Professional Documents
Culture Documents
Sanog8 Aspath Analysis Vijay
Sanog8 Aspath Analysis Vijay
Sanog8 Aspath Analysis Vijay
Version 1.1
August, 2006
Vijay Kumar Adhikari
Gaurab Raj Upadhaya, Bill Woodcock
Packet Clearing House
Background
Autonomous systems which claim tier-1
status differentiate themselves from
others by claiming that they do not
receive transit from any other
autonomous system.
Background
Autonomous systems which do not
receive transit may reach other ASes by
selling transit to them or by peering with
them.
Background
All AS-paths take one of two forms:
One in which the center is an AS which
provides transit to two down-stream
ASes:
7823
7823 /
/ 1239
1239 \
\ 7132
7132 \
\ 27291
27291
7823
7823 / 1239
/ 1239 \\ 7132
7132 \\ 27291
27291
7823 / 1239 \ 7132 \ 27291
Dupont buys Sprint sells SBC sells Frys
Background
All AS-paths take one of two forms:
Or one in which the center is a peering
session between two ASes, each of
which provides transit to one down-
stream AS:
3856 / 2914 | 1239 \ 7132 \ 27291
3856
3856 // 2914
2914 || 1239
1239 \\ 7132
7132 \\ 27291
27291
3856
3856 // 2914
2914 || 1239
1239 \\ 7132
7132 \\ 27291
27291
PCH buys Verio peers Sprint sells SBC sells Frys
Proposition
Since there can exist no more than one
peering session in any AS-path,
No more than two ASNs can make a
legitimate claim to tier-1 status with
respect to any valid AS-path.
Seed-list to test
For an arbitrary starting-point to test our
proposition, we took the intersection of
the lists of most commonly-occurring
transit ASes from a number of routers:
701 UUNet / MCI 1239 Sprint
3356 Level 3 2914 NTT / Verio
7018 AT&T 6461 MFN
209 Qwest 2828 XO Communications
3549 Global Crossing 4637 Reach
Testing the Proposition
We find anomalous cases, in which three
or more ASNs from our test list occur in
the same AS-path:
65.215.36.0/24 3549 6221 3356 701 22907
Global Cybersites Level 3 UUNET
Crossing
Leaked Routes
(more than 2 Tier1 ASNs)
200
160
120
80
40
0
June 1 June 2 June 3 June 4 June 5 June 6
More Anomalies
Inconsistent ASNs
Non-contiguous Repeats
Private ASNs
Unallocated ASNs
Inconsistent Prefix Announcements
Examples
12.33.218.0/24
Announced by more than 1 ASNs:
22057, 23181
12.64.255.0/24
Announced by more than 1 ASNs:
4264, 17228, 17229, 17233
0
12
24
36
48
60
A
S
A 48
S2 08
A 925
S
A 70 7
S1 18
A 91
S1 5
7
A 911
S6 5
A 140
A S70
S3 1
A 05
S2 3
3
A 391
S
A 47 8
S1 55
A 859
S8 2
A 15
S1 1
A 23
S9 9
A 39
S3 4
A 356
S
A 17
S 4
A 20
S1 48
A 13
S1 4
0
A 002
S
A 41 9
S1 34
A 777
S9 2
A 81
S 1
A 64
S3 53
A 36
S1 9
86 7
18
Inconsistent Prefix Announcements
Inconsistent Prefix Announcements
1500
1200
900
600
300
0
June 1 June 2 June 3 June 4 June 5 June 6
Non-contiguous Repeats
Examples:
2800
2100
1400
700
0
June 1 June 2 June 3 June 4 June 5 June 6
0
300
600
900
1200
1500
A
S9
A 49
S4 8
A 80
S3 2
A 26
S1 7
A 21
S1 63
A 469
S8 7
A 69
S7 7
A 01
S3 8
A 281
S9 4
A 05
S3 0
A 00
S1 71
A 853
S8 4
A 55
S3 3
A 237
S7 4
Non-contiguous Repeats
A 10
S3 6
A 90
S3 66
02
78
Private AS Number Leak
S2 1
A 71
S2 8
2
A 19
S1 4
85 7
92
Private AS Number Leak
600
450
300
150
0
June 1 June 2 June 3 June 4 June 5 June 6
Using and Leaking Unallocated ASN
24587 is the only ASN leaking an unallocated ASN
81.17.39.128/27 3333 24587 64500
5
4
3
2
1
0
June 1 June 2 June 3 June 4 June 5 June 6
Adding a Candidate
The arbitrary method by which we
seeded our list does not find content
providers, only transit providers.
bgp-anomalies@pch.net