Re: Dreamhost/AS26347 unauthorized bgp announcement

[Job Snijders <job.snijders () atrato com>]

Hi Mat,

I see the same thing, we learn the prefix from the route-server in LAX: 

telnet () r1 lax1 us>show ip bgp routes detail 90.201.80.0/20
Number of BGP Routes matching display condition : 1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
       E:EBGP H:HISTORY I:IBGP L:LOCAL M:MULTIPATH m:NOT-INSTALLED-MULTIPATH
       S:SUPPRESSED F:FILTERED s:STALE
1       Prefix: 90.201.80.0/20,  Status: BE,  Age: 0h22m15s
         NEXT_HOP: 206.223.143.83, Metric: 0, Learned from Peer: 206.223.143.253 (19996)
          LOCAL_PREF: 400,  MED: none,  ORIGIN: incomplete,  Weight: 0
         AS_PATH: 26347
            COMMUNITIES: 5580:12431
            Adj_RIB_out count: 18,  Admin distance 20
       Last update to IP routing table: 0h22m15s, 1 path(s) installed:

Kind regards,

Job

On Mar 6, 2013, at 9:59 AM, Matsuzaki Yoshinobu <maz () iij ad jp> wrote:

> According to RIPE RIS, AS26347 announced a bunch of prefixes again.
> - http://www.ris.ripe.net/dashboard/26347
>
> First suspicious announcement was started 2013-03-06 07:52:40 UTC, and
> last seen 2013-03-06 08:33:56 UTC.  195 prefixes total.
>
> It seems these unauthorized announcements have the same profile as
> before - AS26347 shrinks the prefix lenght of their received prefix
> somehow upto /20, and re-originates the prefix with origin AS26347.
>
> Any known bugs?
>
> Regards,
> -----
> Matsuzaki Yoshinobu <maz () iij ad jp>
> - IIJ/AS2497  INOC-DBA: 2497*629

-- 
AS5580 - Atrato IP Networks