Re: Cyclops Down?

2009-12-15 Thread Ricardo Oliveira 

Hi all,

We're having an issue with an UPS here at UCLA where one of the  
Cyclops servers is connected to. It should be fixed very soon, will  
keep you posted..


Thanks,

--Ricardo

On Dec 15, 2009, at 8:00 AM, sjk wrote:


Is anyone else seeing cyclops down -- or is it just me?

mtr -c10 -r 131.179.96.253

4. osh-2828-peer.onshore.net 0.0%101.3   1.3   1.2
1.6   0.1
 5. ip65-47-181-105.z181-47-65.c  0.0%101.4   2.0   1.3
3.7   0.8
 6. ge11-1-4d0.mcr2.chicago-il.u  0.0%102.1   1.7   1.4
2.1   0.3
 7. ae1d0.mcr1.chicago-il.us.xo.  0.0%102.7  11.8   1.8   
34.9  13.4
 8. 216.156.0.161.ptr.us.xo.net   0.0%10   62.2  62.3  62.0   
62.8   0.3
 9. te-3-2-0.rar3.dallas-tx.us.x  0.0%10   61.1  61.8  61.0   
64.2   1.0
10. 207.88.12.46.ptr.us.xo.net0.0%10   61.6  61.6  60.7   
63.8   1.1
11. 207.88.12.158.ptr.us.xo.net   0.0%10   60.7  61.0  60.7   
61.7   0.4
12. lax-px1--xo-ge.cenic.net  0.0%10   60.5  60.8  60.4   
61.4   0.4
13. dc-lax-core1--lax-peer1-ge.c  0.0%10   61.5  61.5  61.1   
62.1   0.4
14. dc-lax-agg1--lax-core1-ge.ce  0.0%10   61.1  61.6  60.8   
63.5   0.9
15. dc-ucla--lax-agg1-ge-2.cenic  0.0%10   62.0  62.6  61.7   
65.1   1.3
16. border-2--core-1-ge.backbone  0.0%10   62.4  62.4  61.8   
63.4   0.5
17. core-1--mathsci-10ge.backbon  0.0%10   61.9  61.7  61.4   
62.1   0.2
18. ???  100.0100.0   0.0   0.0
0.0   0.0

Re: AS3.196 [91.213.29.0/24] IM-AS Info-Media Ltd

2009-10-13 Thread Ricardo Oliveira 
It seems Team Cymru needs to update its whois db to use 4-byte ASNs  
and remove AS_TRANS (23456)


--Ricardo

On Oct 12, 2009, at 11:41 PM, Paul Ferguson wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'm a bit confused (nothing really new here) with this BGP  
announcement,

but following up on some cyber crime activity I stumbled on this:

[Querying v4.whois.cymru.com]
[v4.whois.cymru.com]
AS  | IP   | AS Name
23456   | 91.213.29.250| -Reserved AS-

Is this legitimate?

route-views2.routeviews.org sho ip bgp 91.213.29.250
BGP routing table entry for 91.213.29.0/24
Paths: (42 available, best #33, table Default-IP-Routing-Table)
 Not advertised to any peer
 6939 9002 40965 196804
   216.218.252.164 from 216.218.252.164 (216.218.252.164)
 Origin IGP, localpref 100, valid, external
 Last update: Mon Oct 12 17:18:08 2009

 13030 9002 40965 196804
   213.144.128.203 from 213.144.128.203 (213.144.128.203)
 Origin IGP, metric 1, localpref 100, valid, external
 Community: 13030:1 13030:1016
 Last update: Mon Oct 12 13:10:14 2009

 14608 4323 9002 40965 196804
   209.161.175.4 from 209.161.175.4 (209.161.175.4)
 Origin IGP, localpref 100, valid, external
 Community: no-export
 Last update: Mon Oct 12 08:06:19 2009

 286 9002 40965 196804
   134.222.87.3 from 134.222.87.3 (134.222.85.108)
 Origin IGP, metric 0, localpref 100, valid, external
 Community: 286:18 286:19 286:28 286:29 286:800 286:888 286:3044
286:4019
 Last update: Sat Oct 10 22:44:50 2009

 1299 3549 9002 40965 196804
   213.248.83.252 from 213.248.83.252 (213.248.83.252)
 Origin IGP, localpref 100, valid, external
 Last update: Thu Oct  8 15:43:18 2009

 3303 9002 40965 196804
   164.128.32.11 from 164.128.32.11 (164.128.32.11)
 Origin IGP, localpref 100, valid, external
 Community: 1120:2 3303:1004 3303:1006 3303:3056
 Last update: Thu Oct  8 15:06:42 2009

 2905 702 9002 40965 196804
   196.7.106.245 from 196.7.106.245 (196.7.106.245)
 Origin IGP, metric 0, localpref 100, valid, external
 Last update: Thu Oct  8 15:42:42 2009

 31500 3267 9002 40965 196804
   95.140.80.254 from 95.140.80.254 (1.0.0.10)
 Origin IGP, metric 0, localpref 100, valid, external
 Last update: Tue Oct 13 00:33:35 2009

 1221 4637 3549 9002 40965 196804
   203.62.252.186 from 203.62.252.186 (203.62.252.186)
 Origin IGP, localpref 100, valid, external
 Last update: Thu Oct  8 14:43:32 2009

 5056 1239 3549 9002 40965 196804
   167.142.3.6 from 167.142.3.6 (167.142.225.101)
 Origin IGP, localpref 100, valid, external
 Last update: Thu Oct  8 15:10:31 2009

 7660 2516 3549 9002 40965 196804
   203.181.248.168 from 203.181.248.168 (203.181.248.168)
 Origin IGP, localpref 100, valid, external
 Community: 2516:1030
 Last update: Thu Oct  8 14:44:01 2009

 6762 3549 9002 40965 196804
   195.22.216.188 from 195.22.216.188 (195.22.216.188)
 Origin IGP, metric 100, localpref 100, valid, external
 Community: 6762:31
 Last update: Thu Oct  8 14:43:28 2009

 16150 9002 40965 196804
   217.75.96.60 from 217.75.96.60 (217.75.96.60)
 Origin IGP, metric 0, localpref 100, valid, external
 Community: 16150:63392 16150:65215 16150:65320
 Last update: Thu Oct  8 14:43:26 2009

 6453 3549 9002 40965 196804
   207.45.223.244 from 207.45.223.244 (66.110.0.124)
 Origin IGP, localpref 100, valid, external
 Last update: Thu Oct  8 14:43:25 2009

 2152 11164 9002 40965 196804
   137.164.16.12 from 137.164.16.12 (137.164.16.196)
 Origin IGP, localpref 100, valid, external
 Community: 2152:65299 2152:65506 11164:1130 11164:7880
 Last update: Sat Oct 10 13:52:50 2009

 6453 3549 9002 40965 196804
   195.219.96.239 from 195.219.96.239 (195.219.96.239)
 Origin IGP, localpref 100, valid, external
 Last update: Thu Oct  8 14:43:22 2009

 3277 3267 9002 40965 196804
   194.85.4.55 from 194.85.4.55 (194.85.4.16)
 Origin IGP, localpref 100, valid, external
 Community: 3277:3267 3277:65321 3277:65323
 Last update: Thu Oct  8 14:43:51 2009

 852 3561 9002 40965 196804
   154.11.98.225 from 154.11.98.225 (154.11.98.225)
 Origin IGP, metric 0, localpref 100, valid, external
 Community: 852:180
 Last update: Thu Oct  8 14:43:21 2009

 3356 9002 40965 40965 196804
   4.69.184.193 from 4.69.184.193 (4.68.3.50)
 Origin IGP, metric 0, localpref 100, valid, external
 Community: 3356:2 3356:22 3356:100 3356:123 3356:507 3356:2076
65000:0
 Last update: Tue Oct 13 06:09:59 2009

 701 3549 9002 40965 196804
   157.130.10.233 from 157.130.10.233 (137.39.3.60)
 Origin IGP, localpref 100, valid, external
 Last update: Thu Oct  8 14:43:48 2009

 8492 9002 40965 196804
   85.114.0.217 from 85.114.0.217 (85.114.0.2)
 Origin IGP, localpref 100, valid, external
 Community: 8492:1101 9002:0 9002:64677
 Last update: Thu Oct  8 14:43:16 2009

 5413 9002 40965 196804
   62.72.136.2 from

Re: Use of Default in the DFZ: banned in philly, see it now on the net!

2009-06-24 Thread Ricardo Oliveira 

Hi,
The classification we have is one possible classification, it's hard  
(if not impossible) to capture the diversity of the network in 4  
classes without having mislabels. We noticed that there were a  
considerable number of networks with special arrangements (i.e. a very  
small number of local downstreams mostly non-profit), specially in  
academic campus networks. Because these networks are not ISPs in the  
traditional sense (not their main business), we relaxed the stub  
threshold  at the cost of including some other cases of networks that  
are actual ISPs (e.g. Jack Bates).  Looking forward to see Randy's  
survey results to see how often this happened.


Thanks,

--Ricardo

On Jun 24, 2009, at 12:26 PM, Pete Templin wrote:


Lixia Zhang wrote:

On Jun 24, 2009, at 11:04 AM, Pete Templin wrote:
In (your) theory, your paper may hold up.  In practice, your  
definition of stub network is most likely considered wrong, and  
that likely shifts a lot of the assumptions in your paper.
But I also believe that there are a few common practical patterns  
that cover majority of reality.
We need to be mindful of diversity in real world but also capture  
basic common patterns (I'd agree that the paper perhaps should have  
said a few more words about the former).


Skimming the paper turns up a key sentence, Stub networks, on the  
other hand, do not forward packets for other networks.  What part  
of that led you to think that stub networks forward packets for 1-4  
downstream ASNs?


pt

Re: how many BGP routers, how many ASes

2009-05-13 Thread Ricardo Oliveira 

you might want to have a look at:
http://irl.cs.ucla.edu/topology

--Ricardo   

On May 13, 2009, at 8:53 AM, Irfan Zakiuddin wrote:


Hi all,

I have scouted around for this information, but not get very far.  I'm
hoping someone will have answers at hand.

What I want to know is roughly how many :

1.  ASes there are in the world today?
2.  BGP routers there are, for intra-domain as well as inter-domain  
routing,

in total in the world?
3.  BGP routers do the largest ASes have?


Really interesting would then be to say either how fast the above  
numbers
are growing, or to give estimates for what the answers to 1-3 will  
be in 5

years time.

An Internet source that provides the above information would be most  
useful

- though I can't seem to find it with google.

I'd be grateful for answer to be sent to me directly, whether you  
also post

to NANOG is up to you.

thanks in advance.

irfan

Re: Anomalies with AS13214 ?

2009-05-11 Thread Ricardo Oliveira 

Hi all,

First, thanks for using Cyclops, and thanks for all the Cyclops users  
that drop me a message about this.


It seems some router in AS13214 decided to originate all the prefixes  
and send them to AS48285 in the Caymans, all the ASPATHs are 48285  
13214.
The first announcement was on 2009-05-11 11:03:11 UTC and last on  
2009-05-11 12:16:32 UTC, there were 266,289 prefixes leaked (they were  
withdrawn afterwards)


As indicated in the Cyclops alerts, only a single monitor(AS48285) in  
route-views4 detected this leak. I checked on other neighbors of  
AS13214 and they seem fine, so it seems it was only a single router  
issue.


This incident shows the advantage of having a wide set of peers for  
detection, it seems Cyclops was the only tool to detect this incident.  
Given the amount of banks and financial institutions in the Caymans, i  
would otherwise have raised a red flag, but it seems this case was an  
unintentional misconfig by AS13214.


Would appreciate any further comment on the tool, and happy cyclopying!

--Ricardo
the Cyclops guy
http://cyclops.cs.ucla.edu


On May 11, 2009, at 8:30 AM, Jay Hennigan wrote:

We're getting cyclops[1] alerts that AS13214 is advertising itself  
as origin for all of our prefixes.  Their anomaly report shows  
thousands of prefixes originating there.


Anyone else seeing evidence of this or being affected?


[1] http://cyclops.cs.ucla.edu/


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

Re: Can you see these AS links:)

2009-04-01 Thread Ricardo Oliveira 

And you might want to have a look at:
http://www.cs.ucla.edu/~rveloso/papers/completeness.pdf
http://www.cs.ucla.edu/~rveloso/papers/completeness_tr.pdf

--Ricardo

On Mar 31, 2009, at 7:56 PM, Kai Chen wrote:


Hello folks,
As part of a research project here at Northwestern, we have found  
quite a
few unexpected AS-level links that do not appear in public available  
BGP
tables. We really need your help in validating them; for anyone who  
knows
links associated with any AS, if you can assist us with this please  
contact

us off list.

Thanks!
- Kai

Cyclops: an open eye to your network (beta release)

2009-03-11 Thread Ricardo Oliveira 

Hi,

Just to let you know about Cyclops (beta for now), a tool for topology  
visibility and real-time routing anomaly detection/alerting for  
service providers and enterprise networks. Cyclops uses real time data  
from hundreds of vantage points of route-views, ripe-ris, packet  
clearing house and Univ. of Colorado bgpmon to assess how the rest of  
the world is reaching your network.


Cyclops features include:
- real-time alerting of prefix hijacks and misconfigured announcements
- alerting of next-hop changes, AS in the middle (transit) and new  
prefix

- alerting of new AS neighbor (false link announcement/leakages)
- Global visibility on AS connectivity and prefix origins
- Monitoring of routes to critical infrastructure, e.g. DNS TLDs
- Anomaly listings (anomalous depeerings, bogus ASNs, bogon prefixes,  
long/short prefixes)


To register for Cyclops please visit:
http://cyclops.cs.ucla.edu/?l=reg

To start configuring your network go to:
http://cyclops.cs.ucla.edu/?v=matab=1
(need to be logged in)

You need to tell cyclops what are your prefixes, your ASNes and your  
neighbor ASNs.


Please do not hesitate to contact me in case you have questions/ 
comments/bug reports.


Thanks for being a Cycloper!

--Ricardo
In name of the Cyclops Team

Road Runner DNS servers

2009-02-26 Thread Ricardo Oliveira 
Is there anyone clueful in this list from Road Runner(Time Warner  
Cable) that can explain what's going on with their DNS servers - just  
contacted their tech support and heard their DNS servers have been  
under attack over the last 3 days..

thanks,

--Ricardo

Re: Global Blackhole Service

2009-02-13 Thread Ricardo Oliveira 

Nuno et all,
Count me in for this..
Cheers,

--Ricardo
http://www.cs.ucla.edu/~rveloso

On Feb 13, 2009, at 8:41 AM, Nuno Vieira - nfsi telecom wrote:

Ok, however, what i am talking about is a competelly diferent thing,  
and i think that my thoughts are alligned with Jens.


We want to have a Sink-BGP-BL, based on Destination.

Imagine, i as an ISP, host a particular server that is getting nn  
Gbps of DDoS attack.  I null route it, and start advertising a /32  
to my upstream providers with a community attached, for them to null  
route it at their network.
However, the attacks continue going, on and on, often flooding  
internet exchange connections and so.


A solution like this, widelly used, would prevent packets to leave  
their home network, mitigating with effective any kind of DDoS (or  
packet flooding).


Obviously, we need a few people to build this (A Website, an  
organization), where when a new ISP connects is added to the system,  
a prefix list should be implemented, preventing that ISP to announce  
IP addresses that DON'T belong to him.


The Sink-BGP-BL sends a full feed of what it gots to Member ISP's,  
and those member ISP's, should apply route-maps or whatever they  
want, but, in the end they want to discard the traffic to those  
prefixes (ex: Null0 or /dev/null).


This is a matter or getting enough people to kick this off, to build  
a website, to establish one or two route-servers and to give use to.


Once again, i am interested on this, if others are aswell, let  
know.  This should be a community-driven project.


regards,
---
Nuno Vieira
nfsi telecom, lda.

nuno.vie...@nfsi.pt
Tel. (+351) 21 949 2300 - Fax (+351) 21 949 2301
http://www.nfsi.pt/



- Valdis Kletnieks valdis.kletni...@vt.edu wrote:


How do you vet proposed new entries to make sure that some miscreant
doesn't
DoS a legitimate site by claiming it is in need of black-holing?   
Note

that
it's a different problem space than a bogon BGP feed or a spam-source
BGP
feed - if the Cymru guys take another 6 hours to do a proper  
paperwork

and
background check to verify a bogon, or if Paul and company take
another day
to verify something really *is* a cesspit of spam sources, it doesn't
break the
basic concept or usability of the feed.

You usually don't *have* a similar luxury if you're trying to deal
with a
DDoS, because those are essentially a real-time issue.

Oh, and cleaning up an entry in a timely fashion is also important,
otherwise
an attacker can launch a DDoS, get the target into the feed, and walk
away...

Re: question on BGP aggregation

2008-10-22 Thread Ricardo Oliveira 
the ASes in the AS_SET resulted from merging 2 or more AS_PATHS, you  
only know at least one of them is connected to AS3 ...

more details at rfc4271:
http://www.ietf.org/rfc/rfc4271.txt

An AS_SET implies that the destinations listed in the NLRI can
 be reached through paths that traverse at least some of the
 constituent autonomous systems.  AS_SETs provide sufficient
 information to avoid routing information looping; however,
 their use may prune potentially feasible paths because such
 paths are no longer listed individually in the form of
 AS_SEQUENCEs.  In practice, this is not likely to be a problem
 because once an IP packet arrives at the edge of a group of
 autonomous systems, the BGP speaker is likely to have more
 detailed path information and can distinguish individual paths
 from destinations.


--Ricardo

On Oct 22, 2008, at 8:17 PM, Kai Chen wrote:


Hi,

I observe some BGP AS paths collected from Routeview having the AS-set
in the last hop. According to my understanding, this is BGP route
aggregation. However, my question is as follows:
Suppose, there is a path AS1 AS2 AS3 {AS4 AS5 AS6}, how AS4 AS5 AS6
connect to AS3?
Does it necessarily mean that AS4 AS5 AS6 are direct neighbors of AS4,
and AS4 aggregate the routes from AS4 AS5 AS6 then exporting outside.
or, it could be other cases such as AS4 aggregate AS5 AS6 first, and
then AS3 aggregate AS4?

Thanks in advance,

Re: why not AS number based prefixes aggregation

2008-09-08 Thread Ricardo Oliveira 
Topological aggregation based on ASN is often too course granularity,  
see this paper:

http://www.cs.ucla.edu/~rveloso/papers/giro.pdf
specifically Fig4 is a good example, and sec 4C.
Cheers,

--Ricardo

On Sep 8, 2008, at 6:20 AM, yangyang. wang wrote:


Hi, everyone:

 For routing scalability issues, I have a question: why not  
deploy AS
number based routing scheme?  BGP is path vector protocol and the  
shortest
paths are calculated based on traversed AS numbers. The prefixes in  
the same

AS almost have the same AS_PATH associated, and aggregating prefixes
according to AS will shrink BGP routing table significantly. I  
don't know

what comments the ISPs make on this kind of routing scheme.


-yang

Re: BGP Scalability Simulation

2008-09-02 Thread Ricardo Oliveira 

Moazzam,

Do you have something specific in mind you want to measure? e.g.  
convergence times, table size, update count, etc? the scope of your  
study seems to broad as you describe it..

Cheers,

--Ricardo

On Sep 1, 2008, at 12:57 PM, Moazzam Khan wrote:


Thanks Stefan for your reply.

Basically the goal of this testing is to study the BGP scalability  
issues in
the internet sometime in future lets say 10 years from now and try  
to find
out what problems it could face . I am trying to use ns2 as my  
simulation

environment.

Can you suggest how I can set up the envrionment for this kind of  
study and

what parameters should I try to caputre.

Regards
MAK

On Mon, Sep 1, 2008 at 3:51 PM, Fouant, Stefan  
[EMAIL PROTECTED]wrote:


 Topology and setup of these kinds of tests largely depend on  
whether you
are testing iBGP or eBGP. In my experience, eBGP testing is fairly  
straight
forward as you are almost always testing reconvergence of the BGP  
next-hop.
iBGP testing scenarios on the other hand can be quite a bit more  
complex as
you may also be testing the reconvergence of the underlying IGP if  
the BGP

next-hop remains unchanged. Can you describe your testing goals and
environment in a bit more detail?

Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D


- Original Message -
From: Moazzam Khan [EMAIL PROTECTED]
To: nanog@nanog.org nanog@nanog.org
Sent: Mon Sep 01 15:37:19 2008
Subject: BGP Scalability Simulation

Hi

I am trying to simulate BGP for scalability testing. I have few  
queries.



1) What sort of topology I should try out ?

2) What parameters should I test?

I am trying to simulate it in ns-2  and i would appreciate reply  
from you

guys.

Regards

MAK

Re: BGP Scalability Simulation

2008-09-02 Thread Ricardo Oliveira 
The topos you mentioned are synthetic (e.g. generated based on math),  
you might want to check these ones instead, based on bgp tables from  
public sources:

http://irl.cs.ucla.edu/topology/

Also, i don't think using a full internet topology is the way to go  
to do measure convergence time. The reason is that convergence time  
is highly dependent on ibgp architecture, router timers, etc and  
modeling things as one router per AS is at most unrealistic for this  
purpose. I would suggest to look at a small yet realistic topology of  
a few ISPs, e.g. as given by rocket fuel:

http://www.cs.washington.edu/research/networking/rocketfuel/

For routing table size, you just need to grab the existing available  
routing tables, e.g.

http://www.routeviews.org/
and do an extrapolation of the number of prefixes in RIB  n years  
from now


--Ricardo



On Sep 2, 2008, at 10:43 AM, Moazzam Khan wrote:


Hi Ricardo,

Basically I want to measure the Convergence times and routing table  
sizes. But I am not able to find a good topology of internet which  
I can utilize for my experimentations. I am looking at GT-ITM,  
BRITE and IGen but don't know what kind of abstraction they provide  
and if these topologies are feasible to test the above mentioned  
parameters.


What challenges I can face if I want to measure all those  
parameters convergence times ,table sizes , update count, signal  
sizes etc.



Regards
Moazzam

On Tue, Sep 2, 2008 at 1:35 PM, Ricardo Oliveira  
[EMAIL PROTECTED] wrote:

Moazzam,

Do you have something specific in mind you want to measure? e.g.  
convergence times, table size, update count, etc? the scope of your  
study seems to broad as you describe it..

Cheers,

--Ricardo


On Sep 1, 2008, at 12:57 PM, Moazzam Khan wrote:

Thanks Stefan for your reply.

Basically the goal of this testing is to study the BGP scalability  
issues in
the internet sometime in future lets say 10 years from now and try  
to find
out what problems it could face . I am trying to use ns2 as my  
simulation

environment.

Can you suggest how I can set up the envrionment for this kind of  
study and

what parameters should I try to caputre.

Regards
MAK

On Mon, Sep 1, 2008 at 3:51 PM, Fouant, Stefan  
[EMAIL PROTECTED]wrote:


 Topology and setup of these kinds of tests largely depend on  
whether you
are testing iBGP or eBGP. In my experience, eBGP testing is fairly  
straight
forward as you are almost always testing reconvergence of the BGP  
next-hop.
iBGP testing scenarios on the other hand can be quite a bit more  
complex as
you may also be testing the reconvergence of the underlying IGP if  
the BGP

next-hop remains unchanged. Can you describe your testing goals and
environment in a bit more detail?

Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D


- Original Message -
From: Moazzam Khan [EMAIL PROTECTED]
To: nanog@nanog.org nanog@nanog.org
Sent: Mon Sep 01 15:37:19 2008
Subject: BGP Scalability Simulation

Hi

I am trying to simulate BGP for scalability testing. I have few  
queries.



1) What sort of topology I should try out ?

2) What parameters should I test?

I am trying to simulate it in ns-2  and i would appreciate reply  
from you

guys.

Regards

MAK