AS16387 leaking routes

Ernest_Andrew_McCrac · February 15, 2010, 10:32pm

Has anyone seen the strange activity from AS16387? Did they leak their entire table? Our route collectors are showing AS16387 originating large numbers of prefixes. It looks like we caught the tail end of this activity as they are now announcing updates with massive amounts of prepending.

Here's an example. We have several pages worth of this.

20100215|15:17:58|1266268678678|164.128.32.11|3303|ORIGIN_CHANGE|95.79.192/19|34533|16387

20100215|15:18:58|1266268738707|164.128.32.11|3303|BGPMON_PATH|3303,3303,3303,3303,3303,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6 453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453, 6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453 ,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,6453,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,8744,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,34533,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387,16387

Ernest McCracken
Research Assistant
Networking Research Laboratory
http://netlab.cs.memphis.edu
Computer Science Department
University of Memphis

Christopher_Morrow · February 15, 2010, 10:46pm

16387 is a uunet customer, it seems, who's only annoucing (now) 2
prefixes... Robtex seems to support them only having a single upstream
(701). I think 701 still prefix-lists all their customers.

You saw this through 3303 without 701 (it seems?) in the path, The
orignal prefix looks actually like 95.79.192.0/19 in the path: 34533
16387
that looks like ESamara trying to poison their paths toward 'healthy
directions, LLC".

maybe ESamara saw something they disliked from this part of the network?

-Chris

Ernest_Andrew_McCrac · February 15, 2010, 11:13pm

There are other ASN changes as well as from other peers. Here are some just a few minutes old.

20100215|17:11:13|1266275473183|164.128.32.11|3303|ORIGIN_CHANGE|192.156.97/24|5651|16387
20100215|17:11:13|1266275473309|164.128.32.11|3303|PING REQUEST|198.133.160.1
20100215|17:11:14|1266275474310|164.128.32.11|3303|PING RESPONSE|198.133.160.1|NO RESPONSE
20100215|17:11:14|1266275474310|164.128.32.11|3303|PING REQUEST|198.133.160.2
20100215|17:11:15|1266275475311|164.128.32.11|3303|PING RESPONSE|198.133.160.2|NO RESPONSE

20100215|17:10:05|1266275405989|164.128.32.11|3303|ORIGIN_CHANGE|91.200.172/22|43929|16387
20100215|17:05:13|1266275113867|164.128.32.11|3303|ORIGIN_CHANGE|193.169.44/23|49381|16387
20100215|16:59:02|1266274742071|154.11.11.113|852|ORIGIN_CHANGE|20.132.1/24|21877|16387
20100215|16:55:23|1266274523372|154.11.98.225|852|ORIGIN_CHANGE|91.210.10/24|47245|16387
20100215|16:50:47|1266274247250|154.11.11.113|852|ORIGIN_CHANGE|141.197.8/23|22764|16387

all with ridiculously long paths ofc.

-Ernest McCracken

Christopher_Morrow · February 16, 2010, 2:19am

don't know what to tell ya... I only see 2 routes from 16387 in
routeviews or other places I can view routing info This isn't some
off-by-one error type thing in your collector code?

-Chris

Christopher_Morrow · February 16, 2010, 2:21am

Oh, robtex seems uncomplete, or RIS thinks there are other Transits for 16387:

<http://www.ris.ripe.net/dashboard/16387>

sprint + 701 transit...(both filter customers)

-Chris