[dns-operations] BGP anomalies related to root DNS prefixes

[Lefteris Manassakis]

Hello,

My name is Lefteris Manassakis, Internet researcher and COO of Code BGP.

 

Since January 20, 2023, we have been monitoring the root DNS prefixes using
our product, the Code BGP Platform, and we have identified multiple BGP
anomalies related to these prefixes, some of which I will present in this
email.

 

1.        January 27, 2023: AS 24028 appeared as origin of prefix
2001:500:2f::/48 of F-Root. The event as seen by BGPlay:
https://stat.ripe.net/widget/bgplay#w.resource=2001:500:2f::/48
<https://stat.ripe.net/widget/bgplay#w.resource=2001:500:2f::/48&w.ignoreRea
nnouncements=false&w.starttime=1674752397&w.endtime=1674925197&w.rrcs=0,1,5,
6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp>
&w.ignoreReannouncements=false&w.starttime=1674752397&w.endtime=1674925197&w
.rrcs=0,1,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp

 

2.       February 25, 2023: AS 17639 appeared as origin of prefix
2001:500:a8::/48 of E-Root. At the exact same time, appeared as origin of
2001:500:2f::/48 of F-Root:

a.       BGPlay for E-Root:
https://stat.ripe.net/widget/bgplay#w.resource=2001:500:a8::/48%20
<https://stat.ripe.net/widget/bgplay#w.resource=2001:500:a8::/48%20&w.ignore
Reannouncements=false&w.starttime=1677322776&w.endtime=1677409176&w.rrcs=0,1
,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp>
&w.ignoreReannouncements=false&w.starttime=1677322776&w.endtime=1677409176&w
.rrcs=0,1,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp

 

b.       BGPlay for F-Root:
https://stat.ripe.net/widget/bgplay#w.resource=2001:500:2f::/48
<https://stat.ripe.net/widget/bgplay#w.resource=2001:500:2f::/48&w.ignoreRea
nnouncements=false&w.starttime=1677347997&w.endtime=1677434397&w.rrcs=0,1,5,
6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp>
&w.ignoreReannouncements=false&w.starttime=1677347997&w.endtime=1677434397&w
.rrcs=0,1,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp

 

The offending network (AS 17639 Converge ICT Solutions) is mentioned in a
report by Aftab Siddiqui for events that took place in 2020:
https://www.manrs.org/2021/02/bgp-rpki-and-manrs-2020-in-review/

 

3.       April 28, 2023. AS 137661 appeared as origin of prefix
199.7.83.0/24 of L-Root. This event has very low visibility due to the very
long AS path. However, it had been active for 2 months:
https://stat.ripe.net/widget/bgplay#w.resource=199.7.83.0/24
<https://stat.ripe.net/widget/bgplay#w.resource=199.7.83.0/24&w.ignoreReanno
uncements=false&w.starttime=1682589576&w.endtime=1688205576&w.rrcs=0,1,5,6,7
,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp>
&w.ignoreReannouncements=false&w.starttime=1682589576&w.endtime=1688205576&w
.rrcs=0,1,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp

 

4.       June 12, 2023. AS 201333 appeared as origin of prefix 193.0.14.0/24
of K-Root: https://stat.ripe.net/widget/bgplay#w.resource=193.0.14.0/24
<https://stat.ripe.net/widget/bgplay#w.resource=193.0.14.0/24&w.ignoreReanno
uncements=false&w.starttime=1686528000&w.endtime=1686614399&w.rrcs=0,1,5,6,7
,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp>
&w.ignoreReannouncements=false&w.starttime=1686528000&w.endtime=1686614399&w
.rrcs=0,1,5,6,7,10,11,13,14,15,16,18,20&w.instant=null&w.type=bgp

 

If you have any questions of comments, feel free to message me.

 

Best regards,

 

Lefteris

 




Lefteris Manassakis

COO & Co-founder
 <http://www.codebgp.com> www.codebgp.com  |  +30 281 039 1248

Monitor . Detect . Protect

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20230701/b4d1ced6/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1304 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20230701/b4d1ced6/attachment.png>