Interesting study of what seems to be real BGP shunts:
someone has already parsed out all route announcements from
ris/routeviews for the 2 specific incidents in question in the
article? and posted the contents somewhere for review? I didn't see
Renesys do that. So, they've got some unsupported conclusions that
are tough to get behind absent that data.
a message of 11 lines which said:
someone has already parsed out all route announcements from
ris/routeviews for the 2 specific incidents in question in the
article? and posted the contents somewhere for review? I didn't see
Renesys do that
Indeed. But the data is public. Let's use RouteViews. Renesys gave us
the exact time (0736 UTC) and the origin AS. From the time, let's find
the relevant RouteViews file, whose URL is made of date and time:
ftp://archive.routeviews.org/route-views.linx/bgpdata/2013.07/UPDATES/updates.20130731.0730.bz2
Download, bunzip2, bgpdump to translate the MRT to text, then
Control-S in emacs to find announcements by AS 48685. And here it is:
TIME: 07/31/13 07:36:46
TYPE: BGP4MP/MESSAGE/Update
ORIGIN: IGP
ASPATH: 6067 6677 48685
NEXT_HOP: 195.66.236.35
ANNOUNCE
64.81.96.0/24
64.81.97.0/24
64.81.101.0/24
64.81.103.0/24
64.81.110.0/24
64.81.112.0/24
64.81.113.0/24
64.81.115.0/24
64.81.116.0/24
64.81.122.0/24
64.81.125.0/24
64.81.127.0/24
64.81.161.0/24
64.81.162.0/24
64.81.163.0/24
64.81.164.0/24
64.81.166.0/24
64.81.167.0/24
64.81.169.0/24
64.81.170.0/24
64.81.171.0/24
64.81.172.0/24
64.81.177.0/24
64.81.192.0/19
64.81.199.0/24
64.81.203.0/24
64.81.204.0/24
64.81.205.0/24
64.81.208.0/24
64.81.209.0/24
64.81.212.0/24
64.81.214.0/24
64.105.6.0/23
64.105.14.0/23
64.105.20.0/23
64.105.24.0/21
64.105.32.0/21
64.105.52.0/23
64.105.54.0/23
64.105.56.0/23
64.105.58.0/23
64.105.60.0/23
64.105.62.0/23
64.105.66.0/23
64.105.70.0/23
64.105.72.0/21
64.105.82.0/23
64.105.88.0/21
64.105.114.0/23
64.105.128.0/21
64.105.144.0/21
64.105.160.0/23
64.105.162.0/23
64.105.176.0/23
64.105.180.0/22
64.105.192.0/23
64.105.194.0/23
64.105.202.0/23
64.105.210.0/23
64.105.212.0/23
64.105.218.0/23
64.105.220.0/23
64.105.226.0/23
64.105.230.0/23
64.105.240.0/23
64.105.242.0/23
64.105.244.0/22
64.105.252.0/23
66.92.20.0/24
66.92.22.0/24
66.92.46.0/24
66.92.52.0/22
66.92.64.0/19
66.92.99.0/24
66.92.100.0/24
66.92.106.0/24
66.92.144.0/24
66.92.145.0/24
66.92.147.0/24
66.92.149.0/24
66.92.152.0/24
66.92.159.0/24
66.92.160.0/24
66.92.161.0/24
66.92.162.0/24
66.92.176.0/23
66.92.213.0/24
66.92.215.0/24
66.92.224.0/20
66.92.240.0/23
66.92.241.0/24
66.93.24.0/24
66.93.25.0/24
66.93.38.0/24
66.93.39.0/24
66.93.40.0/24
66.93.49.0/24
66.93.56.0/24
66.93.59.0/24
66.93.62.0/24
66.93.74.0/24
66.93.81.0/24
66.93.82.0/24
66.93.83.0/24
66.93.84.0/23
66.93.88.0/22
66.93.99.0/24
66.93.100.0/24
66.93.103.0/24
66.93.106.0/24
66.93.107.0/24
66.93.115.0/24
66.93.168.0/23
66.93.174.0/24
66.93.176.0/23
66.93.214.0/24
66.93.216.0/24
66.93.216.0/21
66.93.224.0/24
66.93.224.0/22
66.93.228.0/24
66.93.232.0/22
66.93.240.0/24
66.93.241.0/24
66.93.242.0/24
66.93.243.0/24
66.93.244.0/24
66.93.246.0/24
66.93.248.0/24
66.93.251.0/24
66.93.252.0/23
66.134.2.0/23
66.134.18.0/23
66.134.36.0/23
66.134.38.0/23
66.134.40.0/21
66.134.48.0/21
66.134.58.0/23
66.134.60.0/23
66.134.64.0/21
66.134.76.0/23
66.134.78.0/23
66.134.98.0/23
66.134.106.0/23
66.134.116.0/23
66.134.118.0/23
66.134.136.0/21
66.134.150.0/23
66.134.152.0/21
66.134.168.0/21
66.134.176.0/23
66.134.178.0/23
66.134.182.0/23
66.134.184.0/21
66.134.208.0/21
66.134.216.0/23
66.134.220.0/23
66.134.224.0/21
66.134.232.0/21
66.134.240.0/21
66.166.10.0/23
66.166.46.0/23
66.166.64.0/21
66.166.94.0/23
66.166.112.0/23
66.166.114.0/23
66.166.136.0/23
66.166.138.0/23
66.166.144.0/21
66.166.160.0/23
66.166.162.0/23
66.166.176.0/23
66.166.180.0/23
66.166.184.0/23
66.166.200.0/21
66.166.216.0/21
66.166.244.0/23
66.166.246.0/23
66.166.248.0/23
66.166.254.0/23
66.167.0.0/21
66.167.10.0/23
66.167.26.0/23
66.167.32.0/21
66.167.50.0/23
66.167.60.0/23
66.167.62.0/23
66.167.64.0/21
66.167.72.0/21
66.167.80.0/21
66.167.96.0/21
66.167.104.0/21
66.167.118.0/23
66.167.136.0/22
66.167.152.0/21
66.167.170.0/23
66.167.176.0/21
66.167.196.0/23
66.167.208.0/23
66.167.216.0/21
66.167.224.0/21
66.167.252.0/23
66.167.254.0/23
66.253.10.0/24
66.253.20.0/24
66.253.21.0/24
66.253.22.0/24
66.253.28.0/22
66.253.40.0/22
66.253.44.0/24
66.253.45.0/24
66.253.46.0/24
66.253.47.0/24
66.253.52.0/22
66.253.56.0/24
66.253.81.0/24
66.253.82.0/24
66.253.83.0/24
66.253.84.0/24
66.253.92.0/24
66.253.93.0/24
66.253.118.0/24
67.100.0.0/23
67.100.4.0/23
67.100.48.0/21
67.100.56.0/21
67.100.72.0/21
67.100.80.0/21
67.100.96.0/21
67.100.104.0/21
67.100.112.0/21
67.100.124.0/22
67.100.128.0/23
67.100.136.0/23
67.100.138.0/23
67.100.144.0/21
67.100.168.0/21
67.100.184.0/21
67.100.192.0/21
67.100.220.0/23
67.101.14.0/23
67.101.16.0/21
67.101.72.0/21
67.101.92.0/23
67.101.94.0/23
67.101.124.0/22
67.101.128.0/21
67.101.140.0/23
67.101.142.0/23
67.101.152.0/21
67.101.176.0/21
67.101.192.0/21
67.101.200.0/21
67.101.224.0/23
67.101.230.0/23
67.101.240.0/21
67.101.248.0/21
67.102.0.0/21
67.102.8.0/23
67.102.32.0/21
67.102.40.0/21
67.102.48.0/21
67.102.60.0/23
67.102.96.0/21
67.102.112.0/21
67.102.120.0/23
67.102.124.0/23
67.102.144.0/21
67.102.152.0/21
67.102.166.0/23
67.102.168.0/21
67.102.176.0/21
67.102.200.0/21
67.102.234.0/23
67.102.240.0/21
67.102.248.0/21
67.103.0.0/21
67.103.8.0/21
67.103.24.0/21
67.103.64.0/21
67.103.102.0/23
67.103.110.0/23
67.103.112.0/21
67.103.160.0/23
67.103.162.0/23
67.103.192.0/21
67.103.200.0/23
67.103.202.0/23
67.103.226.0/23
67.103.250.0/23
67.103.252.0/23
67.103.254.0/23
68.164.24.0/21
68.164.32.0/21
68.164.44.0/23
68.164.78.0/23
68.164.80.0/20
68.164.96.0/21
68.164.126.0/23
68.164.160.0/21
68.164.192.0/21
68.164.208.0/23
These addresses have no relationship with Iceland so we can say it's a
hijacking. But do note there is no AS prepending in the announcement (the
trick described by Kapela & Pilosov to create a clean return path).
Finding the other announcements in RouteViews is left as an exercise
(hint: use a RouteViews collector close to the announcement, here in
England, because the hijacking announcement did not propagate everywhere).
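The procedure above (pick the RouteViews UPDATES file from the time, bgpdump it, search the text for the origin AS, eyeball the AS path for prepending) is easy to script. The following is an added example, not code from the thread or from the RouteViews project: it builds the archive URL from a UTC timestamp using the 15-minute file naming shown above, parses bgpdump's default text layout as quoted in the thread, and flags adjacent duplicate ASNs in the path as prepending. The first sample record reproduces (truncated) the real update quoted above; the second record, with origin AS64496 and 192.0.2.0/24, is constructed to exercise the prepending check.

```python
"""Locate the RouteViews UPDATES file for a UTC timestamp and pull the
announcements originated by one AS out of bgpdump's default text output,
flagging AS-path prepending.  Added example; the record layout follows the
bgpdump output quoted in the thread, and the second sample record
(AS64496, 192.0.2.0/24) is constructed, not observed."""
import re
from datetime import datetime, timezone

ARCHIVE = "ftp://archive.routeviews.org"

# Time and date of the incident as given in the thread (0736 UTC, 2013-07-31).
INCIDENT_TIME = datetime(2013, 7, 31, 7, 36, 46, tzinfo=timezone.utc)


def routeviews_update_url(ts: datetime, collector: str = "route-views.linx") -> str:
    """RouteViews writes one UPDATES file per 15-minute bucket, named by the
    bucket's start time in UTC, so 07:36:46 lands in updates.*.0730.bz2.
    `ts` must be timezone-aware."""
    ts = ts.astimezone(timezone.utc)
    bucket = ts.replace(minute=(ts.minute // 15) * 15, second=0, microsecond=0)
    return (f"{ARCHIVE}/{collector}/bgpdata/{bucket:%Y.%m}/UPDATES/"
            f"updates.{bucket:%Y%m%d.%H%M}.bz2")


def parse_bgpdump(text: str) -> list:
    """Parse bgpdump's verbose output (records separated by a blank line).
    'KEY: value' lines become fields; lines after ANNOUNCE or WITHDRAW are
    prefixes.  IPv6 prefixes contain ':' but never ': ', so the split is safe."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"ANNOUNCE": [], "WITHDRAW": []}
        section = None
        for line in chunk.splitlines():
            line = line.strip()
            if not line:
                continue
            if line in ("ANNOUNCE", "WITHDRAW"):
                section = line
            elif ": " in line:
                key, value = line.split(": ", 1)
                rec[key] = value.strip()
                section = None
            elif section:
                rec[section].append(line)
        records.append(rec)
    return records


def origin_as(aspath: str) -> str:
    """The origin is the rightmost AS (an AS_SET origin shows up as '{a,b}')."""
    return aspath.split()[-1]


def is_prepended(aspath: str) -> bool:
    """Prepending shows up as the same ASN in adjacent path positions."""
    hops = aspath.split()
    return any(a == b for a, b in zip(hops, hops[1:]))


def announcements_by_origin(text: str, asn: int) -> list:
    """One row per prefix announced with origin `asn`, with a prepending flag."""
    rows = []
    for rec in parse_bgpdump(text):
        path = rec.get("ASPATH", "")
        if not path or origin_as(path) != str(asn):
            continue
        for prefix in rec["ANNOUNCE"]:
            rows.append({"time": rec.get("TIME"), "prefix": prefix,
                         "aspath": path, "prepended": is_prepended(path)})
    return rows


# Constructed sample: record 1 is the real update from the thread, truncated
# to three prefixes; record 2 is invented to show a prepended path.
SAMPLE = """\
TIME: 07/31/13 07:36:46
TYPE: BGP4MP/MESSAGE/Update
ORIGIN: IGP
ASPATH: 6067 6677 48685
NEXT_HOP: 195.66.236.35
ANNOUNCE
  64.81.96.0/24
  64.81.97.0/24
  64.81.192.0/19

TIME: 07/31/13 07:36:50
TYPE: BGP4MP/MESSAGE/Update
ORIGIN: IGP
ASPATH: 6067 64496 64496 64496
NEXT_HOP: 195.66.236.35
ANNOUNCE
  192.0.2.0/24
WITHDRAW
  198.51.100.0/24
"""

if __name__ == "__main__":
    print(routeviews_update_url(INCIDENT_TIME))
    for row in announcements_by_origin(SAMPLE, 48685):
        print(row)
```

On a real file, replace SAMPLE with the output of `bgpdump updates.20130731.0730.bz2` (bgpdump reads the bz2 directly); the collector argument selects another RouteViews vantage point, which matters here because, as noted above, the announcement did not reach every collector.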
first, awesome, thanks...
<snip>
68.164.80.0/20
68.164.96.0/21
68.164.126.0/23
68.164.160.0/21
68.164.192.0/21
68.164.208.0/23
These addresses have no relationship with Iceland so we can say it's a
hijacking. But do note there is no AS prepending in the announcement (the
trick described by Kapela & Pilosov to create a clean return path).
yea.. so this smells, to me, like a leak from a 'route optimization'
box (netvmg or whatever they eventually became). These are all pretty
small prefixes and there are covering routes for these as well (for
one, 68.164.24.0/21, from the RV data):
18566 | 68.164.0.0/14 | MEGAPATH5-US - MegaPath Corporation
18566 | 68.164.24.0/21 | MEGAPATH5-US - MegaPath Corporation
so... err... potentially:
1) route-optimization box sends routes into iBGP with local origin-as
2) routes aren't properly managed (community/etc) from local ISP ->
transits/peers
3) peers/transits didn't filter (some of them did apparently)
4) routes make it into the larger DFZ (or parts of the dfz at least, clearly)
Traffic comes to 68.164.24.1 along a 'false path' in the dfz, in to
the icelandic ISP and follows the iBGP learned path exiting
(fortunately) out the isp that filtered...
I'm sure you could construct lots of other pathological cases, but
this seems plausible enough to me...
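The covering-route comparison the message above does by hand for 68.164.24.0/21 (MegaPath, AS 18566, already originates both 68.164.0.0/14 and 68.164.24.0/21) can be run over the whole prefix list. The following is an added example, not code from the thread: it loads a small baseline of "ASN | prefix | description" rows, walks each suspect prefix up to its longest covering route, and reports whether the suspect announcement is an exact-prefix origin conflict, a more-specific of someone else's route (the leak/hijack pattern), or uncovered. The baseline here is only the two MegaPath rows quoted above, so prefixes outside 68.164.0.0/14, such as 64.81.96.0/24, report no cover; a real run would use a full RIB snapshot from before the incident.

```python
"""Compare suspect announcements with the covering routes in a baseline
table.  Added example, not from the thread.  The baseline rows are the two
MegaPath routes quoted above; the suspect prefixes come from the AS48685
announcement earlier in the thread."""
import ipaddress


def load_baseline(rows):
    """Parse 'ASN | prefix | description' rows into {network: {origin ASNs}}."""
    table = {}
    for row in rows:
        asn, prefix, *_ = (field.strip() for field in row.split("|"))
        table.setdefault(ipaddress.ip_network(prefix), set()).add(int(asn))
    return table


def classify(prefix, origin, table):
    """Report the longest baseline route covering `prefix` and a verdict:
      consistent      same prefix, same origin
      origin-conflict same prefix, different origin
      more-specific   covered only by a shorter route with a different origin
      own-deaggregate covered only by a shorter route with the same origin
      no-cover        nothing in the baseline covers it"""
    net = ipaddress.ip_network(prefix)
    for plen in range(net.prefixlen, -1, -1):
        cover = net if plen == net.prefixlen else net.supernet(new_prefix=plen)
        if cover not in table:
            continue
        origins = table[cover]
        if cover == net:
            verdict = "consistent" if origin in origins else "origin-conflict"
        else:
            verdict = "own-deaggregate" if origin in origins else "more-specific"
        return {"prefix": prefix, "origin": origin, "cover": str(cover),
                "cover_origins": sorted(origins), "verdict": verdict}
    return {"prefix": prefix, "origin": origin, "cover": None,
            "cover_origins": [], "verdict": "no-cover"}


def audit(announced, origin, table):
    """Classify every announced prefix against the baseline."""
    return [classify(p, origin, table) for p in announced]


# Baseline: the two MegaPath rows quoted from the RouteViews data above.
BASELINE = load_baseline([
    "18566 | 68.164.0.0/14 | MEGAPATH5-US - MegaPath Corporation",
    "18566 | 68.164.24.0/21 | MEGAPATH5-US - MegaPath Corporation",
])

# Suspect prefixes taken from the AS48685 announcement; 64.81.96.0/24 has no
# cover in this deliberately small baseline.
SUSPECT = ["68.164.24.0/21", "68.164.80.0/20", "64.81.96.0/24"]

if __name__ == "__main__":
    for r in audit(SUSPECT, 48685, BASELINE):
        print(f'{r["prefix"]:>16} {r["verdict"]:<16} '
              f'cover={r["cover"]} origins={r["cover_origins"]}')
```

The exact-prefix conflict on 68.164.24.0/21 is what the leaked-optimizer theory predicts: the same prefixes that legitimately exist in the table reappear with a new origin, rather than new more-specifics carved out to win longest-match.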
first, awesome, thanks...
<snip>
68.164.80.0/20
68.164.96.0/21
68.164.126.0/23
68.164.160.0/21
68.164.192.0/21
68.164.208.0/23
These addresses have no relationship with Iceland so we can say it's a
hijacking. But do note there is no AS prepending in the announcement (the
trick described by Kapela & Pilosov to create a clean return path).
yea.. so this smells, to me, like a leak from a 'route optimization'
box (netvmg or whatever they eventually became). These are all pretty
So, I was thinking over dinner that there's a simpler explanation
(that fails if this was a more full-table-ish leak): the Icelandic
provider could have done something like putting external BGP data into
their IGP, then pulling it back out into BGP ... which is a lot more like
AS7007-like problems than netvmg-like problems.
I would expect that OSPF/IS-IS would barf with ~400k paths though, so
I'm still betting on netvmg-ish issues.