North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Kenyan Route Hijack

  • From: Suresh Ramasubramanian
  • Date: Mon Mar 17 03:44:58 2008
  • Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=FNmvRCzvcfJcYuVllNakCtw4LimRUhYzCsN5beFt5Ng=; b=Lyq1EVZR4sod2Vt3a3XIaEF3psk95Df/yxQwYeIlHXlQCe5VxnWjK/yRM4HYCugb1qIr2WD4jtSJceZtOCTIZEJzWAqkoO34txXCYI0i39Gd0eGLHl15mvNBop0rU8K7DxNXAQM9fAmyOzOxieWOjX7TBH71O91pWCi6p0X41WI=
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=miXiejtXQ3dLYfBiwIdwtoIXKAt5814kIeG7RwywVdsEFQiX7W9hmO4gt2LK4zQuSSa32hMDqCRyf6mPqkQa8gxP5m88M7LdKoGmuUEnr9G2vveInB9uY73hVfkJCXahVPwVS7mK14Uw3ZNq+Is4F60ZSrywSV5esVKjxrrm6mo=

On 17 Mar 2008 04:12:13 +0000, Paul Vixie <[email protected]> wrote:
>  i think, at this stage and at this date, that bringing up the ORBS/abovenet
>  debacle constitutes a "canard", and should be avoided, for the good of all.

Completely unrelated to l'affaire ORBS of course, but in this more
recent example, was uunet kenya a transit customer (or customer of a
customer) of abovenet?  And quoting from a previous email -


An interesting bit is that the current announcement on routeviews
directly from AS 6461 has Community 6461:5999 attached:
  6461 from (
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 6461:5999

According to this, that community is used for "internal prefixes":

"6461:5999 internal prefix"

A "sh ip bgp community 6461:5999" currently yields 130 prefixes
with Origin AS of 6461 and that community.  Nothing more specific
than a /24, although many many adjacent prefixes that would
presumably be aggregated normally are announced as well.


anybody see similar routing loops for those other prefixes that'd make
it look like 5999 is a blackhole community at abovenet, so this dude
is seeing what ORBS saw way back when (2000, right) - that is, he had
abuse issues, was downstream of a downstream of abovenet and got his
/24 blackholed?