On Sat, Jun 9, 2012 at 11:13 AM, Joe Provo <[email protected]> wrote: > On Fri, Jun 08, 2012 at 04:27:29PM -0400, Christopher Morrow wrote: >> err, last 3 times I asked this I was shown the error of my ways, but >> here goes... >> >> 209.250.228.241 - seems to not have any records in ARIN's WHOIS >> database, everythign seems to roll up to the /8 record :( >> >> I see this routed as a /23: (from routeviews) >> BGP routing table entry for 209.250.228.0/23, version 2072545487 >> Paths: (33 available, best #19, table Default-IP-Routing-Table) >> Not advertised to any peer >> 3277 3267 174 27431 14037 >> 194.85.102.33 from 194.85.102.33 (194.85.4.4) >> Origin IGP, localpref 100, valid, external >> Community: 3277:3267 3277:65321 3277:65323 3277:65330 >> >> If I look at the ASN in particular: AS14037 >> no records exist for that in ARIN's WHOIS database either ;( If I look >> at all the networks announced by AS14037: >> 14037 | 204.8.216.0/21 | >> 14037 | 209.250.224.0/19 | >> 14037 | 209.250.228.0/23 | >> 14037 | 209.250.242.0/24 | >> 14037 | 209.250.247.0/24 | > > If you query filtergen.level3.com, they are expecting to see it from > this ASN: > > Prefix list for policy as14037 = > LEVEL3::AS14037 > > 204.8.216.0/21 > 209.250.224.0/20 > >> 14037 | 64.18.128.0/19 | >> 14037 | 64.18.159.0/24 | > > ...but not those, which are registered in ALTDB (as the /19)along > with the squatted 204.8.216.0/21 and 209.250.224.0/20 > > > route: 64.18.128.0/19 > descr: RackVibe LLC > origin: AS14037 > admin-c: GC373-ARIN > tech-c: GC373-ARIN > notify: [email protected] > mnt-by: MNT-6GTECH > changed: [email protected] 20081007 > source: ALTDB > > >> none of them have any records in the ARIN WHOIS database :( The >> upstream for this network is AS 27431 - JTL Networks >> who seems to get transit/peer with 3356/174. > > Amusingly, AS27431 is still the RR contacts cording to the IRR. Score > another one in the 'inaccurate IRR' column.
yea, automated filter generation from IRR's ... not always good :( >> It's nice to see folk who use IRR databases to filter their customers >> still permit this sort of thing to go on though: AS3356 I'm looking at >> you... > > Here's a clue of future prefixes to watch for 3356 allowing from > this particular nest: > > % whois -h filtergen.level3.com -- "-searchpath=ARIN;RIPE;RADB;ALTDB;LEVEL3 > as27431" > Prefix list for policy as27431 = > ARIN::AS27431 LEVEL3::AS27431 ALTDB::AS27431 RADB::AS27431 > RIPE::AS27431 > > 66.132.44.0/24 > 66.132.45.0/24 > 66.132.47.0/24 > 69.36.0.0/20 > 209.41.200.0/24 > 209.41.202.0/24 > 209.115.40.0/24 > 209.115.41.0/24 > 209.115.42.0/24 > 209.115.43.0/24 > 209.115.108.0/24 > 216.28.47.0/24 > 216.28.134.0/24 > 216.29.53.0/24 > 216.29.115.0/24 > 216.29.116.0/24 > 216.29.117.0/24 > 216.29.121.0/24 > 216.29.122.0/24 > 216.29.152.0/24 > 216.29.194.0/24 > 216.29.247.0/24 > % > most (by random sample of queries to whois.arin.net) of these at least still had entries in the db. >> I think first: "Where are the records for this set of ip number resources?" >> and second: "Why are we still seeing this on the network with no way >> to contact the operators of the resources?" > > You can try and contact the entities that are called 'RackVibe' accordin > and '6G Tech' according to the various IRR registry entries for 14037 and > 46496. Sketchy things which geolocate to Seacaucus? Whoda thunk. yea :( I'd sort of prefer if the transit here would just stop accepting the announcement(s) in question (which they do today , several filter-gen runs since friday). -chris > -- > RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
