Cyclops detects global routing leak by AS13214
Wednesday, May 13th, 2009

It happened again, this time a router in the Caymans belonging to AS13214 (DCP Networks) decided to announce the global routing table to one of its providers (AS48285).
Cyclops immediately started generating alerts for the registered users, an example of such alert would have looked like this:
--------------------------------------------------
Alert ID: 3492061
Alert type: origin change
Monitored ASN,prefix: 192.35.225.0/24
Offending attribute: 192.35.225.0/24-13214
Date: 2009-05-11 11:03:48 UTC
Duration: 00:00:01 (hh:mm:ss)
No. monitors: 1
Announced prefix: 192.35.225.0/24
Announced ASPATH: 48285 13214
--------------------------------------------------
As you can see from the text above, only a single monitor detected this incident, and that was a monitor belonging to AS48285 (ROBTEX) that has a BGP session with route-views4. Apparently AS48285 didn't propagate the routes upstream, only to its other customers. Those customers started reaching the Internet using a much shorter path, and had their outbound traffic engineering completely disrupted. After looking at some neighbors of AS13214, it seems this router in the Caymans was the only one leaking the prefixes. The first announcement from AS48285 was on 2009-05-11 11:03:11 UTC and the last on 2009-05-11 12:16:32 UTC; 266,289 prefixes were leaked (and withdrawn right afterwards).
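To make the detection logic behind an alert like the one above concrete, here is an added example (not Cyclops code, and not anything from AS13214 or AS48285) that re-implements the origin-change check over a constructed BGP update feed: for each monitored prefix it compares the origin AS (the rightmost ASN in the AS_PATH) against the set of legitimate origins, groups offending announcements by prefix and origin, and counts how many distinct monitors saw them, mirroring the "No. monitors" field. A second helper sizes the leak from one origin AS the way the prefix count and time window in the text were derived. The monitor names, the legitimate origin ASNs (64496-64500, from the documentation range), the prefix 203.0.113.0/24 and all timestamps are constructed; 192.35.225.0/24, AS13214 and the path "48285 13214" come from the alert on this page.

```python
from collections import defaultdict


class Update:
    """One BGP announcement as observed by a collector peer ("monitor")."""

    def __init__(self, monitor, prefix, as_path, timestamp):
        self.monitor = monitor          # name of the route-collector peer
        self.prefix = prefix            # announced prefix, e.g. "192.35.225.0/24"
        self.as_path = tuple(as_path)   # AS_PATH, leftmost = peer, rightmost = origin
        self.timestamp = timestamp      # "YYYY-MM-DD HH:MM:SS" UTC; sorts lexicographically


def origin_as(as_path):
    """The origin is the rightmost ASN of the AS_PATH (AS_SETs are ignored here)."""
    return as_path[-1]


def detect_origin_changes(monitored, updates):
    """monitored: {prefix: set of legitimate origin ASNs}.

    Returns one alert dict per (prefix, offending origin), with the number of
    distinct monitors that observed it and the first AS_PATH that was seen."""
    grouped = {}
    for u in updates:
        expected = monitored.get(u.prefix)
        if expected is None:
            continue                     # not a prefix we monitor
        origin = origin_as(u.as_path)
        if origin in expected:
            continue                     # legitimate origin, nothing to report
        key = (u.prefix, origin)
        g = grouped.setdefault(key, {"monitors": set(), "first": u.timestamp,
                                     "last": u.timestamp, "as_path": u.as_path})
        g["monitors"].add(u.monitor)
        if u.timestamp < g["first"]:
            g["first"], g["as_path"] = u.timestamp, u.as_path
        g["last"] = max(g["last"], u.timestamp)

    alerts = []
    for (prefix, origin), g in sorted(grouped.items()):
        alerts.append({
            "alert_type": "origin change",
            "prefix": prefix,
            "offending_attribute": f"{prefix}-{origin}",
            "date": g["first"],
            "last_seen": g["last"],
            "num_monitors": len(g["monitors"]),
            "as_path": " ".join(str(asn) for asn in g["as_path"]),
        })
    return alerts


def leak_size(updates, origin):
    """Number of distinct prefixes announced with `origin` as origin AS, plus the
    first and last time such an announcement was observed."""
    seen = defaultdict(list)
    for u in updates:
        if origin_as(u.as_path) == origin:
            seen[u.prefix].append(u.timestamp)
    if not seen:
        return (0, None, None)
    stamps = [t for ts in seen.values() for t in ts]
    return (len(seen), min(stamps), max(stamps))


def format_alert(alert):
    """Render an alert in the same shape as the Cyclops e-mail quoted above."""
    return "\n".join([
        f"Alert type: {alert['alert_type']}",
        f"Monitored ASN,prefix: {alert['prefix']}",
        f"Offending attribute: {alert['offending_attribute']}",
        f"Date: {alert['date']} UTC",
        f"No. monitors: {alert['num_monitors']}",
        f"Announced prefix: {alert['prefix']}",
        f"Announced ASPATH: {alert['as_path']}",
    ])


# Constructed monitoring configuration: legitimate origins are hypothetical.
MONITORED = {
    "192.35.225.0/24": {64496},
    "203.0.113.0/24": {64497},
}

# Constructed feed. Only the first record mirrors the real alert's path/prefix.
SAMPLE_UPDATES = [
    Update("rv4-peer-48285", "192.35.225.0/24", [48285, 13214], "2009-05-11 11:03:48"),
    Update("rv4-peer-48285", "203.0.113.0/24", [48285, 13214], "2009-05-11 11:03:11"),
    Update("rrc-peer-64500", "203.0.113.0/24", [64500, 48285, 13214], "2009-05-11 11:05:00"),
    Update("rrc-peer-64500", "203.0.113.0/24", [64500, 64497], "2009-05-11 10:00:00"),  # legitimate
    Update("rrc-peer-64500", "198.51.100.0/24", [64500, 64498], "2009-05-11 10:30:00"),  # unmonitored
]

if __name__ == "__main__":
    for a in detect_origin_changes(MONITORED, SAMPLE_UPDATES):
        print(format_alert(a), end="\n\n")
    print("leaked prefixes, first, last:", leak_size(SAMPLE_UPDATES, 13214))
```

Running it prints two alerts: the first for 192.35.225.0/24 seen by one monitor, the second for 203.0.113.0/24 seen by two, which is exactly the signal the post relies on when it notes that only a single monitor observed this leak. The monitor count is what lets an operator tell a leak confined to one provider's customer cone from one that has propagated globally.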
This incident shows the advantage of having a wide set of peers for detection; it seems Cyclops was the only tool to detect this incident. Given the number of banks and financial institutions in the Caymans, this would otherwise raise a red flag, but it seems this case was an unintentional misconfiguration by AS13214. You can follow the NANOG thread here:
http://www.merit.edu/mail.archives/nanog/msg17928.html
–Ricardo