BGP Update Report

Interval: 20-Nov-14 -to- 27-Nov-14 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS12897 1394574 20.6% 199224.9 -- HEAGMEDIANET HSE Medianet GmbH,DE
2 - AS23752 300478 4.4% 2659.1 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
3 - AS9829 266609 3.9% 169.1 -- BSNL-NIB National Internet Backbone,IN
4 - AS53249 78168 1.2% 39084.0 -- LAWA-AS - Los Angeles World Airport,US
5 - AS28642 63900 0.9% 1879.4 -- Contato Internet Ltda EPP,BR
6 - AS14840 60699 0.9% 1785.3 -- COMMCORP COMUNICACOES LTDA,BR
7 - AS20940 49912 0.7% 102.9 -- AKAMAI-ASN1 Akamai International B.V.,US
8 - AS23688 44891 0.7% 760.9 -- LINK3-TECH-AS-BD-AP Link3 Technologies Ltd.,BD
9 - AS52828 44476 0.7% 1482.5 -- Netpal Internet Palmares Ltda.,BR
10 - AS8402 43028 0.6% 29.3 -- CORBINA-AS OJSC "Vimpelcom",RU
11 - AS5 38861 0.6% 7.0 -- SYMBOLICS - Symbolics, Inc.,US
12 - AS28573 37224 0.6% 27.0 -- NET Serviços de Comunicação S.A.,BR
13 - AS46573 36961 0.6% 82.1 -- GLOBAL-FRAG-SERVERS - Global Frag Networks,US
14 - AS7545 32539 0.5% 13.4 -- TPG-INTERNET-AP TPG Telecom Limited,AU
15 - AS35819 32391 0.5% 60.3 -- MOBILY-AS Etihad Etisalat Company (Mobily),SA
16 - AS45271 31119 0.5% 103.4 -- ICLNET-AS-AP Idea Cellular Limited,IN
17 - AS3 30043 0.4% 3185.0 -- MIT-GATEWAYS - Massachusetts Institute of Technology,US
18 - AS53175 30030 0.4% 968.7 -- Unetvale Servicos e Equipamentos LTDA,BR
19 - AS38197 28599 0.4% 27.4 -- SUNHK-DATA-AS-AP Sun Network (Hong Kong) Limited,HK
20 - AS39891 27349 0.4% 98.0 -- ALJAWWALSTC-AS Saudi Telecom Company JSC,SA

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS12897 1394574 20.6% 199224.9 -- HEAGMEDIANET HSE Medianet GmbH,DE
2 - AS53249 78168 1.2% 39084.0 -- LAWA-AS - Los Angeles World Airport,US
3 - AS23342 22191 0.3% 22191.0 -- UNITEDLAYER - Unitedlayer, Inc.,US
4 - AS3181 10938 0.2% 10938.0 -- ASN-MATRIXMOBILE CJSC "Matrix Mobile",RU
5 - AS18135 9065 0.1% 9065.0 -- BTV BTV Cable television,JP
6 - AS3 23868 0.3% 1306.0 -- MIT-GATEWAYS - Massachusetts Institute of Technology,US
7 - AS37425 15898 0.2% 7949.0 -- Somcable,SO
8 - AS60725 22790 0.3% 7596.7 -- O3B-AS O3b Limited,JE
9 - AS62174 4824 0.1% 4824.0 -- INTERPAN-AS INTERPAN LTD.,BG
10 - AS25003 19994 0.3% 3998.8 -- INTERNET_BINAT Internet Binat Ltd,IL
11 - AS16065 2702 0.0% 2702.0 -- AS16065 Redimi AS,NL
12 - AS23752 300478 4.4% 2659.1 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
13 - AS5 38861 0.6% 7.0 -- SYMBOLICS - Symbolics, Inc.,US
14 - AS55657 2147 0.0% 2147.0 -- XNS-AS-ID Xtreme Network System, PT,ID
15 - AS4 21237 0.3% 871.0 -- ISI-AS - University of Southern California,US
16 - AS28642 63900 0.9% 1879.4 -- Contato Internet Ltda EPP,BR
17 - AS58599 5559 0.1% 1853.0 -- CYBERGATE-BD Cybergate Limited,BD
18 - AS14840 60699 0.9% 1785.3 -- COMMCORP COMUNICACOES LTDA,BR
19 - AS4 5345 0.1% 1437.0 -- ISI-AS - University of Southern California,US
20 - AS4 8784 0.1% 2303.0 -- ISI-AS - University of Southern California,US

TOP 20 Unstable Prefixes
Rank Prefix Upds % Origin AS -- AS Name
1 - 94.16.72.0/21 200960 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
2 - 94.16.64.0/21 200914 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
3 - 94.16.80.0/20 200901 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
4 - 194.99.108.0/23 199280 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
5 - 194.127.204.0/23 199121 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
6 - 194.45.104.0/23 197850 2.9% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
7 - 185.9.28.0/22 195548 2.8% AS12897 -- HEAGMEDIANET HSE Medianet GmbH,DE
8 - 202.70.88.0/21 150476 2.2% AS23752 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
9 - 202.70.64.0/21 146967 2.1% AS23752 -- NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services,NP
10 - 198.140.114.0/24 39116 0.6% AS53249 -- LAWA-AS - Los Angeles World Airport,US
11 - 198.140.115.0/24 39052 0.6% AS53249 -- LAWA-AS - Los Angeles World Airport,US
12 - 196.43.157.0/24 38349 0.6% AS5 -- SYMBOLICS - Symbolics, Inc.,US
13 - 130.0.192.0/21 23862 0.3% AS3 -- MIT-GATEWAYS - Massachusetts Institute of Technology,US
14 - 64.29.130.0/24 22191 0.3% AS23342 -- UNITEDLAYER - Unitedlayer, Inc.,US
15 - 192.115.44.0/22 19986 0.3% AS25003 -- INTERNET_BINAT Internet Binat Ltd,IL
16 - 162.249.183.0/24 11921 0.2% AS60725 -- O3B-AS O3b Limited,JE
17 - 5.8.168.0/23 10938 0.2% AS3181 -- ASN-MATRIXMOBILE CJSC "Matrix Mobile",RU
18 - 185.26.155.0/24 10851 0.2% AS60725 -- O3B-AS O3b Limited,JE
19 - 14.0.59.0/24 10546 0.1% AS36408 -- CDNETWORKSUS-02 - CDNetworks Inc.,US
20 - 192.58.232.0/24 10407 0.1% AS6629 -- NOAA-AS - NOAA,US

Details at http://bgpupdates.potaroo.net

cidr-report writes:

BGP Update Report
Interval: 20-Nov-14 -to- 27-Nov-14 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN Upds % Upds/Pfx AS-Name

[...]

11 - AS5 38861 0.6% 7.0 -- SYMBOLICS - Symbolics, Inc.,US

Disappointing to see Symbolics (AS5) on this list. I would expect these
Lisp Machines to have very stable BGP implementations, especially given
the leisurely release rhythm for Genera for the past few decades. Has
the size of the IPv4 unicast table started triggering global GCs?

Seriously, all these low-numbered ASes in the report look fishy. I
would have liked this to be an artifact of the reporting software (maybe
an issue with 4-byte ASes?), but I do see some strange paths in the BGP
table that make it look like (accidental or malicious) hijacking of
these low-numbered ASes.

Now the fact that these AS numbers are low makes me curious. If I
wanted to hijack other folks' ASes deliberately, I would probably avoid
such numbers because they stand out. Maybe these are just non-standard
"private-use" ASes that are leaked?

Some suspicious paths I'm seeing right now:

  133439 5
  197945 4

Hm, maybe 32-bit ASes do have something to do with this...

Any ideas?

    > Some suspicious paths I'm seeing right now:

    > 133439 5
    > 197945 4

my bet is on someone using the syntax "prepend asnX timesY" on a router
that instead wants "prepend asnX asnX...."

Do these people never check what exactly they end up originating outbound due to a config change, if that's really the case?

You're new here, aren't you? :-)

Of course not because their neighbors are allowing it to
pass; so as with all hijacks, deaggregation, and other
unfiltered noise, the only care is traffic going in and
out. QA (let alone automated sanity checks) are alien
concepts to many, and "well it works" is the answer from
some when contacted.

It smells like this is as PF surmises and might just be
folks amenable to fixing it when contacted. We'll see...

Cheers!

Joe

Thank you, I needed the laugh.

Sometimes, getting the idea that checking one's work is necessary proves
to be a hard lesson to teach to some of those young whippersnappers. I
live and work in Reno NV, so I put the lesson in terms they can understand:

  "A triple check beats a double-cross."

This is sufficiently annoying to people that they do indeed check their
work...so they don't have to listen to me spout this cliche when things
get screwed up.

.-- My secret spy satellite informs me that at 2014-11-30 6:24 AM
Pierfrancesco Caci wrote:

    > Some suspicious paths I'm seeing right now:

    > 133439 5
    > 197945 4

my bet is on someone using the syntax "prepend asnX timesY" on a router
that instead wants "prepend asnX asnX...."

I agree. When looking at distribution of ASns that appear to be
hijacking prefixes, the lower number ASns stand out. AS1,2,3,4,5 are
common. When looking closer, the next-hop AS is typically the 'expected'
AS, which would confirm the prepend theory.

185.78.114.0/24 was announced as ".* 47551 5" but now as ".* 47551".
I guess they found out the 5x prepending didn't work as expected.

AS3 (MIT) seems to be particularly popular, probably by folks who
attempt to prepend 3 times. Here's a current example:

212.69.8.0/23 [BGP/170] 6d 05:45:32, MED 22007, localpref 100
                      AS path: 3356 15958 52116 3 I

This is a prefix in Serbia, routes to Serbia and doesn't seem to be
related to MIT (AS3) at all.

Another example: AS35819, Etihad Etisalat was originating some of its
prefixes as AS1 earlier this week as well.
https://twitter.com/bgpmon/status/537062576002064385

Just a few examples.

Cheers,
Andree
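
The check described in the message above (a low-numbered origin AS directly preceded by the expected origin), as an added example that is not part of the original thread. The threshold, the expected-origin table and the 64500-range upstream ASNs are assumptions made for the demo; in practice expected origins would come from IRR/RPKI data or route history.

```python
# Added example: separate likely prepend-count typos from other origin
# mismatches. MAX_PREPEND_COUNT and the expected origins are assumptions.

MAX_PREPEND_COUNT = 10  # assumed upper bound on a plausible prepend count


def classify(as_path: str, expected_origin: int) -> str:
    """Return 'ok', 'prepend-typo' or 'origin-mismatch' for one AS path."""
    asns = [int(tok) for tok in as_path.split()]
    if not asns:
        raise ValueError("empty AS path")
    origin = asns[-1]
    if origin == expected_origin:
        return "ok"
    # Expected origin sits directly before a tiny "origin" AS: the operator
    # most likely typed a repeat count where the router wanted an AS number.
    if (len(asns) >= 2 and asns[-2] == expected_origin
            and origin <= MAX_PREPEND_COUNT):
        return "prepend-typo"
    return "origin-mismatch"


# Constructed sample. The first two prefixes and their path tails are quoted
# in the thread; the leading 64500 hop, the expected origin for 212.69.8.0/23
# and the two documentation-prefix rows are assumed for illustration.
SAMPLE_ROUTES = [
    ("185.78.114.0/24", "64500 47551 5", 47551),
    ("212.69.8.0/23", "3356 15958 52116 3", 52116),
    ("192.0.2.0/24", "64500 64501 64501 64501", 64501),  # correct prepend
    ("198.51.100.0/24", "64500 64510 3", 64496),         # unrelated origin
]


def report(routes=SAMPLE_ROUTES):
    """Map prefix -> verdict for each (prefix, path, expected origin) row."""
    return {prefix: classify(path, exp) for prefix, path, exp in routes}


if __name__ == "__main__":
    for prefix, verdict in report().items():
        print(f"{prefix:18} {verdict}")
```

A "prepend-typo" verdict points to a configuration mistake by the expected origin itself, while "origin-mismatch" is the case that still needs investigation as a possible leak or hijack.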

That's sort of the BGP equivalent to BCP38 filtering, isn't it?

Cheers,
-- jra

I’m not new here but the thread caught my eye, as I am one of the lower ASs being mentioned. I guess there isn’t really anything one can do to prevent these things other than listening to route servers, etc. I guess it’s all on what the upstream decides to allow-in and re-advertise.

Jason

Jason Bothe, Manager of Networking

                               o +1 713 348 5500
                               m +1 713 703 3552
              jason@rice.edu