Re: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]

Tue, 26 May 2015 18:44:54 -0700

I guess AS18978 didn't learn from their mistake. Got a slew of identical bgpmon alerts for withdrawals and more specifics within the last 30 minutes. Worse than last time. Some still active, like:
update time (UTC) Update Type Probe ASn Probe Location Prefix AS path Cleared Duration 2015-03-26 12:18:41 Update AS4795 ID 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889 Active 

On 03/26/2015 8:26 pm, ML wrote:

Wouldn't it be a BCP to set no-export from the Noction device too?


On 3/26/2015 6:20 PM, Nick Rose wrote:

Several people asked me off list for more details, here is what I have 
regarding it.



This morning a tier2 isp that connects to our network made an error in 
their router configuration causing the route leakage. The issue has 
been addressed and we will be performing a full post mortem to ensure 
this does not happen again.
While investigating the issue we did find that the noction appliance 
stopped advertising the no export community string with its 
advertisements which is why certain prefixes were also seen.


Regards,
Nick Rose
CTO @ Enzu Inc.

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Rose
Sent: Thursday, March 26, 2015 3:49 PM
To: a...@djlab.com; Peter Rocca
Cc: nanog@nanog.org

Subject: RE: More specifics from AS18978 [was: Prefix hijack by 
INDOSAT AS4795 / AS4761]



This should be resolved from AS18978. If you experience anything else 
please let me know and I will get it addressed immediately.


Regards,
Nick Rose
CTO @ Enzu Inc.

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy
Sent: Thursday, March 26, 2015 12:14 PM
To: Peter Rocca
Cc: nanog@nanog.org

Subject: RE: More specifics from AS18978 [was: Prefix hijack by 
INDOSAT AS4795 / AS4761]


On 03/26/2015 9:00 am, Peter Rocca wrote:

+1

The summary below aligns with our analysis as well.

We've reached out to AS18978 to determine the status of the leak but
at this time we're not seeing any operational impact.

+2, after the morning coffee sunk in and helpful off list replies I 
can

finally see it's probably not INDOSAT involved at all.

FYI, the more specifics are still active:

2015-03-26 13:56:11     Update  AS4795  ID      198.98.180.0/23 4795 4795 4761
9304 40633 18978 6939 29889     Active
2015-03-26 13:56:11     Update  AS4795  ID      198.98.182.0/23 4795 4795 4761
9304 40633 18978 6939 29889     Active

--
~Randy























					Reply via email to