > 690 502 Merit Network
>
>Well at least we don't have to go too far to find the guilty party. :P
>
> > 18994 468 Global Crossing
> > 15870 436 Global Center Frankfurt
> > 18993 325 Global Crossing
>
>Those are the GlobalCenter datacenters being converted into the Exodus
>network. It looks like they are leaking a sizable number of /32s /30s etc,
>and since its GBLX space I'm assuming its stuff that used to be aggregated
>into a single announcement.
Email sent to: ipadmin@gblx.net, huberman@gblx.net, ip-eng@gblx.net,
scarter@gblx.net, bgp@gblx.net, bp@gblx.net on June 4 - everyone responded
that the problem was forwarded to Exodus and from there it disappeared into
a black hole.
Basically, after having sent out dozens of emails over the past 6 months I
have come to the conclusion that there are a few out there that will fix
things when presented with the problem. But the vast majority either don't
have a clue, don't want to have a clue or couldn't give a damn that the
routing tables are increasing in size.
-Hank
> > There is no attempt to measure aggregation - that's the job of the
> > CIDR Report. This simply looks at the prefix announced and if it is
> > outside the above limits, it is counted. Makes very interesting
> > reading...
>
>The one interesting pattern I noticed in the rampant /24 abuse was non-
>contiguous announcements. It's likely that this kept them off the CIDR
>Report and any other scans which only looked for contiguous announcements.
>For example:
>
>1.2.3.0/24
>1.2.5.0/24
>1.2.7/0.24
>
>--
>Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
>PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
