No. of BGP feeds: 792

Cyclops detects global routing leak by AS13214

It happened again. This time a router in the Caymans belonging to AS13214 (DCP Networks) decided to announce the global routing table to one of its providers (AS48285). Cyclops immediately started generating alerts for registered users; an example of such an alert would have looked like this:

————————————————–

Alert ID:                     3492061
Alert type:                   origin change
Monitored ASN,prefix:         192.35.225.0/24
Offending attribute:          192.35.225.0/24-13214
Date:                         2009-05-11 11:03:48 UTC
Duration:                     00:00:01 (hh:mm:ss)
No. monitors:                 1
Announced prefix:             192.35.225.0/24
Announced ASPATH:             48285 13214

————————————————–

As you can see from the text above, only a single monitor detected this incident: a monitor belonging to AS48285 (ROBTEX) that has a BGP session with route-views4. Apparently AS48285 didn’t propagate the routes upstream, only to its other customers. Those customers started reaching the Internet using a much shorter path and had their outbound traffic engineering completely disrupted. After looking at some neighbors of AS13214, it seems this router in the Caymans was the only one leaking the prefixes. The first announcement of AS48285 was on 2009-05-11 11:03:11 UTC and the last on 2009-05-11 12:16:32 UTC; 266,289 prefixes were leaked (they were withdrawn right afterwards).

This incident shows the advantage of having a wide set of peers for detection; it seems Cyclops was the only tool to detect this incident. Given the number of banks and financial institutions in the Caymans, this would otherwise raise a red flag, but it seems this case was an unintentional misconfiguration by AS13214. You can follow the NANOG thread here:
http://www.merit.edu/mail.archives/nanog/msg17928.html

–Ricardo
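The origin-change check behind an alert like the one above can be sketched as follows. This is an added example, not Cyclops code: the expected origins (documentation ASNs 64500 and 64501), every sample update except the first, and the two-prefix threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed registrations: monitored prefix -> expected origin ASN. The page
# does not name the legitimate origins, so documentation ASNs stand in.
MONITORED = {
    ipaddress.ip_network("192.35.225.0/24"): 64500,
    ipaddress.ip_network("203.144.16.0/21"): 64501,
}

# Constructed feed of (timestamp, announced prefix, AS path). The first entry
# mirrors the alert in the post; the others are made up for illustration.
SAMPLE_UPDATES = [
    ("2009-05-11 11:03:48", "192.35.225.0/24", "48285 13214"),
    ("2009-05-11 11:03:49", "203.144.18.0/23", "48285 13214 13214"),  # more-specific, prepended
    ("2009-05-11 11:03:50", "192.35.225.0/24", "64510 64500"),        # expected origin
    ("2009-05-11 11:03:51", "198.51.100.0/24", "48285 13214"),        # not monitored
]

def parse_as_path(text):
    """Return the path as ints with prepending (repeated ASNs) collapsed."""
    path = []
    for asn in map(int, text.split()):
        if not path or path[-1] != asn:
            path.append(asn)
    return path

def origin_change_alerts(updates, monitored=MONITORED):
    """Alert when a monitored prefix, or a more-specific of it, has an unexpected origin."""
    alerts = []
    for ts, prefix, path_text in updates:
        net = ipaddress.ip_network(prefix)
        path = parse_as_path(path_text)
        if not path:
            continue  # empty AS path: nothing to attribute
        origin = path[-1]  # rightmost AS originated the route
        via = path[-2] if len(path) > 1 else None  # AS that heard it from the origin
        for mon, expected in monitored.items():
            if net.version == mon.version and net.subnet_of(mon) and origin != expected:
                alerts.append({"date": ts, "monitored": str(mon), "announced": prefix,
                               "offending": f"{prefix}-{origin}", "origin": origin, "via": via})
    return alerts

def leak_suspects(alerts, min_prefixes=2):
    """Count distinct monitored prefixes per (via, origin) pair; one origin displacing
    several unrelated owners through one neighbor suggests a leaked table."""
    hit = defaultdict(set)
    for a in alerts:
        hit[(a["via"], a["origin"])].add(a["monitored"])
    return {pair: len(p) for pair, p in hit.items() if len(p) >= min_prefixes}
```

Grouping by the (neighbor, origin) pair is what separates a single suspicious announcement from the pattern described in this post, where one origin suddenly appears for many unrelated prefixes behind the same provider.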

2 Responses to “Cyclops detects global routing leak by AS13214”

  1. Russell Heilling Says:

    We (Viatel - AS8190) have just seen alerts start to come through that indicate it is happening again.

    Exactly the same origin (AS13214) is announcing our prefixes to ROBTEX (AS48285). I presume they are leaking a full table again…

  2. Paul Says:

    Looks like it’s happening again :(

    Date: 2009-07-28 08:30:28 UTC
    Duration: 00:00:01 (hh:mm:ss)
    No. monitors: 1 (http://cyclops.cs.ucla.edu/view_monitors.html?aid=4951247)
    Announced prefix: 203.144.16.0/21
    Announced ASPATH: 48285 13214
    BGP message: http://cyclops.cs.ucla.edu/show_myalert.html?aid=4951247
