Announcing a reserved ASN?

AS23456 is currently announcing a good few netblocks (which don't have a
very good SMTP reputation, by the way).

Funny thing is, that's a special use ASN as per RFC 4893, something about
two octet ASNs that don't have a four octet representation.

Only one upstream (airtelbroadband-as-ap, as24560) that I can see

> 103.7.204.0/22
> 103.14.208.0/22
> 103.23.124.0/22
> 103.30.12.0/22
> 103.245.112.0/22
> 111.235.148.0/22
> 177.55.249.0/24
> 186.251.192.0/21

--srs (htc one x)

At least the 103.x which are announced by airtel. The other netblocks (one
Indian and two Brazilian) appear unrelated though also showing as23456.

--srs (htc one x)

To say the least. A quick rDNS scan reveals that those netblocks include:

  8448 addresses
  6932 return nxdomain
  512 return servfail
  1004 with rDNS entries

Those 1004 hosts with rDNS account for 36 domains:

I'm sure they're all perfectly legitimate businesses.

---rsk

AS23456 is what you get if your system doesn't properly support 32-bit ASNs
and an AS-PATH (or peer) uses a 32-bit ASN.

There should be an extended attribute on the route that contains the full
32-bit AS-PATH called AS4_PATH associated with any such routes.

Arguably any route containing AS23456 without an AS4_PATH attribute is
invalid and could be filtered.

Unfortunately, routers that would display AS23456 instead of restoring the
full 32-bit AS_PATH may not be able to identify this.

A properly transmitted route from a 4-byte ASN will be recovered as follows:

91.217.86.0/23 *[BGP/170] 1w5d 09:11:37, MED 101, localpref 100
                      AS path: 8121 1299 3209 197269 I
                    > to 192.124.40.129 via ge-0/0/0.0

OTOH, you may occasionally see artifacts like this (I don't know why):

91.217.87.0/24 *[BGP/170] 1w5d 09:10:16, MED 101, localpref 100
                      AS path: 8121 1299 174 23456 197269 I
                    > to 192.124.40.129 via ge-0/0/0.0

But if you are seeing 23456 on an AS4 capable router without at least some
indication of a 4-byte ASN in the path, it's probably fishy.

> 103.7.204.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> 103.14.208.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> 103.23.124.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> 103.30.12.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> 103.245.112.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> 111.235.148.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

> 177.55.249.0/24

Missing AS4_PATH -- Probably a spoofed/hijacked route

> 186.251.192.0/21

Missing AS4_PATH -- Probably a spoofed/hijacked route

If you're motivated to pursue this, the best thing to do is probably to contact the last legitimate AS before 23456 in the AS-PATH and inquire.

Owen
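
The check described in the reply above, as an added example that is not part of the original thread: it merges AS_PATH with AS4_PATH the way a 4-octet-capable speaker does, then flags any path that still carries AS23456 with no 4-byte ASN in it. The function names, the on-the-wire form of the first route and the third route (built with documentation ASN 64496) are constructed for illustration.

```python
AS_TRANS = 23456  # reserved placeholder for an ASN that does not fit in two octets


def reconstruct(as_path, as4_path=None):
    """Merge AS_PATH and AS4_PATH as a 4-octet-capable speaker would.

    Simplified to plain AS sequences (no AS_SET or confederation segments).
    """
    if not as4_path or len(as_path) < len(as4_path):
        return list(as_path)  # AS4_PATH absent or longer than AS_PATH: ignore it
    keep = len(as_path) - len(as4_path)  # leading hops added by 2-octet speakers
    return list(as_path[:keep]) + list(as4_path)


def classify(as_path, as4_path=None):
    """Return (verdict, reconstructed_path) for one received route."""
    path = reconstruct(as_path, as4_path)
    if AS_TRANS not in path:
        return "ok", path
    if any(asn > 0xFFFF for asn in path):
        # AS_TRANS left over next to a real 4-byte ASN: the artifact case
        return "artifact", path
    # AS_TRANS with no sign of any 4-byte ASN: candidate for filtering
    return "suspect", path


# Constructed sample routes: (prefix, AS_PATH, AS4_PATH or None)
ROUTES = [
    # Assumed wire form of the thread's 91.217.86.0/23 route
    ("91.217.86.0/23", [8121, 1299, 3209, 23456], [197269]),
    # Path exactly as displayed in the thread for 91.217.87.0/24
    ("91.217.87.0/24", [8121, 1299, 174, 23456, 197269], None),
    # Constructed: AS23456 as origin behind AS24560, no AS4_PATH attribute
    ("103.7.204.0/22", [64496, 24560, 23456], None),
]

if __name__ == "__main__":
    for prefix, as_path, as4_path in ROUTES:
        verdict, path = classify(as_path, as4_path)
        print(f"{prefix:18} {verdict:9} {' '.join(map(str, path))}")
```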