nanog mailing list archives

Re: Route leaks from AS9498 (BHARTI Airtel)?


From: Andree Toonk <andree+nanog () toonk nl>
Date: Fri, 06 Nov 2015 11:31:47 -0800

Hi Yang,

My secret spy satellite informs me that Yang Yu wrote On 2015-11-06, 10:19 AM:

Yes I saw the same thing. Level 3 customer space inside 8.0.0.0/8 got
leaked by AS9498 through 174, 4323, 5580 and 12989.

I did get alerts from bgpmon but the event is not shown on
bgpstream.com. What are the criteria for listing on bgpstream.com?

Great question!

We set out to build a tool that would provide a 'clean' feed of BGP events. The goal of bgpstream.com is to give folks an idea of what's going on in the world of BGP and in large scale cases like this, to show that you're not alone, instead many other networks were affected as well. So you'd go there to see if others see the same.

We're still tuning the system; the hardest part is to figure out what is a 'suspicious' origin AS change and what is 'probably' ok. We have several checks and balances in place, for example GEO based info (expected ASn in US, new ASn in India). Historical info (did the AS ever announce other prefixes for the expected AS). Peering relations (customer - upstream relationship?). Obviously we check the several RIR/IRR databases, check for overlapping names / email addresses in those records. And a bunch more. All those heuristics combined determine if this is a 'suspicious' origin AS change (hijack) or not.

With this we have a fairly good list of events that are worth looking into as a human. It's very easy to create a list of hundreds of events a day, but many will be perfectly fine and the goal was to have a handful of actionable events. As a result we do throttle the number of events that are published on bgpstream.com in cases of large scale incidents. That's what happened to the events this morning. We have 130 AS9498 events in BGPstream today; that's all, that's the admin max today for a given AS.

Just to be clear: we did detect many more events, alerted all our users, but only publish 130 per AS per day on bgpstream.com to prevent cluttering. At least for now :)

Cheers,
 Andree (BGPmon.net)
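
An added illustration, not BGPmon's code and not part of the original message: the checks named above (geo, history, peering relation, RIR/IRR overlap) combined into one score, with every suspicious event alerted but only 130 per AS per day published. The weights, threshold, field names and sample events are assumptions; the ASNs are documentation ASNs and the prefixes are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

PUBLISH_CAP_PER_AS = 130  # per-AS, per-day publish cap quoted in the message

@dataclass(frozen=True)
class OriginChange:
    prefix: str
    expected_as: int
    new_as: int
    expected_cc: str         # country of the expected origin AS
    new_cc: str              # country of the newly seen origin AS
    seen_before: bool        # new AS has announced the expected AS's prefixes in the past
    customer_upstream: bool  # known customer/upstream relation between the two ASes
    irr_overlap: bool        # overlapping names or e-mail addresses in RIR/IRR records

# Hypothetical weights and threshold; the message names the checks, not their weighting.
WEIGHTS = {"geo": 2, "history": 3, "peering": 3, "irr": 3}
THRESHOLD = 6

def suspicion_score(ev: OriginChange) -> int:
    """Add a weight for every check that fails to explain the origin change."""
    score = 0
    if ev.expected_cc != ev.new_cc:
        score += WEIGHTS["geo"]
    if not ev.seen_before:
        score += WEIGHTS["history"]
    if not ev.customer_upstream:
        score += WEIGHTS["peering"]
    if not ev.irr_overlap:
        score += WEIGHTS["irr"]
    return score

def triage(events, cap=PUBLISH_CAP_PER_AS):
    """One day's events in, (alerted, published) out: alert on all, publish at most cap per AS."""
    alerted, published, per_as = [], [], defaultdict(int)
    for ev in events:
        if suspicion_score(ev) < THRESHOLD:
            continue
        alerted.append(ev)
        if per_as[ev.new_as] < cap:
            per_as[ev.new_as] += 1
            published.append(ev)
    return alerted, published

# Constructed sample: 200 changes toward documentation AS 64511, plus one benign change.
LEAK = [OriginChange(f"10.0.{i}.0/24", 64496, 64511, "US", "IN", False, False, False)
        for i in range(200)]
BENIGN = OriginChange("10.1.0.0/24", 64496, 64497, "US", "US", True, True, True)
```
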


