Re: What's going on with AS147028?

[Ben Cox via NANOG <nanog () nanog org>]

I run bgp.tools (with it's own route collectors, that people should
totally feed :) https://bgp.tools/kb/setup-sessions ) but I feel like
I can add some insight here to what I think is happening with
AS147028.

I've had multiple issues with networks feeding me that also are on
LL-IX (https://www.peeringdb.com/ix/2343) or LL-HOST (Maybe? AS59947).

It appears (based on my discussions with a few of the offending
networks) that LL-IX or LL-HOST strips their own ASN (59947) from the
path when you take up a transit or maybe (i'm not sure) peer on their
route servers on LL-IX

When you combine this and exporting to projects like RouteViews/RIPE
RIS/bgp.tools, you get a peer graph that looks like the feeder ASN is
peering with... almost everyone who AS59947 peers with.

This has become so much of a problem (as I am slightly mad for getting
this kind of data right) that bgp.tools disallows sessions to be setup
if it looks like the AS either is upstreamed by AS59947 or has a port
with LL-IX, (with a message to email me)

The users who do email me, about 50% of them commit to adding the
AS59947 ASN back on, and I enable their ability to export to
bgp.tools.

Hope this clears things up! This exact AS has been the cause of many
frustrations for me for a while now!

On Tue, Jul 12, 2022 at 11:22 PM Mike Leber via NANOG <nanog () nanog org> wrote:
> This kind of thing is a problem from time to time with the data we get
> from route collectors.
>
> When we see it we have to add the culprit ASN to a filter list we keep
> in bgp.he.net.
>
> It tends to be a repeat problem with some collectors and some ASNs.
>
> We haven't really figured out why people send junk routes to route
> collectors.
>
> The things we've seen aren't just route leaks.  We've seen a variety of
> AS path spoofing.
>
> We've already added this specific ASN to the filter list and pushed an
> update for bgp.he.net.
>
> Note, this email is specifically talking about routes received from
> route collectors and not routes operationally received by he.net via BGP
> sessions with actual networks.
>
> Mike.
>
> On 7/12/22 12:49 PM, Eric Dugas via NANOG wrote:
> > A friend of mine mentioned that both our Canadian ASNs were listed in
> > AS147028's peer list on https://bgp.he.net/AS147028 but we have no
> > adjacency to this network.
> >
> > Their peer count jumped from 1 in May 2022 to 1,800 and just a few
> > days ago jumped to 8,800. Beside NL-IX, all the IX they are listed on
> > are virtual IX with a few dozen "hobby networks".
> >
> > The only lead I have is they use HE as transit and they're pumping
> > back BGP feed to route collectors like RIPE RIS or Route Views with
> > routes stripped of HE's ASN.
> >
> > Eric