Dear Job, all,

First, thanks to you and Andree for that e-mail and for that
information.

On Sun, 2020-04-05 at 18:29 +0000, Job Snijders wrote:
> 
> (...)
> If we take the intersection of Andree's list with the list of missing
> VRPs, we have the IP addresses that were affected by both the RIPE
> NCC RPKI Deletion incident and the Rostelecom BGP incident. The
> following 12 prefixes (4352 IP addresses):
> 
>     peer_count    start_time  alert_type          base_prefix     base_as  announced_prefix  src_AS Affected_ASname   example_ASPath
>     49  2020-04-01  19:30:34  more_spec_by_other  91.195.240.0/23   47846  91.195.240.0/24   12389  SEDO-AS,      DE  24751 20764 12389
>     12  2020-04-01  19:29:55  more_spec_by_other  62.122.168.0/21   50245  62.122.170.0/24   12389  SERVEREL-AS,  NL  18356 38794 4651 4651 20764 12389
>     11  2020-04-01  19:30:34  more_spec_by_other  91.203.184.0/22   41064  91.203.187.0/24   12389  SKYROCK,      FR  29430 13030 20764 12389
> 
> (...)

It seems that I know at least one of those prefixes, as 91.203.187.0/24
is part of one of my customers' networks.

That specific /24 out of all their allocation is the one having
most of my customer's production (a French MF Radio, which has its own
streaming produced indoor, and some other related online applications).

I would be quite surprised if it had some significant traffic
within RU networks, but if we assume it's yet another BGP optimizer
leak, and since all those "BGP Optimizer blackbox" algorithms are quite
obscure, we cannot say.

But, it wouldn't surprise me much if they would optimize that specific
one out of all AS41064's announcements.

> If we assume the generation & propagation of these hijacks was the
> result of operator error, I imagine the change could've been reverted
> almost immediately but we'd still see a bit of sloshing for a few
> minutes through the routing system. Or perhaps the 'waves' we can see
> in Oracle's 3D rendering of the incident are the effects of Maximum
> Prefix limits kicking in and various timers firing off at different
> times.
> 
> Were these prefixes just unlucky because some BGP optimiser algorithm
> had chosen them for the purpose of traffic engineering? Was this the
> result of sophisticated planning? In any case, I can't judge the
> impact this routing incident had on the three above listed ASNs. I
> don't know what the victim IPs are used for.

As I said earlier: We didn't really notice any drop within AS41064's
network statistics. But since it's mostly FR and not RU traffic, this
could have been completely invisible for us. Fortunately the leak was
quite brief... it's just bad luck, indeed :(


Kind regards,

-- 
Clément Cavadore

