North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: /24s run amuck again

  • From: Richard A. Steenbergen
  • Date: Sat Jun 09 14:13:24 2001

On Sat, 9 Jun 2001, Philip Smith wrote:

> I was working on almost the same thing... :-) As from next Friday, my
> routing report will include the top 20 ASes which are announcing
> prefixes more specific than the registry minimum allocation (/20),
> more specific than a /24 from 192/8 space, more specific than a /16
> from former B space, more specific than a /8 from former A space...

I've always been suspicious of using registry allocation boundaries, there
are too many legitimate ways to set it off. There are lots of reasons to
have some diverse /22 announcements in your network for example. On the
other hand, if you have 200 seperate /24s announced from the same /16,
with the same aspath, and the origin owns the entire block, there is
simply no reason for this.

>  11371      307      Rhythms NetConnections
>   3491      651      CAIS Internet

DSL providers are becoming very bad about this. Someone pointed out to me
off list that CAIS had carved up PSI's /8 into over 500 /24s.

>    690      502      Merit Network

Well at least we don't have to go too far to find the guilty party. :P

>  18994      468      Global Crossing
>  15870      436      Global Center Frankfurt
>  18993      325      Global Crossing

Those are the GlobalCenter datacenters being converted into the Exodus
network. It looks like they are leaking a sizable number of /32s /30s etc,
and since its GBLX space I'm assuming its stuff that used to be aggregated
into a single announcement.

> There is no attempt to measure aggregation - that's the job of the
> CIDR Report. This simply looks at the prefix announced and if it is
> outside the above limits, it is counted. Makes very interesting
> reading...

The one interesting pattern I noticed in the rampant /24 abuse was non-
contiguous announcements. It's likely that this kept them off the CIDR
Report and any other scans which only looked for contiguous announcements.
For example:

1.2.3.0/24
1.2.5.0/24
1.2.7/0.24

-- 
Richard A Steenbergen <[email protected]>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)