[tor-relays] Strange BGP activity with my node

Johan Nilsson jn at 9999.se
Fri May 11 11:53:30 UTC 2018


> > Your prefix:          204.17.32.0/19:
> > Prefix Description:   GBLX-US-BGP
> > Update time:          2018-05-09 12:11 (UTC)
> > Detected by #peers:   1
> > Detected prefix:      204.17.56.42/32
> > Announced by:         AS200005 (Asavie Technologies Limited)
> > Upstream AS:          AS200005 (Asavie Technologies Limited)
> > ASpath:               200005
> > 
> I took a look through our BGP data and peering routers, and I didn't
> see the /32 being announced.  I'm not saying it didn't happen, but
> rather it may not have carried very far.  /32 prefix announcements
> rarely propagate very far.  There are still a great many filters in
> place that restrict announcements more specific than /24 (or /21, or
> /19, or ...).
>
"#peers:   1" indicates only one of the peers with bgpmon.net saw it.

> It may be the case that this /32 prefix is a null route that leaked
> out, which we've seen happen somewhat frequently.  The most notorious
> example was an attempted, and unwittingly leaked, null route in
> Pakistan (/24s, IIRC) that impacted YouTube.
> 
> It appears Asavie does a bit of security and networking work, so
> possibly this is attributable to that?
> 
DFRI saw the same notification for one exit address at the exact
same time. We also got a second identical notification at 2018-05-09 12:17
(UTC).

Regards,
Johan

