Oddities in a bad route announcement

Sean_Donelan4 · May 29, 1999, 9:52am

At first I thought this was just another Bay router causing Warwick
Online (ASN11606) to leak routes between UUNET and Sprint. But when I
looked into it, I found a few oddities. Unlike most bad route incidents,
this seems to hijack a route for very specific site. Usually bad routes
blackhole in the provider, so suffer so much congestion it is quickly noticed.
In addition, usually a more specific announcement caused the problem. You
could still find the "correct" route somewhere. In this case, I can't find
the real 192.104.54.0/24 announcement on route-server.cerf.net, digex
looking glass, or my own bgp sessions.

Yes, I've already reported this to the providers involved. But in the
more general sense, anyone have a hypothesis why this would happened?
The blockage of the real announcement from the direct upstream provider
seems very strange.

traceroute to infoserver.FCC.gov (192.104.54.3), 30 hops max, 38 byte packets
1 StLouis22-fe6-0-0.dra.net (192.65.218.2) 10 ms 0 ms 10 ms
2 sl-gw2-kc-3-7.sprintlink.net (144.232.129.97) 10 ms 10 ms 10 ms
3 sl-bb2-kc-12-0.sprintlink.net (144.224.20.2) 10 ms 10 ms 10 ms
4 sl-bb10-kc-1-1.sprintlink.net (144.232.2.21) 10 ms 10 ms 10 ms
5 sl-bb11-chi-4-0.sprintlink.net (144.232.9.118) 20 ms 20 ms 20 ms
6 sl-bb5-chi-0-0-0.sprintlink.net (144.232.0.170) 20 ms 20 ms 20 ms
7 sl-bb7-pen-5-0-0.sprintlink.net (144.228.10.37) 40 ms 40 ms 30 ms
8 sl-bb11-pen-1-3.sprintlink.net (144.232.5.57) 30 ms 40 ms 40 ms
9 sl-gw24-pen-4-0-0.sprintlink.net (144.232.5.182) 40 ms 50 ms 40 ms
10 sl-warwick-3-0-0.sprintlink.net (144.232.188.214) 40 ms 70 ms 60 ms
11 208.228.101.2 (208.228.101.2) 50 ms 50 ms 50 ms
12 905.Hssi2-0.GW3.NYC1.ALTER.NET (157.130.6.237) 50 ms 50 ms 50 ms
13 104.ATM3-0.XR1.NYC1.ALTER.NET (146.188.177.138) 60 ms 50 ms 60 ms
14 195.ATM3-0.TR1.NYC1.ALTER.NET (146.188.178.182) 60 ms 50 ms 50 ms
15 104.ATM5-0.TR1.DCA1.ALTER.NET (146.188.136.213) 60 ms 50 ms 50 ms
16 199.ATM6-0.XR1.DCA1.ALTER.NET (146.188.161.129) 50 ms 50 ms 50 ms
17 195.ATM9-0-0.GW2.DCA3.ALTER.NET (146.188.163.185) 50 ms 50 ms 50 ms
18 fcc.gov-gw.customer.alter.net (157.130.39.150) 60 ms 50 ms 60 ms
19 infoserver.fcc.gov (192.104.54.3) 50 ms * 50 ms

M_David_Leonard · May 29, 1999, 1:35pm

Sean-

It looks OK from here right now:

traceroute to infoserver.fcc.gov (192.104.54.3), 30 hops max, 40 byte packets
1 ShaysNet-gw.shaysnet.com (199.170.68.2) 3 ms 3 ms 3 ms
2 Loopback0.GW2.BOS1.Alter.Net (137.39.2.208) 9 ms 9 ms 9 ms
3 124.ATM2-0.XR1.BOS1.ALTER.NET (146.188.176.242) 8 ms 9 ms 8 ms
4 291.ATM2-0.TR1.NYC1.ALTER.NET (146.188.179.90) 14 ms 13 ms 14 ms
5 104.ATM7-0.TR1.DCA8.ALTER.NET (146.188.138.117) 21 ms 20 ms 20 ms
6 152.63.32.165 (152.63.32.165) 20 ms 19 ms 20 ms
7 195.ATM9-0-0.GW2.DCA3.ALTER.NET (146.188.163.185) 21 ms 21 ms 24 ms
8 fcc.gov-gw.customer.alter.net (157.130.39.150) 21 ms 22 ms 22 ms
9 infoserver.fcc.gov (192.104.54.3) 26 ms * 24 ms

But (IIRC) Warwick Online hosed UUNet a few months back by
injecting BGP bogons into their backbone. It appeared to be a router
misconfiguration at the time. Maybe this was just another typo (JAT).
Regards,

David Leonard
ShaysNet