[Tfug] Comcast Anomaly
Adrian
choprboy at dakotacom.net
Mon Apr 17 16:12:12 MST 2006
On Monday 17 April 2006 14:30, evorrie at comcast.net wrote:
> This is somewhat off the topic but I thought Comcast customers in Tucson and
> around the country would get a kick out of this.
[snip]
>
> traceroute to 10.6.90.159 (10.6.90.159), 64 hops max, 40 byte packets
> 1 172.30.125.241 (172.30.125.241) 1.717 ms 0.677 ms 1.544 ms
> 2 192.168.15.1 (192.168.15.1) 3.026 ms 2.131 ms 2.045 ms
> 3 73.109.0.1 (73.109.0.1) 14.727 ms 7.498 ms 8.656 ms
> 4 68.87.172.197 (68.87.172.197) 8.945 ms 9.005 ms 8.396 ms
[snip]
> 15 12-220-1-93.client.insightbb.com (12.220.1.93) 62.426 ms 84.802 ms 62.683 ms
> 16 * * *
> 17 10.6.90.159 (10.6.90.159) 67.088 ms 69.857 ms 72.274 ms
>
Yep... I have seen this before. Quite often you will be able to trace
in/around Comcast/Cox/etc. in private IP space. All use it extensively for
internal routing. But most block RFCd space at the border... but some router
admins seem to forget that 10.x.x.x includes 10.1-255.x.x.
Interestingly, in this case it goes a bit beyond that as well!!! Digging into
it a bit more, seems some genius in the Czech Republic has decided.... that
in addition to their own network they are going to BGP announce 10.0.0.0/8!!!
Ah... how wonderful... Checking the announcements:
[ajensen at vagabond ny_db]$ whois -h whois.cymru.com -v 10.6.90.159
[Querying whois.cymru.com]
[whois.cymru.com]
AS | IP | AS Name
16215 | 10.6.90.159 | ASN-GENOTEC Genotec Internet C
And the nearest peer is:
PEER_AS | IP | AS Name
12654 | 10.6.90.159 | RIPE-NCC-RIS-AS RIPE NCC RIS P
So Genotec Internet Consulting has decided to request routing of all 10.x.x.x
traffic to itself... How cute. Ought to be a pretty sight when the next major
Windows virus hits... taking the load of a few hundred thousand machines all
trying to infect 10.x.x.x address space. :)
To give them a little credit... It appears to be only 1 router, of what
appears to be border routers total, that has the error. It looks like they
have an internal 10/8 network. 3 of the 4 routers report (if I understand BGP
correctly) that 10/8 is not shared with any external peer. But their 4th
router "Frankfurt" (gic-bgp-fra-001.as16215.net) is announcing 10/8 to a
German exchange (DE-CIX-FRA-IXP) which is passing it on.
Adrian
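
An added example, not part of the original message: a Python check that compares a too-narrow border deny list against full RFC 1918 coverage, the filtering gap the post describes. The weak list (10.0.0.0/16 in place of 10.0.0.0/8), the sample routes other than the AS16215 10.0.0.0/8 announcement, and all function names are assumptions made for illustration.

```python
import ipaddress

# Full RFC 1918 private space: none of it belongs in the global routing table.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical border deny list with the mistake from the post: only
# 10.0.x.x is covered, so 10.1-255.x.x and the /8 itself get through.
WEAK_DENY = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# (prefix, origin AS). The first entry is the announcement reported in the
# post; the rest are constructed samples using documentation AS numbers.
ANNOUNCEMENTS = [
    ("10.0.0.0/8", 16215),
    ("10.6.90.0/24", 64500),
    ("10.0.5.0/24", 64501),
    ("192.168.15.0/24", 64502),
    ("198.51.100.0/24", 64503),   # public documentation prefix
]

def rejected(prefix, deny_list):
    """True if the prefix equals, or is more specific than, a denied network."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(denied) for denied in deny_list)

def leaks(announcements, deny_list):
    """Private-space routes that deny_list fails to reject."""
    return [(prefix, asn) for prefix, asn in announcements
            if rejected(prefix, RFC1918) and not rejected(prefix, deny_list)]

if __name__ == "__main__":
    for prefix, asn in leaks(ANNOUNCEMENTS, WEAK_DENY):
        print(f"weak filter accepts {prefix} from AS{asn}")
    print("leaks with full RFC 1918 list:", leaks(ANNOUNCEMENTS, RFC1918))
```

The check matches equal or more-specific prefixes only; a covering route such as a default route is not flagged.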