Cogent leaking /32s?

I received an alert from Cyclops telling me a probe in AS513 had seen a /32 that I announce to Cogent for one of our BGP sessions.

Did anyone else see this?

We had a problem with Cogent about a year ago. Somehow, Cymru was
announcing a /32 of ours and black-holing it for whatever reason. It
was removed, but I wasn't happy that Cogent was allowing Cymru to do this
sort of action. To this date we do not have a valid reason from Cogent
on why they allowed this to happen.

Cheers,
Zak Thompson

Are you relying on the /24 filtering "everybody" does, or did you announce it to them with NO-EXPORT set?

Yes, I absolutely love the /24 filtering "everybody" does. Internet
littering at its best.

http://thyme.apnic.net/current/data-badpfx-nos
Clue

If there is a DDoS attack going on from/to a specific /32, sometimes they do
that to avoid too much overload for the network.
Cogent should give the answer for what's going on.

Alex

Zak Thompson wrote:

ML <ml@kenweb.org> writes:

I received an alert from Cyclops telling me a probe in AS513 had seen
a /32 that I announce to Cogent for one of our BGP sessions.

Did anyone else see this?

Cyclops alerted me that the /32s my routers use got announced. I'm still
trying to figure out what's up. They're not routes I announce, and as far
as I can tell, they were announced with a CERN next hop.

seph

Yes, I absolutely love the /24 filtering "everybody" does. Internet
littering at its best.

http://thyme.apnic.net/current/data-badpfx-nos

Yes, nice...

mh

If there is a DDoS attack going on from/to a specific /32, sometimes they do
that to avoid too much overload for the network.
Cogent should give the answer for what's going on.

Generally, such is kept in-AS (null-routing or routing to some other
sink of choice).

mh

I called Cogent. Best guess is that they leaked the /32 announcements
that people do for the peer a/b stuff. They normally filter them, and
don't have any recommendation about whether or not to set no-export.

seph

seph <seph@directionless.org> writes:

There is no rule that says you have to filter at /24, or that no other
network may ever advertise something longer. This issue is probably best
expressed as "you are highly unlikely to have full global Internet
reachability if you announce something longer than a /24", not "you are
highly unlikely to have anyone accept your announcement if it is longer
than a /24".

Richard A Steenbergen wrote: