I looked at some RIS (and routeviews) MRT data. First I looked at BGP updates: * There were no BGP updates captured by RIPE RIS between 2025-08-12..2025-08-26 for 2400::/12. * The largest prefix in 2400::/12 for which updates/withdraws were seen in that period was 2400:2000::/20.
When I look at the combined RIS+routeviews RIBS at 08:00 UTC on 2025-08-30, these are the largest prefixes in 2400::/12 and their visibility: ┌────────────────┬────────────┐ │ prefix │ visibility │ │ │ (peers) │ ├────────────────┼────────────┤ │ 2400:2000::/20 │ 689 │ │ 2400:4000::/22 │ 690 │ │ 2400:6280::/30 │ 268 │ │ 2400:7b80::/30 │ 799 │ │ 2400:a840::/31 │ 795 │ │ 2400:a842::/31 │ 795 │ │ 2400:a844::/31 │ 795 │ │ 2400:a846::/31 │ 795 │ │ 2400:a848::/31 │ 795 │ │ 2400:a84a::/31 │ 795 │ │ 2400:a84c::/31 │ 795 │ │ 2400:a84e::/31 │ 795 │ │ 2400:a980::/29 │ 777 │ │ 2400:ca00::/28 │ 792 │ │ 2400:d800::/30 │ 780 │ │ 2400:d800::/31 │ 780 │ │ 2400:dd00::/28 │ 693 │ If 2400::/12 was widely visible, it indicates a gap in the coverage of routeviews and RIS. I can’t speak for routeviews, but as RIS project we would be very happy to add peers that cover such a blindspot. We want to make data analysis like I just did easier. We have a prototype for a new way to search in MRT data. It started as an internal research/debugging aid, but we want to start releasing pre-processed data soon. If things work out I will do a talk on this at the next RIPE and NANOG meetings on this way to search in BGP data - the talk is about to be submitted. Kind regards, Ties On Sat, 30 Aug 2025 at 14:56, Tom Beecher via NANOG <[email protected]> wrote: > According to RIPEStat, 2400::/12 hasn't been seen since Oct 2023, from > AS13030 (Init7). > > I also cannot seem to see any recent announcement of that anywhere in the > usual sources, or my internal data. I would say this was an error on > Qrator's part. > > In that case, what more do I must do? > > > Although it didn't seem to happen here, best practice is to always announce > 100% of your allocated IPs at all times. This provides protection against > someone announcing an umbrella and pulling traffic for any uncovered space. > It's not perfect , but protects against general stupid. > > On Sat, Aug 30, 2025 at 2:59 AM Pirawat WATANAPONGSE via NANOG < > [email protected]> wrote: > > > Dear Gurus, > > > > > > Radar tool by Qrator [Reference: https://radar.qrator.net ] claims that > > Zenlayer Inc. [AS4229] is “umbrella-ing” me by announcing ‘2400::/12’ on > > top of my more-specific address block. > > The tool classifies it as a type of hijacking. > > [Disclaimer: apologies to Zenlayer if you didn’t do it; but that’s the > > information I received] > > My neighboring organization also has a more-specific block that falls > under > > The Umbrella too. > > > > However, other tools (https://stat.ripe.net , > > https://irrexplorer.nlnog.net > > , https://bgp.he.net , etc.) seem unable to see that particular > > announcement. > > > > Questions: > > 1. Is Qrator claim true? (because I have already tried but cannot verify) > > 2. If so, should I be concerned? > > Even though I already ROA-ed *and* IRR-ed my own block, but if “the other > > end” doesn’t validate, it won’t do any good, correct? > > (Oh, yeah, the other end also has to somehow “not see” my longer-prefix. > > But that can happen as well, no?) > > 3. In that case, what more do I must do? > > > > I would extremely appreciate someone helping me out on this matter. > > > > > > Best Regards, > > > > Pirawat. > > _______________________________________________ > > NANOG mailing list > > > > > https://lists.nanog.org/archives/list/[email protected]/message/GT2M54NGQQHRE7IU63ECEOMVTGH7FRIW/ > _______________________________________________ > NANOG mailing list > > https://lists.nanog.org/archives/list/[email protected]/message/47LPGUEA2E2LV3RIRZGEF35KC6SPQ53L/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/FCMDVDY6D3WVWQC4GYNZIBTTNOHDIGHD/
