Friday Distraction: Who's Leaking >/24 to Global BGP?
[It occurred to me after finishing this that I should have done everything based on ASN, but play time is over for the day...]
An interesting conversation with my friend @denise_donohue led to this question: what providers are leaking prefixes longer than /24 to the global Internet?
Following my continuing theme of "fun stuff you can do by combining IOS and Bash", I ran a two-step process via one of my BGP routers to get the answer:
$ ssh routername 'show ip bgp prefix-list GT24' > /tmp/gt24.txt
$ grep '^\*' /tmp/gt24.txt | sed 's/^[^0-9]*//' | awk '{print $1}' | awk -F. '{OFS=".";print $1,$2 ".0.0"}' | sort -u | xargs -I{} whois {} | grep netname | sort -u
Here's the breakdown:
Extract just valid BGP prefixes (lines whose status code starts with "*") from the router output, strip the three-character status column so that "*>i", "*> " and "* i" entries are all handled the same way, and keep the prefix field:
grep '^\*' /tmp/gt24.txt | sed 's/^[^0-9]*//' | awk '{print $1}'
Substitute ".0.0" for the last two octets, normalizing each prefix to its parent /16, then remove duplicates:
| awk -F. '{OFS=".";print $1,$2 ".0.0"}' | sort -u
Send those /16s one-by-one to the "whois" command, extract the "netname" field, and remove duplicates again:
| xargs -I{} whois {} | grep netname | sort -u
Note that this takes a while to run because of the time it takes the Whois server to respond.
The prefix-list that I used to get the output from the first step is as follows:
ip prefix-list GT24 permit 0.0.0.0/0 ge 25
Note that I used this as an argument to "show ip bgp", not as part of the config!
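The same idea as a self-contained script, added here as an example rather than the commands from the post, run against a constructed "show ip bgp" excerpt: it strips the status column whether the entry is "*>i", "*> " or "* i", keeps only prefixes longer than /24, and reports each one's parent /16 next to the origin AS from the Path column, which gives the per-ASN view mentioned at the top. It assumes the origin AS is the last AS before the origin code and tags locally originated routes (next hop 0.0.0.0) as "local"; the whois step is left out because it needs network access, and the parent-/16 column can be fed to xargs whois exactly as above.

```shell
#!/bin/sh
# Added example (not the post's own commands): parse "show ip bgp" text,
# keep valid (*) paths longer than /24, and print per unique prefix:
#   prefix  parent-/16  origin-AS
# Assumption: origin AS = last AS in the Path column, before the i/e/? code.

# Constructed sample of router output (documentation prefixes and ASNs only).
sample_bgp() {
  cat <<'EOF'
BGP table version is 12, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i198.51.100.0/25  192.0.2.2                0    100      0 64496 64500 i
* i198.51.100.0/25  192.0.2.3                0    100      0 64496 64500 i
*> 198.51.100.128/26 192.0.2.4                             0 64497 64500 i
*>i203.0.113.64/27  192.0.2.2                0    100      0 64496 64501 ?
*> 203.0.113.0/24   192.0.2.4                             0 64497 64502 i
*> 192.0.2.0/26     0.0.0.0                  0         32768 i
r>i203.0.113.192/26 192.0.2.2                0    100      0 64496 64503 i
EOF
}

# stdin: "show ip bgp" output; stdout: "prefix parent16 originAS", deduplicated.
gt24_origins() {
  grep '^\*' |             # valid paths only ("r>i" RIB-failure lines are dropped)
  sed 's/^[^0-9]*//' |     # strip the status column: "*>i", "*> " and "* i" alike
  awk '{
    split($1, p, "/")                  # p[1] = network, p[2] = prefix length
    if (p[2] + 0 <= 24) next           # same filter as "ge 25" in the prefix-list
    split(p[1], o, ".")                # first two octets give the parent /16
    as = ($2 == "0.0.0.0") ? "local" : $(NF - 1)   # locally originated -> "local"
    print $1, o[1] "." o[2] ".0.0", as
  }' |
  sort -u
}

# Count the >/24 prefixes per origin AS, most prolific first.
gt24_by_origin() {
  gt24_origins | awk '{ print $3 }' | sort | uniq -c | sort -rn
}

sample_bgp | gt24_origins
sample_bgp | gt24_by_origin
```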
Now, this obviously isn't entirely accurate, because it only shows the providers leaking long prefixes that aren't being filtered by any of my upstream providers, but it's interesting. I also searched based only on the parent /16, so there could be lower-level providers that I'm missing.
Some of them are clearly the same provider tagged with different whois records (e.g., "TBROAD" and "TBROAD-KR").
netname: AFRINIC-NET-TRANSFERRED-200909
netname: ASI
netname: ASIANET
netname: AquaRaySARL-2
netname: BIDCMain
(about 100 more)
etc. Run it yourself to get the full list from your router's perspective!