No. of BGP feeds: 792

Archive for the ‘leaks’ Category

A routing leak with spaghetti sauce

Saturday, October 10th, 2009

It was yesterday (2009-10-09) at 07:21:41 UTC that the Italian ISP AS9035 “ASN-WIND Wind Telecomunicazioni spa” started leaking no less than 90,358 prefixes to its Italian upstream AS1267. The last announcement happened at 07:23:42 UTC, a bit more than two minutes after the first one, and the routes were withdrawn immediately afterwards.

Several Cyclops users received “origin change” alerts like the following one:

————————————————–
Alert ID:                     7645041
Alert type:                   origin change
Monitored ASN,prefix:         128.97.0.0/16
Offending attribute:          128.97.0.0/16-9035
Date:                         2009-10-09 07:22:12 UTC
Duration:                     00:00:38 (hh:mm:ss)
No. monitors:                 3
Announced prefix:             128.97.0.0/16
Announced ASPATH:             12637 12637 3269 1267 9035
————————————————–

The alert shows that only 3 monitors saw this event, which hints that it was very local, and drilling down in the alert link shows that all three reside in Italy.

Also, after inspecting the AS paths, it looks like only Italian ISPs were involved. This event seems to have been the result of an accidental router misconfiguration, similar to the AS13214 leak also detected by Cyclops: http://cyclops.cs.ucla.edu/blog/?p=78. –Ricardo

Cyclops detects global routing leak by AS13214

Wednesday, May 13th, 2009

It happened again: this time a router in the Caymans belonging to AS13214 (DCP Networks) announced the global routing table to one of its providers (AS48285). Cyclops immediately started generating alerts for registered users; an example of such an alert looks like this:

————————————————–

Alert ID:                     3492061
Alert type:                   origin change
Monitored ASN,prefix:         192.35.225.0/24
Offending attribute:          192.35.225.0/24-13214
Date:                         2009-05-11 11:03:48 UTC
Duration:                     00:00:01 (hh:mm:ss)
No. monitors:                 1
Announced prefix:             192.35.225.0/24
Announced ASPATH:             48285 13214

————————————————–

As you can see from the text above, only a single monitor detected this incident, and that was a monitor belonging to AS48285 (ROBTEX), which has a BGP session with route-views4. Apparently AS48285 did not propagate the routes upstream, only to its other customers. Those customers started reaching the Internet over a much shorter path, and had their outbound traffic engineering completely disrupted. After looking at some neighbors of AS13214, it seems this router in the Caymans was the only one leaking the prefixes. The first announcement from AS48285 was on 2009-05-11 11:03:11 UTC and the last on 2009-05-11 12:16:32 UTC; 266,289 prefixes were leaked (they were withdrawn right afterwards).

This incident shows the advantage of having a wide set of peers for detection; it seems Cyclops was the only tool to detect this incident. Given the number of banks and financial institutions in the Caymans, a leak like this would normally raise a red flag, but it seems this case was an unintentional misconfiguration by AS13214. You can follow the NANOG thread here:
http://www.merit.edu/mail.archives/nanog/msg17928.html

–Ricardo
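The origin-change detection behind the two alerts quoted in these posts, as an added example (this is not Cyclops code): each update from a monitor is checked against a table of registered prefix-to-origin bindings; a mismatch opens an alert keyed like the “Offending attribute” field (prefix-ASN), the monitor count and duration are tracked the way the alerts above report them, and grouping alerts by offending origin surfaces a table leak like AS9035’s or AS13214’s, where one ASN suddenly originates many monitored prefixes. The registered origins, the monitor names, the update stream and all timestamps except the first alert time are constructed; AS52 as the origin of 128.97.0.0/16, the 792-feed monitor population and the 5% “local event” threshold are assumptions for the example.

```python
"""Origin-change alerting in the style of the Cyclops alerts above (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Update:
    """One BGP update as seen from one monitor (a route-collector feed)."""
    monitor: str
    ts: datetime
    prefix: str
    as_path: tuple = ()      # empty for a withdrawal; last element is the origin AS
    withdraw: bool = False


@dataclass
class Alert:
    prefix: str
    expected_origin: int
    offending_origin: int
    first_seen: datetime
    last_seen: datetime
    monitors: set = field(default_factory=set)
    as_paths: set = field(default_factory=set)
    closed: bool = False

    def duration(self) -> str:
        """hh:mm:ss from the first bad announcement to the last change (Cyclops 'Duration')."""
        s = int((self.last_seen - self.first_seen).total_seconds())
        return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"


def origin_of(as_path):
    """The origin is the last path element; prepending (12637 12637 ...) does not change it."""
    return as_path[-1]


def detect(updates, registered):
    """Return {(prefix, offending_origin): Alert} for announcements whose origin
    differs from the registered one; the key mirrors the 'Offending attribute' field."""
    alerts = {}
    holding = {}   # (monitor, prefix) -> key of the bad route that monitor currently holds
    for u in sorted(updates, key=lambda x: x.ts):
        expected = registered.get(u.prefix)
        if expected is None:
            continue                                   # not a monitored prefix
        # Any new update replaces the monitor's previous route, so it ends that
        # monitor's exposure to an earlier bad origin (explicit or implicit withdraw).
        prev = holding.pop((u.monitor, u.prefix), None)
        if prev is not None:
            alerts[prev].last_seen = max(alerts[prev].last_seen, u.ts)
        if u.withdraw:
            continue
        origin = origin_of(u.as_path)
        if origin == expected:
            continue                                   # legitimate route
        key = (u.prefix, origin)
        a = alerts.setdefault(key, Alert(u.prefix, expected, origin, u.ts, u.ts))
        a.last_seen = max(a.last_seen, u.ts)
        a.monitors.add(u.monitor)
        a.as_paths.add(u.as_path)
        holding[(u.monitor, u.prefix)] = key
    still_open = set(holding.values())
    for key, a in alerts.items():
        a.closed = key not in still_open
    return alerts


def scope(alert, total_monitors, local_fraction=0.05):
    """Heuristic from the posts: a handful of monitors out of ~800 means a local event.
    The 5% threshold is an assumption, not a Cyclops setting."""
    return "local" if len(alert.monitors) / total_monitors <= local_fraction else "global"


def leak_candidates(alerts, min_prefixes=3):
    """One ASN appearing as the offending origin for many monitored prefixes at
    once is the signature of a full-table leak (AS9035: 90,358 prefixes)."""
    by_origin = defaultdict(list)
    for a in alerts.values():
        by_origin[a.offending_origin].append(a.prefix)
    return {asn: sorted(p) for asn, p in by_origin.items() if len(p) >= min_prefixes}


def at(hms):
    """Constructed timestamps on the day of the AS9035 leak."""
    return datetime(2009, 10, 9, *map(int, hms.split(":")), tzinfo=timezone.utc)


# Constructed registrations (AS52 for 128.97.0.0/16 is assumed; the others use documentation ranges).
REGISTERED = {"128.97.0.0/16": 52, "198.51.100.0/24": 64496, "203.0.113.0/24": 64497}
LEAK_PATH = (12637, 12637, 3269, 1267, 9035)        # AS path from the alert on the page
SAMPLE = [                                          # constructed update stream
    Update("US-1", at("07:20:00"), "128.97.0.0/16", (2914, 52, 52)),   # normal route, prepended origin
    Update("IT-1", at("07:22:12"), "128.97.0.0/16", LEAK_PATH),        # alert time from the page
    Update("IT-1", at("07:22:13"), "198.51.100.0/24", (3269, 1267, 9035)),
    Update("IT-1", at("07:22:14"), "203.0.113.0/24", (3269, 1267, 9035)),
    Update("IT-2", at("07:22:15"), "128.97.0.0/16", LEAK_PATH),
    Update("IT-3", at("07:22:20"), "128.97.0.0/16", LEAK_PATH),
    Update("IT-1", at("07:22:50"), "128.97.0.0/16", withdraw=True),
    Update("IT-2", at("07:22:50"), "128.97.0.0/16", withdraw=True),
    Update("IT-3", at("07:22:50"), "128.97.0.0/16", withdraw=True),
    Update("IT-1", at("07:22:51"), "198.51.100.0/24", (3269, 1267, 64496)),  # correct origin returns
]


def report(updates=SAMPLE, registered=REGISTERED, total_monitors=792):
    alerts = detect(updates, registered)
    for (prefix, asn), a in sorted(alerts.items()):
        print(f"{prefix}-{asn}: monitors={len(a.monitors)} duration={a.duration()} "
              f"scope={scope(a, total_monitors)} closed={a.closed}")
    print("leak candidates:", leak_candidates(alerts))
    return alerts


if __name__ == "__main__":
    report()
```

The 128.97.0.0/16 alert comes out with 3 monitors, a duration of 00:00:38 and scope “local”, matching the first alert above; 203.0.113.0/24 stays open because no withdrawal or replacement route ever arrives for it, which is the case to watch for in a real leak, since the damage lasts until the leaked routes are pulled. With `min_prefixes` raised to hundreds, the same grouping is what separates a single hijack of one prefix from a leak of a whole table.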