Re: Announcing a reserved ASN?

[Owen DeLong <owen () delong com>]

AS23456 is what you get if your system doesn't properly support 32-bit ASNs
and an AS-PATH (or peer) uses a 32-bit ASN.

There should be an extended attribute on the route that contains the full
32-bit AS-PATH called AS4_PATH associated with any such routes.

Arguably any route containing AS23456 without an AS4_PATH attribute is
invalid and could be filtered.

Unfortunately, routers that would display AS23456 instead of restoring the
full 32-bit AS_PATH may not be able to identify this.

A properly transmitted route from a 4-byte ASN will be recovered as follows:

91.217.86.0/23     *[BGP/170] 1w5d 09:11:37, MED 101, localpref 100
                      AS path: 8121 1299 3209 197269 I
                    > to 192.124.40.129 via ge-0/0/0.0

OTOH, you may occasionally see artifacts like this (I don't know why):

91.217.87.0/24     *[BGP/170] 1w5d 09:10:16, MED 101, localpref 100
                      AS path: 8121 1299 174 23456 197269 I
                    > to 192.124.40.129 via ge-0/0/0.0

But if you are seeing 23456 on an AS4 capable router without at least some
indication of a 4-byte ASN in the path, it's probably fishy.

On Feb 3, 2013, at 4:57 AM, Suresh Ramasubramanian <ops.lists () gmail com> wrote:

> At least the 103.x which are announced by airtel. The other netblocks (one
> Indian and two brazilian) appear unrelated though also showing as23456
>
> --srs (htc one x)
> On 03-Feb-2013 6:12 PM, "Suresh Ramasubramanian"
> <ops.lists () gmail com<javascript:_e({}, 'cvml',
> 'ops.lists () gmail com');>>
> wrote:
>
> > AS23456 is currently announcing a good few netblocks (which don't have a
> > very good smtp reputation, by the way).
> >
> > Funny thing is, that's a special use ASN as per rfc4893, something about
> > two octet ASNs that don't have a four octet representation.
> >
> > Only one upstream (airtelbroadband-as-ap, as24560) that I can see
> >
> > > > 103.7.204.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> > > > 103.14.208.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> > > > 103.23.124.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> > > > 103.30.12.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> > > > 103.245.112.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> > > > 111.235.148.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> > > > 177.55.249.0/24

Missing AS4_PATH -- Probably a spoofed/hijacked route

> > > > 186.251.192.0/21

Missing AS4_PATH -- Probably a spoofed/hijacked route

If you're motivated to pursue this, the best thing to do is probably to contact the last legitimate AS before 23456 in 
the AS-PATH and inquire.

Owen