Invalid prefix announcement from AS9035 for 129.77.0.0/16

About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate it if people who have time could double check and let me know if any announcements are active except from our AS6128/AS6395 upstreams.

If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE?

Hi Matthew,
You are not the only one having this issue. They are announcing some other
prefixes as well!

Agreed. Our prefixes at AS40060 were announced as well. I received a
notification around 7:00am EDT that our prefixes were detected announced
from AS9035 with the same upstream AS1267.

We also received a notification that our IP block 67.135.55.0/24 (AS19629) is being announced by AS9035. Hopefully someone is receiving my emails.

Thanks

Dylan Ebner, Network Engineer
Consulting Radiologists, Ltd.
1221 Nicollet Mall, Minneapolis, MN 55403
ph. 612.573.2236 fax. 612.573.2250
dylan.ebner@crlmed.com
www.consultingradiologists.com

Lots of people were affected, but none significantly. They originated
86,747 networks very briefly (less than a minute at 7:23 UTC), and I don't
think anyone outside Telecom Italia's customer cone even saw them. So the
impact was really, really limited. The correct origins were being
reasserted even before the last of the announcements came over the wire.

It always irks me when I see "routing alerts" that arrive hours after the
event is over, without any of the context that would allow you to know
whether it had any real impact. Your instinct to check looking glasses is
the right one, but you have to move quickly and know where to look.

Of course, I'm biased. --jim

We are seeing the same thing with 66.146.192.0/19 & 66.251.224.0/19.
According to Cyclops this is still continuing...

Dylan Ebner wrote:

Does anyone know why it takes BGPMon so long to send out an email? It looks like BGPMon detected the AS9035 announcements at the right time (around 7:00 UTC) but I didn't get a notification until around 13:00 UTC. It seems like many people rely on BGPMon to do this type of detection, so the long delay is frustrating.

Thanks

Dylan Ebner

I just received confirmation from AS9035 that they are not announcing my IP block.

Dylan Ebner, Network Engineer

Usually I get alerts from BGPMon within about 20 minutes of an event being detected. Not so much with the event this morning. I'm guessing that the origination of 86,747 prefixes from the wrong AS probably got their MTA pretty busy...

I thought that may be the case as well. Do people know of other services like BGPMon that may be able to keep up with the load better? Does anyone know how Cyclops fared this morning with the additional load?

Dylan Ebner

there are multiple systems available, sign up for a few

i've noticed cyclops alerts are sent faster than bgpmon

PHAS was fast, but the project is over and something new is going to be released

there is ripe MyASN

there is watchmynet

and IAR

I actually got origin change alerts from Cyclops about 2 minutes after the announcements started.
-Andy

I actually got origin change alerts from Cyclops about 2 minutes after the announcements started.

your email address starts with an A...

So one of Jim's subtle hints here is that for folks willing to pay for
alerting, they (renesys) can (not that I have any data to support this)
alert 'in a timely fashion'.

I suspect when you're depending upon a machine under someone's desk
that's not getting revenue support you get what you pay for. Note
well, that I (personally) don't subscribe to any of these services...

-Chris

Matthew Huff wrote:

About 4 hours ago BGPmon picked up a rogue announcement of 129.77.0.0 from AS9035 (ASN-WIND Wind Telecomunicazioni spa) with an upstream of AS1267 (ASN-INFOSTRADA Infostrada S.p.A.). I don't see it now on any looking glass sites. Hopefully this was just a typo that was quickly corrected. I would appreciate it if people who have time could double check and let me know if any announcements are active except from our AS6128/AS6395 upstreams.

If this were to persist, what would be the best course of action to resolve it, especially given that the AS was within RIPE?

----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

Was there an explanation for the leak posted?

Maybe this was a coincidence but the only prefixes I received alerts on were prefixes I only advertise to Level3. There was one exception. There was a leaked prefix that is the next /24 above on our Level3 only prefixes.

-ML

on a side note, has anyone that's running any of these type of
monitoring services performed any analysis or compiled any metrics
on leaks? (renesys maybe?)

personally, i'd be sort of interested in seeing some stats on leaks such as:

origin (asn/network, country, common/exchange point)
duration of leak
size of leak
# of upstream networks that accepted the leaked prefixes
asn of networks that accepted the leak
# of incidents per network/repeat offenders

-ck
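
The origin check this thread relies on, combined with the leak metrics asked about in the last message, as an added example that is not code from any poster or monitoring service. The 67.135.55.0/24 / AS19629 pair and the AS9035/AS1267 path come from the thread; the update feed, its timings and the 645xx documentation ASNs are constructed, and the upstream is taken as the AS just before the origin, which assumes no path prepending.

```python
import ipaddress

# Prefix -> legitimate origin ASNs (the 67.135.55.0/24 / AS19629 pair is from the thread).
EXPECTED = {ipaddress.ip_network("67.135.55.0/24"): {19629}}

# Constructed feed: (seconds, collector peer, prefix, AS path or None for a withdrawal).
# Peers 64500/64501 and transit 64496 are documentation ASNs; timings are invented.
UPDATES = [
    (0, 64500, "67.135.55.0/24", [64500, 64496, 19629]),
    (10, 64501, "67.135.55.0/24", [64501, 1267, 9035]),    # unexpected origin
    (12, 64500, "67.135.55.0/25", [64500, 1267, 9035]),    # more-specific of a monitored prefix
    (40, 64501, "67.135.55.0/24", [64501, 64496, 19629]),  # expected origin reasserted
    (55, 64500, "67.135.55.0/25", None),                   # withdrawn
]

def covering(prefix):
    """Return the monitored prefix equal to or covering `prefix`, else None."""
    net = ipaddress.ip_network(prefix)
    for known in EXPECTED:
        if net.version == known.version and net.subnet_of(known):
            return known

def origin_events(updates):
    """One record per (peer, prefix) episode; ends on withdrawal or expected origin."""
    active, done = {}, []
    for ts, peer, prefix, path in sorted(updates, key=lambda u: u[0]):
        known = covering(prefix)
        if known is None:
            continue
        key = (peer, prefix)
        bad = path is not None and path[-1] not in EXPECTED[known]
        if bad and key not in active:
            active[key] = {"prefix": prefix, "peer": peer, "origin": path[-1],
                           "upstream": path[-2] if len(path) > 1 else None,
                           "start": ts, "end": None}
        elif not bad and key in active:
            done.append({**active.pop(key), "end": ts})
    return done + list(active.values())

def summarize(events):
    """Per-origin leak stats: prefixes seen, accepting upstreams, longest duration."""
    stats = {}
    for ev in events:
        s = stats.setdefault(ev["origin"], {"prefixes": set(), "upstreams": set(), "longest": 0})
        s["prefixes"].add(ev["prefix"])
        s["upstreams"].add(ev["upstream"])
        if ev["end"] is not None:
            s["longest"] = max(s["longest"], ev["end"] - ev["start"])
    return stats
```

Matching on the covering prefix rather than the exact prefix is what catches the /25: a more-specific from the wrong origin wins on longest match even while the legitimate /24 is still announced.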