nanog mailing list archives

RE: AS16387 leaking routes

From: "Ernest Andrew McCracken (emccrckn)" <emccrckn () memphis edu>
Date: Mon, 15 Feb 2010 17:13:58 -0600

There are other ASN changes as well as from other peers. Here are some just a few minutes old.

Date|Time|timestamp|Peer IP|Peer ASN|Event Description|Prefix|old AS|new AS

20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387
20100215|17:11:13|1266275473309|164.128.32.11|3303|PING REQUEST|198.133.160.1
20100215|17:11:14|1266275474310|164.128.32.11|3303|PING RESPONSE|198.133.160.1|NO RESPONSE
20100215|17:11:14|1266275474310|164.128.32.11|3303|PING REQUEST|198.133.160.2
20100215|17:11:15|1266275475311|164.128.32.11|3303|PING RESPONSE|198.133.160.2|NO RESPONSE

20100215|17:10:05|1266275405989|164.128.32.11|3303|ORIGIN_CHANGE|91.200.172/22|43929|16387
20100215|17:05:13|1266275113867|164.128.32.11|3303|ORIGIN_CHANGE|193.169.44/23|49381|16387
20100215|16:59:02|1266274742071|154.11.11.113|852|ORIGIN_CHANGE|20.132.1/24|21877|16387
20100215|16:55:23|1266274523372|154.11.98.225|852|ORIGIN_CHANGE|91.210.10/24|47245|16387
20100215|16:50:47|1266274247250|154.11.11.113|852|ORIGIN_CHANGE|141.197.8/23|22764|16387

all with ridiculously long paths ofc.


-Ernest McCracken
________________________________________
From: christopher.morrow () gmail com [christopher.morrow () gmail com] On Behalf Of Christopher Morrow [morrowc.lists 
() gmail com]
Sent: Monday, February 15, 2010 4:46 PM
To: Ernest Andrew McCracken (emccrckn)
Cc: nanog () nanog org
Subject: Re: AS16387 leaking routes

On Mon, Feb 15, 2010 at 5:32 PM, Ernest Andrew McCracken (emccrckn)
<emccrckn () memphis edu> wrote:

Has anyone seen the strange activity from AS16387?  Did they leak their entire table?  Our route collectors are 
showing AS16387 originating large numbers of prefixes.  It looks like we caught the tail end of this activity as they 
are now announcing updates with  massive amounts of prepending.


16387 is a uunet customer, it seems, who's only annoucing (now) 2
prefixes... Robtex seems to support them only having a single upstream
(701). I think 701 still prefix-lists all their customers.

You saw this through 3303 without 701 (it seems?) in the path, The
orignal prefix looks actually like 95.79.192.0/19 in the path: 34533
16387
that looks like ESamara trying to poison their paths toward 'healthy
directions, LLC".

maybe ESamara saw something they disliked from this part of the network?

-Chris

Current thread:

AS16387 leaking routes Ernest Andrew McCracken (emccrckn) (Feb 15)
- Re: AS16387 leaking routes Christopher Morrow (Feb 15)
  - RE: AS16387 leaking routes Ernest Andrew McCracken (emccrckn) (Feb 15)
    - Re: AS16387 leaking routes Christopher Morrow (Feb 15)
    - Re: AS16387 leaking routes Christopher Morrow (Feb 15)