AS 8437 announced a quarter of the net for half of an hour

Josh_Karlin · August 14, 2006, 7:36pm

Greetings,

Today (Aug 14th 2006) AS 8437 announced 63 /8 nets from 14:30 to 15:00
UTC. I don't believe that this is normal, but please correct me if I
am wrong.

More info can be found at the Internet Alert Registry here:
http://cs.unm.edu/~karlinjf/IAR/prefix.php?filter=most

If you come to this 24 hours of the event, you can go here:
http://cs.unm.edu/~karlinjf/IAR/search.php and do an Hijacker AS search on 8437.

If you would like to see the routes as they happened from a RIPE
viewpoint, please check out this very cool site:
http://stats.sunet.se/bgpsearch/

Following is the list of announced nets:

1/8
2/8
5/8
7/8
23/8
27/8
31/8
36/8
37/8
39/8
42/8
49/8
50/8
77/8
78/8
79/8
92/8
93/8
94/8
95/8
96/8
97/8
98/8
99/8
100/8
101/8
102/8
103/8
104/8
105/8
106/8
107/8
108/8
109/8
110/8
111/8
112/8
113/8
114/8
115/8
116/8
117/8
118/8
119/8
120/8
173/8
174/8
175/8
176/8
177/8
178/8
179/8
180/8
181/8
182/8
183/8
184/8
185/8
186/8
187/8
197/8
198/8
223/8

Bandy_Rush1 · August 14, 2006, 7:40pm

Today (Aug 14th 2006) AS 8437 announced 63 /8 nets from 14:30 to 15:00
UTC. I don't believe that this is normal, but please correct me if I
am wrong.

have you written to tele2uta in asutria?

randy

Josh_Karlin · August 15, 2006, 1:02am

Yes but no response yet.

Richard_A_Steenbegen · August 15, 2006, 2:56am

Note they're all unallocated blocks, so probably someone's attempt at
bogon filtering got leaked inadvertently. Since they're all unallocated
blocks, it shouldn't have done any harm, and anyone with reasonably
intelligent routing policies should have blocked those routes anyways.

And may there be a special circle of hell reserved for the weenies who do
stupid unnecessary shit that breaks more than it fixes in the name of
security.

Josh_Karlin · August 15, 2006, 3:23am

Ah, I believe you're right. Thanks for clearing it up! I had looked
up a couple of the prefixes to see if they had owners and I thought I
had seen one, but I must have made a typo.

I like my swimming pool of lava thank you very much

Josh

Valdis_Kletnieks · August 15, 2006, 5:03pm

Anybody announced 127/8 lately? Did anybody actually notice/care?

Gadi_Evron1 · August 15, 2006, 7:48pm

Indeed, it seems like human error.

1. To state the obvious, human error on the Internet can cause a
catastrophe. It's not really "secure".

2. Why assume human error? I always ask "why assume malice?", that does
not deny us the posibility of the oposite.
It sure would be interesting to see what traffic unallocated space gets
beyond some dark matter that floats into honey nets of sorts here and
there.

Gadi.

Chris_L_Morrow · August 15, 2006, 7:55pm

if you route 127.0.0.0/8 to a host you sometimes get interesting syslog
messages (sent to 127.0.0.1 on hosts with loopback misconfig'd or
'down').

At one point I'd seen 'default' advertised on a network suck down 600kpps
... that was 'entertaining'.

JD1 · August 15, 2006, 8:10pm

If someone _really_ wants the junk addressed to 127/8, they are welcome to have it

John