nanog mailing list archives
Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 31 Mar 2011 18:18:08 +0200
On Thu, Mar 31, 2011 at 5:33 PM, Tony Tauber <ttauber () 1-4-5 net> wrote:
I don't believe this record indicates that Level3 proxy registered the route object. It means that someone used the DBANK-MNT maintainer ID in the Level3 RR to enter a route object 18 months ago.
possibly...
It looks like Level3 is originating the route in AS3356, not accepting it from AS13767 (which is what the object would suggest to do.) Oops, looks like the route is now gone. Guess it got cleaned.
l3 ams router says:
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i148.163.0.0/20 4.69.181.3 0 100 0 i
* i 4.69.181.3 0 100 0 i
*>i148.163.64.0/20 4.69.181.3 0 100 0 i
* i 4.69.181.3 0 100 0 i
* 148.163.178.0/24 213.206.131.45 100000 86 0 1239 13767 i
* i 4.69.185.185 100 0 13767 i
*>i 4.69.185.185 100 0 13767 i
* 148.163.179.0/24 213.206.131.45 100000 86 0 1239 13767 i
* i 4.69.185.185 100 0 13767 i
*>i 4.69.185.185 100 0 13767 i
* i148.163.224.0/19 4.69.181.3 0 100 0 i
*>i 4.69.181.3 0 100 0 i
there's a possibility that, in this case, L3 is simply holding up the
/16 for their customer, sinking junk traffic and permitting more
specifics by the customer? (it's not clear here, though the above
seems to show sprint propogating databank's prefixes while L3 is
originating some parts of the /16 still.
<http://www.robtex.com/as/as13767.html>
indicates that the 2 upstreams for databank are apparently L3 and sprint.
-Chris
Tony On Thu, Mar 31, 2011 at 5:49 AM, Christopher Morrow <morrowc.lists () gmail com> wrote:I forgot: $ whois -h whois.radb.net 148.163.0.0 route: 148.163.0.0/16 descr: /16 for Celanese origin: AS13767 mnt-by: DBANK-MNT changed: jpope () databank com 20090818 source: LEVEL3 (this means l3 proxy'd in the record, I think... maybe an L3 person can speak to this bit?)-chris (being able to validate 'ownership', really authorization to route, automatically will sure be nice, eh?)
Current thread:
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??, (continued)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Ross Harvey (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Brandon Ross (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Owen DeLong (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Paul Ferguson (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Suresh Ramasubramanian (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Owen DeLong (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Suresh Ramasubramanian (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Christopher Morrow (Mar 31)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Christopher Morrow (Mar 31)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Tony Tauber (Mar 31)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Christopher Morrow (Mar 31)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Ronald F. Guilmette (Mar 31)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Owen DeLong (Mar 30)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Ronald F. Guilmette (Mar 31)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Matthew Petach (Mar 31)
- RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Stefan Fouant (Mar 31)
- Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Owen DeLong (Mar 31)
- RE: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking?? Rafael Cresci (Mar 31)