When BGP lies, the internet believes!

Earlier in the day, I came across Liberty Global (AS6830) originating several Vodafone Romania (AS12302) prefixes.

Source: https://bgp.he.net/AS6830#_prefixes

This is highly unusual because AS6830 is a large transit-free network. I have seen some transit-free networks leaking routes, but originating a large number of prefixes is not common. It has massive stakes in operators ranging from Belgium-based Telenet to Virgin Media, etc. To verify whether they are actually originating these, let’s check their looking glass for one of the prefixes, 46.97.104.0/24, via their PoP at Interxion FRA6 Frankfurt:

This clearly shows that their own router is learning it from Vodafone C&W AS1273 and not holding the fake route. The origin is AS12302 (Vodafone Romania). So why does that prefix appear in bgp.he.net?

Let’s look at a real-time lookup from super-lg:

Reading this AS_PATH: 35505 44682 8751 6830

So RIPE RIS RRC22 in Bucharest, Romania “learns” this from AS35505 (Pronet Solutii IT SRL), which learns it from AS44682 (SIL-MIRO COM SRL), which learns it from AS8751 (MEDIA SAT SRL), which “claims” to have learnt it from AS6830. This very much smells like a “fake route” generated by someone here, likely from a route optimiser. From the Liberty Global looking glass, it’s clear that AS6830 does not have it. So it has to be either AS8751 or AS44682 or AS35505 having this route in their table. It’s hard to verify and be 100% sure which one, since those three ASNs don’t have a looking glass or a RIPE Atlas probe for me to see their routing. Thus when BGP lies, the internet believes!
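The check walked through above can be scripted. The following is an added example, not code from the original post: it compares the origin claimed in a collector's AS_PATH with the origin expected for the prefix and lists the ASNs that could have injected the route. The table `EXPECTED_ORIGINS`, the function names and the second sample path are assumptions, and the covering-prefix match goes slightly beyond the post so that a more-specific announcement is judged by its parent prefix.

```python
import ipaddress

# Constructed table: the origin the post reads off the AS6830 looking glass.
# In practice this would come from ROAs or IRR route objects (assumption).
EXPECTED_ORIGINS = {"46.97.104.0/24": 12302}

def parse_as_path(text):
    """Split an AS_PATH string into ASNs, collector peer first, origin last."""
    if "{" in text or "}" in text:
        raise ValueError("AS_SET in path: origin is ambiguous")
    path = []
    for token in text.split():
        asn = int(token)
        if not path or path[-1] != asn:  # collapse AS prepending
            path.append(asn)
    if not path:
        raise ValueError("empty AS_PATH")
    return path

def expected_origin(prefix, table=EXPECTED_ORIGINS):
    """Origin of the longest covering entry, or None if nothing covers it."""
    net = ipaddress.ip_network(prefix)
    best = None
    for entry, asn in table.items():
        parent = ipaddress.ip_network(entry)
        if net.version == parent.version and net.subnet_of(parent):
            if best is None or parent.prefixlen > best[0].prefixlen:
                best = (parent, asn)
    return best[1] if best else None

def check_route(prefix, as_path_text, table=EXPECTED_ORIGINS):
    path = parse_as_path(as_path_text)
    claimed, want = path[-1], expected_origin(prefix, table)
    if want is None:
        return {"status": "unknown", "claimed_origin": claimed, "suspects": []}
    if claimed == want:
        return {"status": "ok", "claimed_origin": claimed, "suspects": []}
    # Any AS between the collector and the claimed origin could have injected
    # the route. The claimed origin is left out, as in the post, where its
    # own looking glass shows it does not originate the prefix.
    return {"status": "origin_mismatch", "claimed_origin": claimed,
            "expected_origin": want, "suspects": path[:-1]}

if __name__ == "__main__":
    # Path quoted in the post, as seen at RIPE RIS RRC22.
    print(check_route("46.97.104.0/24", "35505 44682 8751 6830"))
    # Constructed path matching what the looking glass reports (assumption).
    print(check_route("46.97.104.0/24", "6830 1273 12302"))
```
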


Disclaimer: This is my personal blog, and hence, posts made here are in my personal capacity. These do not represent the views of my employer.