Hi List
Yesterday I noticed a large number of 'bogon' IPv6 announcements.
I think it was about 100 different (IPv6) bogon prefixes [1] [2] being
announced from what looks like a variety of origin ASns.
Being the administrator of one of these ASns, I'm quite confident that
we were not actually
Seems like they moved to Amazon a few hours ago:
$ whois -h whois.bgpmon.net wikileaks.org
Prefix: 46.51.128.0/18
Prefix description: Amazon EU AWS Dublin
Country code:IE
Origin AS: 39111
Origin AS Name: ADSI-AS Amazon EU DC AS
.-- My secret spy satellite
Hi,
Looking at the BGP announcements it seems that the problem started at
around 22:28 UTC.
Most of the Autonomous systems operating in Egypt are currently not
announcing any or at least significantly fewer prefixes.
The one exception seems to be AS20928 (Noor Data Networks).
For more
.-- My secret spy satellite informs me that at 11-01-30 1:22 PM Randy
Bush wrote:
So, what are peoples' routing policies on RPKI going to be? Are people
going to drop prefixes with no RPKI record? Or drop prefixes with an
incorrect RPKI record? Or drop prefixes with a revoked status?
Hi Randy,
.-- My secret spy satellite informs me that at 11-01-30 11:18 PM Randy
Bush wrote:
so i am not sure what your point is. please clarify with a concrete
example.
Adjusting a route's degree of preference in the selection algorithm
based on its validation state only works if it's
.-- My secret spy satellite informs me that at 11-01-31 12:11 PM
Christopher Morrow wrote:
I understand this is by design, but I can imagine some operators will be
reluctant to actually drop routes when they start testing RPKI deployments
in their networks.
yes, but what is the way forward?
Hi Danny,
.-- My secret spy satellite informs me that at 11-01-31 2:41 PM Danny
O'Brien wrote:
Does anyone have a list of routes that are still up, and seem to correlate
with Egyptian locations? Andree's last list is here:
http://bgpmon.net/egypt-routes-jan29-2011.txt
Here's an updated
Hi,
Here's a quick summary of what we saw at BGPMon.net.
At 2013-01-11 14:14:13 we saw announcements (seemingly) originated by
26347, for prefixes normally announced by other ASn's (origin change /
hijack).
This seems to have affected 112 prefixes for 110 ASn's [1], including
Rogers, Tata,
Hi Kenneth,
.-- My secret spy satellite informs me that at 2013-01-11 8:54 AM
Kenneth McRae wrote:
Thanks for that info Andree. The only valid peer I see on the list
would be HE. We do not peer with any of the others listed.
Could it be these ASns receive your routes via an IX route-server?
.-- My secret spy satellite informs me that at 2013-01-11 10:44 AM
Kenneth McRae wrote:
Yes, now that is possible (just no direct peering). So that takes me
back to my original statement about not announcing the 150.182.208.0/20
prefix to begin with.
Here's some more
.-- My secret spy satellite informs me that at 2013-03-06 12:59 AM
Matsuzaki Yoshinobu wrote:
According to RIPE RIS, AS26347 announced a bunch of prefixes again.
- http://www.ris.ripe.net/dashboard/26347
First suspicious announcement was started 2013-03-06 07:52:40 UTC, and
last seen
Hi Chris,
.-- My secret spy satellite informs me that at Mon, 25 May 2009, Chris Caputo
wrote:
Would going below 60-180 without first discussing it with your peers, tend
to piss them off?
60-180 is fairly conservative. 60-180 is the Cisco default I believe, however
Juniper's defaults are
Hi Jason,
.-- My secret spy satellite informs me that at Fri, 04 Sep 2009, Olsen, Jason
wrote:
What I'm left thinking is that it would have been great if we'd had a
snapshot of our core routing table as it stood hours or even days prior
to this event occurring, so that I could compare it
Hi Eric,
.-- My secret spy satellite informs me that at Thu, 08 Oct 2009, Eric Gearhart
wrote:
Is anyone else seeing general routing weirdness on the Internets, or at
least can someone point me at a good BGP dashboard site that monitors the
state of routing tables at various places?
I have
Hi,
.-- My secret spy satellite informs me that at 11-12-20 11:16 AM Bret
Clark wrote:
Is http://cyclops.cs.ucla.edu/ still working? I don't seem to receive
emails from them anymore when we stop announcing to one of our upstream
providers. On the other hand http://bgpmon.net/ does send me
Hi Vinny,
.-- My secret spy satellite informs me that at 11-12-21 5:17 AM Vinny
Abello wrote:
Unless I'm misunderstanding something, I'm concerned regarding the IPv4 bogon
list on http://bgpmon.net/showbogons.php?inet=4 . It clearly includes several
/8's that should not be there. The data
Hi Christopher,
.-- My secret spy satellite informs me that at 11-12-21 9:06 AM
Christopher J. Pilkington wrote:
I'm trying to edit my prefixes' AS path regex in BGPmon, and when I add a
'\s' in the Regular expression field, upon save, the '\' is stripped.
Is this expected behavior?
The
Hi Georgios,
.-- My secret spy satellite informs me that at 12-03-01 1:11 AM
Georgios Theodoridis wrote:
Has it been known the exact time of the incident?
I have found an article reporting that the cut occurred in the mid-day
of Saturday 25th but nothing more precise.
We would like to use
.-- My secret spy satellite informs me that at 12-07-19 10:00 PM George
Bonser wrote:
Can anyone confirm?
Yes confirmed, about 90% of the Syrian prefixes disappeared from the BGP
tables between 13:32 and 14:13 (UTC) earlier today (2012-07-19).
Cheers,
Andree
Hi,
.-- My secret spy satellite informs me that at 12-08-08 11:35 AM Darius
Jahandarie wrote:
On Wed, Aug 8, 2012 at 2:31 PM, Zachary McGibbon
zachary.mcgibbon+na...@gmail.com wrote:
Anyone at Bell Canada / Sympatico can tell us what's going on? Our routing
table is going nuts with Bell
informs me that at 12-08-08 12:50 PM Andree
Toonk wrote:
Hi,
.-- My secret spy satellite informs me that at 12-08-08 11:35 AM Darius
Jahandarie wrote:
On Wed, Aug 8, 2012 at 2:31 PM, Zachary McGibbon
zachary.mcgibbon+na...@gmail.com wrote:
Anyone at Bell Canada / Sympatico can tell us
Hi all,
.-- My secret spy satellite informs me that at Thu, 13 Nov 2008, Todd Underwood
wrote:
that's why i recommend that prefix hijacking detection systems do
thresholding of
peers to prevent a single, rogue, unrepresentative peer from reporting
a hijacking when none is really
Hi,
.-- My secret spy satellite informs me that at Fri, 20 Feb 2009, Giuliano
Peritore wrote:
I think that the case of AS47868 is the same, because I seed the
modulo was involved too.
For those interested, I made an overview of longest AS paths observed per day,
starting with
://www.toonk.nl/bogon-traffic-analysis.pdf
There's also a presentation http://www.toonk.nl/presentations.php
Cheers,
Andree
--
Andree Toonk
http://www.toonk.ca/blog/
Hi,
.-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank
Nussbacher wrote:
I too spotted this via PHAS for a large number of prefixes, but have not
received alerts from IAR, Watchmy.Net nor does RIPE RIS show this hijack:
http://www.ris.ripe.net/perl-risapp/risearch.html
Hi Hank,
.-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank
Nussbacher wrote:
Looking at that raw data from both routeviews and Ripe, it looks like they
(AS8997) 'leaked' a full table, i.e. :
* 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895
Hi William,
.-- My secret spy satellite informs me that at Mon, 14 Dec 2009, William
Pitcock wrote:
Does anyone know of a webservice that converts a given IP into the
public CIDR range that belongs to? I am developing a tool where IP to
CIDR conversion based on RIR whois data would be
.-- My secret spy satellite informs me that at Mon, 11 Jan 2010, Mark Jackson
wrote:
I'd say that is a bogus route/AS announcement.
I see nothing in the address assignment for that. But I see traffic
started originating around 12/15/2009.
Actually d000::/8 has been around for 2 months
Hi Grzegorz,
.-- My secret spy satellite informs me that at 08/04/10 9:33 AM
Grzegorz Janoszka wrote:
Just half an hour ago China Telecom hijacked one of our prefixes:
Your prefix: X.Y.Z.0/19:
Prefix Description: NETNAME
Update time: 2010-04-08 15:58 (UTC)
Detected by #peers: 1
Detected
Hi Jul, list
.-- My secret spy satellite informs me that at 08/04/10 1:57 PM jul wrote:
So, how each one has assess the impact of this on his network ? How
could we check where route's propagation stop(ed) ?
Thanks to Renesys and Team Cymru for the stats of how many
prefixes/countries where
Hi Michael,
.-- My secret spy satellite informs me that at 12/05/10 9:09 AM Michael
Holstein wrote:
I am aware of sites that list all the netblocks associated with China
(for example) .. is there any place that publishes an updated list of
what netblocks are used by what countries? (all of
.-- My secret spy satellite informs me that at 2013-06-19 10:34 PM Paul
Ferguson wrote:
; DiG 9.7.3 @localhost yelp.com A
SNIP
;; ANSWER SECTION:
yelp.com. 300 IN A 204.11.56.20
Interesting to see that traffic to this IP address is going through
prolexic...
I guess they're considering
.-- My secret spy satellite informs me that at 2013-06-20 12:31 AM
Andree Toonk wrote:
.-- My secret spy satellite informs me that at 2013-06-19 10:34 PM Paul
Ferguson wrote:
; DiG 9.7.3 @localhost yelp.com A
SNIP
;; ANSWER SECTION:
yelp.com. 300 IN A 204.11.56.20
Interesting
Hi,
.-- My secret spy satellite informs me that at 2013-06-20 12:38 AM Paul
Ferguson wrote:
I have no knowledge of any DDoS -related activity involving Yelp! and
Prolexic. Even if there is one, the fact that their DNS records have
been poisoned has no direct relationship to any current DDoS
Hi Parthiv,
.-- My secret spy satellite informs me that at 2013-08-01 7:00 AM Shah,
Parthiv wrote:
My apology if I am asking for a repeat question on the list. On 7/29/13 I
read an incident about accidental BGP broadcast see article here
.-- My secret spy satellite informs me that at 2013-09-03 8:07 AM Jay
Ashworth wrote:
There are people who are manually stuck on the wrong network's servers, or
those who are configured to 4.4.4.4/8.8.8.8/4.2.2.1 by IT people (or
themselves)
or to OpenDNS or the like, but I'd be surprised
I can confirm that indosat appears to be hijacking many prefixes.
HE 6939 is one of the networks picking it up and distributing it
further. Here's an example for a Syrian prefix:
http://portal.bgpmon.net/data/indosat-hijack.png
Quick update from BGPmon:
We've detected 415,652 prefixes being hijacked by Indosat today. 8,233
of those were seen by more than 10 of our BGP collectors.
When receiving a BGPmon alert, one of the metrics to look at that will
help with determining the scope and impact is the 'Detected by #peers'
.-- My secret spy satellite informs me that at 2014-09-03 10:27 AM Doug
Madory wrote:
http://www.bgpmon.net/using-bgp-data-to-find-spammers/
This blog post furthers this discussion, but it would have been appropriate
to cite my original analysis explicitly, rather than simply citing some
Yup seeing the same. Following examples all show same loss pattern
between ~ 3:30 and ~ 4:30 UTC:
syd ntt - nyc ntt
syd ntt - mia ntt
syd ntt - cdg ntt (paris)
syd ntt - ams ntt
One example:
http://i.imgur.com/TmCkd1B.png?1
Cheers,
Andree
.-- My secret spy satellite informs me that at
.-- My secret spy satellite informs me that at 2014-11-30 6:24 AM
Pierfrancesco Caci wrote:
Simon == Simon Leinen simon.lei...@switch.ch writes:
Simon Some suspicious paths I'm seeing right now:
Simon 133439 5
Simon 197945 4
my bet is on someone using the syntax prepend
Hi Christopher,
feel free to contact me with more details via andree at opendns com
Cheers
Andree
.-- My secret spy satellite informs me that at 2015-03-11 2:56 PM
Christopher Dye wrote:
Yea, sorry. DNS -- I was hammering that out before running out the door. DNS
is the issue -- as far as
Hi List,
this morning our BGPmon system picked up many new more specific
announcements by a variety of Origin ASns, the interesting part is that
the majority of them were classified as BGP Man In The middle attacks
(MITM).
A typical alert would look like:
Some more data from BGPmon.net:
This affected close to 28,000 prefixes from 4,477 unique Autonomous systems.
The hijacks were originated by AS58587 and propagated via AS45796
(15,002 prefixes) and AS6939 (25,841). The AS45796 paths were only seen
via one of our peers, while the AS6939 path had a
Hi Yang,
My secret spy satellite informs me that Yang Yu wrote On 2015-11-06,
10:19 AM:
Yes I saw the same thing. Level 3 customer space inside 8.0.0.0/8 got
leaked by AS9498 through 174, 4323, 5580 and 12989.
I did get alerts from bgpmon but the event is not shown on
bgpstream.com. What
It appears HE and others accepted 'hijacked' routes from AS200759.
A quick initial investigation shows close to 2,000 prefixes were
affected including prefixes normally announced by networks such as
Facebook, Google, Amazon, Twitter, Apple, Akamai, Time Warner Cable and
more.
Also see more
Hi Eric,
My secret spy satellite informs me that Eric Tykwinski wrote On
2016-10-12, 3:43 PM:
> IPv4 routes did a quick bounce to 600,949 around 9:30AM EST, then went back
> down to 599,241 shortly after.
> Seemed like a big jump so I setup an alert, just wondering if anyone else
> noticed
Hi David,
My secret spy satellite informs me that David Hubbard wrote On
2017-03-29, 12:21 PM:
> Anyone have recommendations for an alternative service that works like bgpmon
> (external reachability/peer monitoring, route hijack alerts, etc)? Since
> their OpenDNS acquisition, I’ve found the
Hi Chuck,
My secret spy satellite informs me that Chuck Anderson wrote On
2017-06-07, 5:21 PM:
> Apologies to Merit RADB, it was BGPmon that never responds. Merit
> RADB actually does respond--my frustration is more about the
> difficulty in getting them to delete stale objects that others
>
Yah as mentioned by others, lots of chatter on the outages list.
In short, starting at 17:47 utc level3 started leaking a whole bunch of
more specifics, mainly for various comcast ASns but also others like for
example AS10481 (Argentina)
Many of these more specific announcements for large
Hi Michel,
it looks like you have RPKI validation enabled for this prefix in
BGPmon.net.
This will tell BGPmon to run the RPKI validation checks for the prefix
and alert you if there's no valid ROA found.
This bgpmon alert below is from July 20 which was right around the time
the ROA was
This is what it looks like happened:
There was a large scale BGP 'leak' incident causing about 20k prefixes
for 2400 networks (ASNs) to be rerouted through AS396531 (a steel plant)
and then on to its transit provider: Verizon (AS701)
Start time: 10:34:21 (UTC)
End time: 12:37 (UTC)
All ASpaths had the
57 matches