Re: Anomalies with AS13214 ?

["Sharlon R. Carty" <me () sharloncarty net>]

Isn't this the second time that AS13214 seemed to have made a "unintentional
misconfig"?

On Mon, May 11, 2009 at 3:05 PM, Ricardo Oliveira <rveloso () cs ucla edu>wrote:

> Hi all,
>
> First, thanks for using Cyclops, and thanks for all the Cyclops users that
> drop me a message about this.
>
> It seems some router in AS13214 decided to originate all the prefixes and
> send them to AS48285 in the Caymans, all the ASPATHs are 48285 13214.
> The first announcement was on 2009-05-11 11:03:11 UTC and last on
> 2009-05-11 12:16:32 UTC, there were 266,289 prefixes leaked (they were
> withdrawn afterwards)
>
> As indicated in the Cyclops alerts, only a single monitor(AS48285) in
> route-views4 detected this leak. I checked on other neighbors of AS13214 and
> they seem fine, so it seems it was only a single router issue.
>
> This incident shows the advantage of having a wide set of peers for
> detection, it seems Cyclops was the only tool to detect this incident. Given
> the amount of banks and financial institutions in the Caymans, i would
> otherwise have raised a red flag, but it seems this case was an
> unintentional misconfig by AS13214.
>
> Would appreciate any further comment on the tool, and happy cyclopying!
>
> --Ricardo
> the Cyclops guy
> http://cyclops.cs.ucla.edu
>
>
>  On May 11, 2009, at 8:30 AM, Jay Hennigan wrote:
>
> We're getting cyclops[1] alerts that AS13214 is advertising itself as
> > origin for all of our prefixes.  Their anomaly report shows thousands of
> > prefixes originating there.
> >
> > Anyone else seeing evidence of this or being affected?
> >
> >
> > [1] http://cyclops.cs.ucla.edu/
> >
> >
> > --
> > Jay Hennigan - CCIE #7880 - Network Engineering - jay () impulse net
> > Impulse Internet Service  -  http://www.impulse.net/
> > Your local telephone and internet company - 805 884-6323 - WB6RDV


-- 
--sharlon