This blog post discusses suspicious prefix announcements related to the A-Root, C-Root, and G-Root domain servers, which occurred simultaneously on May 19, 2023. We provide details of the announcements, including timestamps, prefixes, and AS paths, as captured by RIS Live. Interestingly, the suspicious announcements were only picked up by only one RIS Peer. The blog post raises concerns about the low visibility of these announcements and suggests the possibility of a RIS peer malfunction.
The Code BGP Platform identified that AS 209861 announced three prefixes belonging to Verisign, Cogent, and the US Department of Defense. These serve as the IPv6 prefixes for the A-Root, C-Root, and G-Root domain servers, respectively, three among the thirteen authoritative name servers for the DNS root zone.
The announcements were made simultaneously at 00:49:15 (UTC +3) on May 19, 2023, and each lasted slightly over two minutes before they were withdrawn. The announcements were repeated twice more at 01:16:23 and 02:12:26 (UTC +3).
Details of each announcement, including the timestamps, prefix, and AS path, are visible in the update logs screenshot from the Code BGP Platform. One of the platform's data services, RIS Live, captured these announcements. The Peer IP and Peer ASN of RIS Live are also displayed.
Short-lived events
The duration of the second set of announcements extended slightly beyond five minutes, while the third lasted an additional two minutes. The Code BGP Platform's email alerts for the second batch provide further details, such as the offending AS, the prefixes, as well as the trigger and resolution timestamps. It is noteworthy to observe the brief duration of these events, ranging from 2 to 5 minutes.
Contrary to the Code BGP Platform, which receives and processes all incoming streaming BGP updates from multiple sources, a monitoring platform that samples the BGP state every 15 minutes, for example, is incapable of detecting such ephemeral events.
Low visibility of suspicious route - possible RIS Peer malfunction?
The only RIS Peer which picked up these announcements has IP 2a0c:9a40:1031::504, is connected to RRC25 (a multihop Route Collector in Amsterdam) and belongs to AS 211380. Based on RIPE IPMap that we utilize for IP geolocation, this IP is situated in London, UK.
Kate Gerry, director of Global Networking at NetActuate, has shared with us that the same AS has also hijacked five IPv6 prefixes held by NetActuate. This incident is likewise visible in RIPEStat’s BGPlay.
Additionally, this AS was observed as the first-hop neighbor of AS 209861 at the time of the announcements. However, according to the Peerings table of the Code BGP Platform, this is no longer the case.
These questionable announcements were not detected anywhere else. For instance, our own Code BGP Monitor, a BGP streaming service with 218 peers across 72 cities, failed to detect the Root DNS announcements in question. Similarly, no other RIS peer identified them. Kate Gerry also mentioned that the announcements associated with NetActuate's network were not observed outside of RIPE RIS. These facts cause concern, suggesting the possibility of a RIS peer malfunction. We will keep an eye on this for any developments.