13 Nov

bdNOG 4 – Presentation on Misused top ASNs

This week I presented in bdNOG 4 on “Misused top ASNs“. It was a study we at Hurricane Electric did to see how many times AS1, AS2 and AS3 appeared in global routing table between 2010 and 2015. This highlights cases where AS1, AS2 or AS3 appeared as a result of wrong prepend.


My presentation is embedded below:


Overall bdNOG 4 had been a great experience. It’s good to see a nice NOG community actively sharing technical know-how, sharing experiences, and much more. I must say that is something I greatly miss in India. More on bdNOG conference later on.

26 Oct

K root route leak by AS49505 – Selectel, Russia

There seems be an ongoing route leak by AS49505 (Selectel, Russia) for K root server.

K root server’s IP:
Origin Network: AS25152


Here’s trace from Airtel Looking Glass, Delhi PoP


The routing information (show route output) from their looking glass doesn’t seems useful since it shows that it’s learning K root Noida route via NIXI. This is likely because routing information is different from actual forwarding information in that device.

So the trace looks extremely weird. It’s leading traffic to K root which does has anycast instance in Noida, landing into Russia!


Why is that happening?

Let’s look at what Tata Communications (AS6453) routing table has for K root’s prefix. I am looking at feed of AS6453 which it’s putting into RIPE RIS RRC 03 collector.

anurag@server7:~/temp$ awk -F ‘|’ ‘$5==6453’ rrc03-table-26-Oct-2015.txt|grep
TABLE_DUMP_V2|10/26/15 08:00:03|A||6453||6453 20485 49505 25152|IGP


Let’s analyse this AS_PATH

  1. AS25152 is orignating prefix to AS49505 (Selectel Russia)
  2. AS49505 is “leaking” route to it’s upstream AS20485 (Trans Telecom, Russia)
  3. AS20485 is further propagating route to Tata Communications AS6453 making route visible globally via Tata Communications IP backbone


What impact of it?

Impact is much higher latency with K root from India. Here’s how RIPE Probe 170111 hosted at my home finds latency to K root:



As per graph change, leak started on 24th Oct at 9am UTC and this resulted in jump of latency of over 180ms.


Disclaimer: Post, comments, thoughts and analysis is in personal capacity and in no way linked to my employer.