nitefood / asn

ASN / RPKI validity / BGP stats / IPv4v6 / Prefix / URL / ASPath / Organization / IP reputation / IP geolocation / IP fingerprinting / Network recon / lookup API server / Web traceroute server
MIT License

Last AS missing in AS path information #41

Closed paulmenzel closed 1 year ago

paulmenzel commented 1 year ago

I am using

$ git log --oneline --no-decorate -1
1f794b9 Add installation instructions for RHEL 7 and 8 (#38)

Then:

$ ./asn charite.de

────────────────────────────────────────────────────────────
            WARNING 

No IPQualityScore token found, so disabling in-depth threat 
analysis and IP reputation lookups. Please visit 
https://github.com/nitefood/asn#ip-reputation-api-token 
for instructions on how to enable it. 
────────────────────────────────────────────────────────────

╭───────────────────────────╮
│ ASN lookup for charite.de │
╰───────────────────────────╯

- Resolving "charite.de"... 1 IP address found:

 141.42.206.113 ┌PTR charite.de
                ├ASN 680 (DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., DE)
                ├ORG DFN
                ├NET 141.42.0.0/16 (CHARITE-NET)
                ├ABU abuse@charite.de / abuse@dfn.de
                ├ROA ✓ VALID (1 ROA found)
                ├GEO Berlin, Land Berlin (DE)
                ├CPE [APP: php:php] [APP: apache:http_server] [APP: typo3:typo3]
                ├POR Open ports: 80, 443
                └REP ✓ NONE

╭─────────────────────╮
│ Trace to charite.de │
╰─────────────────────╯

 Hop IP Address         Loss%      Ping avg     AS Information                  
  1. o2.box (192.168.1.1)    80%        0.7 ms    BOGON  rfc1918 (Private Space)
  2. loopback1.0002.acln.01.ber.de.net.telefonica.de (62.52.201.185)    80%        6.9 ms   [AS6805] TDDE-ASN1, DE
  3. bundle-ether16.0003.dbrx.01.ber.de.net.telefonica.de (62.53.2.84)    80%        7.0 ms   [AS6805] TDDE-ASN1, DE
  4. ae1-0.0001.prrx.01.ber.de.net.telefonica.de (62.53.11.125)    80%        9.2 ms   [AS6805] TDDE-ASN1, DE
  5. dfn.bcix.de (193.178.185.42)    20%       17.1 ms    IXP  BCIX (Berlin Commercial Internet Exchange)
  6. kr-charit1.x-win.dfn.de (188.1.235.78)    80%       17.2 ms   (WIN-IP / IP networking on DFN's Wissenschaftsnetz "X-WiN")
  7. ???                 100%             *   (No reply)                        
  8. ???                 100%             *   (No reply)                        
  9. ???                 100%             *   (No reply)                        
 10. charite.de (141.42.206.113)    20%       19.3 ms   (CHARITE-NET / Charite - Universitaetsmedizin Berlin)

Trace completed in 37 seconds on 2023-02-20 14:22:40 CET

╭───────────────────────╮
│ AS path to charite.de │
╰───────────────────────╯

  6805   TDDE-ASN1 (Local AS)
 ╭╯
 ╰ IXP   BCIX (Berlin Commercial Internet Exchange)

The AS path information is missing the last AS680. It’s present in the mtr output:

$ mtr -z -s 10 -r -c 10 charite.de
Start: 2023-02-20T14:43:23+0100
HOST: ersatz                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. AS???    o2.box              90.0%    10    2.5   2.5   2.5   2.5   0.0
  2. AS???    loopback1.0002.acln 90.0%    10    7.0   7.0   7.0   7.0   0.0
  3. AS???    bundle-ether16.0003 90.0%    10    7.3   7.3   7.3   7.3   0.0
  4. AS6805   ae1-0.0001.prrx.01. 90.0%    10    6.4   6.4   6.4   6.4   0.0
  5. AS???    dfn.bcix.de         10.0%    10   16.7  17.0  16.7  17.7   0.4
  6. AS???    kr-charit1.x-win.df 90.0%    10   17.2  17.2  17.2  17.2   0.0
  7. AS???    ???                 100.0    10    0.0   0.0   0.0   0.0   0.0
  8. AS???    ???                 100.0    10    0.0   0.0   0.0   0.0   0.0
  9. AS???    ???                 100.0    10    0.0   0.0   0.0   0.0   0.0
 10. AS680    charite.de          10.0%    10   19.1  19.0  18.6  19.2   0.2

nitefood commented 1 year ago

Hey @paulmenzel,

apparently you get no AS resolution after the BCIX hop (n.5), which is odd. From your trace I reckon the script fails to output AS info for both AS680 hops (n.6 and n.10). Is this behavior reproducible with other paths/AS numbers that you can tell, or does it happen only for AS680? Was this a one-off error or does it keep happening?

I tried locally and am unable to reproduce the behavior, plus all AS680 hops resolve fine:

╭─────────────────────╮
│ Trace to charite.de │
╰─────────────────────╯

 Hop IP Address                                                                                  Loss%      Ping avg     AS Information
  1. 172.18.112.1                                                                                   0%        0.2 ms    BOGON  rfc1918 (Private Space)
  2. 192.168.10.1                                                                                   0%        0.5 ms    BOGON  rfc1918 (Private Space)
  3. 10.0.0.1                                                                                       0%        1.1 ms    BOGON  rfc1918 (Private Space)
  4. 93-43-50-65.ip90.fastwebnet.it (93.43.50.65)                                                   0%        6.2 ms   [AS12874] FASTWEB, IT
  5. 93-61-50-1.ip145.fastwebnet.it (93.61.50.1)                                                    0%        2.5 ms   [AS12874] FASTWEB, IT
  6. ???                                                                                          100%             *   (No reply)
  7. ???                                                                                          100%             *   (No reply)
  8. 10.254.20.241                                                                                  0%        7.5 ms    BOGON  rfc1918 (Private Space)
  9. 89-97-200-190.ip19.fastwebnet.it (89.97.200.190)                                               0%        6.6 ms   [AS12874] FASTWEB, IT
 10. 62-101-124-25.fastres.net (62.101.124.25)                                                      0%       16.0 ms   [AS12874] FASTWEB, IT
 11. cr-erl2-be1.x-win.dfn.de (80.81.193.222)                                                       0%       28.0 ms    IXP  DE-CIX Frankfurt ()
 12. cr-tub2-be10.x-win.dfn.de (188.1.146.210)                                                      0%       37.2 ms   [AS680] DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., DE
 13. kr-charit1.x-win.dfn.de (188.1.235.78)                                                         0%       37.9 ms   [AS680] DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., DE
 14. barrier.charite.de (193.175.73.8)                                                              0%       44.1 ms   [AS680] DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., DE
 15. fw-keeep-globaltransit.charite.de (141.42.5.249)                                               0%       41.2 ms   [AS680] DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., DE
 16. s-www-gw.charite.de (141.42.206.113)                                                           0%       42.1 ms   [AS680] DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., DE

Trace completed in 15 seconds on 2023-02-20 20:30:08 CET

╭───────────────────────╮
│ AS path to charite.de │
╰───────────────────────╯

  207013 WIFLY-AS (Local AS)
 ╭╯
 ╰12874  FASTWEB
 ╭╯
 ╰ IXP   DE-CIX Frankfurt ()
 ╭╯
 ╰680    DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.

paulmenzel commented 1 year ago

Yesterday it only happened with a few more domains but with others – also in DFN – it was fine.

╭────────────────────────────╮
│ Trace to www.mpimet.mpg.de │
╰────────────────────────────╯

 Hop IP Address                                                                               Loss%      Ping avg     AS Information               
  1. o2.box (192.168.1.1)                                                                       60%        0.8 ms    BOGON  rfc1918 (Private Space)
  2. loopback1.0002.acln.01.ber.de.net.telefonica.de (62.52.201.185)                            80%       21.7 ms   [AS6805] TDDE-ASN1, DE
  3. bundle-ether16.0003.dbrx.01.ber.de.net.telefonica.de (62.53.2.84)                          80%        6.8 ms   [AS6805] TDDE-ASN1, DE
  4. ae1-0.0001.prrx.01.ber.de.net.telefonica.de (62.53.11.125)                                 80%        7.2 ms   [AS6805] TDDE-ASN1, DE            
  5. dfn.bcix.de (193.178.185.42)                                                               40%       17.1 ms    IXP  BCIX (Berlin Commercial Internet Exchange)
  6. cr-ham1-be8.x-win.dfn.de (188.1.144.57)                                                    60%       20.1 ms   (WIN-IP / IP networking on DFN's Wissenschaftsnetz "X-WiN")
  7. ???                                                                                       100%             *   (No reply)            
  8. ???                                                                                       100%             *   (No reply)            
  9. ???                                                                                       100%             *   (No reply)                        
 10. www.mpimet.mpg.de (136.172.142.6)                                                          60%       23.2 ms   (RIPE-ERX-136-172-0-0 / RIPE Network Coordination Centre)

Trace completed in 36 seconds on 2023-02-20 08:17:44 CET

╭──────────────────────────────╮
│ AS path to www.mpimet.mpg.de │
╰──────────────────────────────╯

  6805   TDDE-ASN1 (Local AS)
 ╭╯
 ╰ IXP   BCIX (Berlin Commercial Internet Exchange)

╭─────────────────────────────────────╮
│ Trace to amerika.zedat.fu-berlin.de │
╰─────────────────────────────────────╯

 Hop IP Address                                                                               Loss%      Ping avg     AS Information
  1. o2.box (192.168.1.1)                                                                       80%        0.5 ms    BOGON  rfc1918 (Private Space)
  2. loopback1.0002.acln.01.ber.de.net.telefonica.de (62.52.201.185)                            80%        6.8 ms   [AS6805] TDDE-ASN1, DE         
  3. bundle-ether16.0004.dbrx.01.ber.de.net.telefonica.de (62.53.2.94)                          80%        6.8 ms   [AS6805] TDDE-ASN1, DE
  4. ae2-0.0001.prrx.01.ber.de.net.telefonica.de (62.53.11.127)                                 80%        6.3 ms   [AS6805] TDDE-ASN1, DE
  5. dfn.bcix.de (193.178.185.42)                                                               20%       16.9 ms    IXP  BCIX (Berlin Commercial Internet Exchange)
  6. kr-tub272-0.x-win.dfn.de (188.1.235.242)                                                   80%       17.2 ms   (WIN-IP / IP networking on DFN's Wissenschaftsnetz "X-WiN")
  7. ???                                                                                       100%             *   (No reply)                        
  8. ???                                                                                       100%             *   (No reply)
  9. ???                                                                                       100%             *   (No reply)      
 10. s51-7010-core-eth1-1.router.fu-berlin.de (160.45.246.38)                                   20%       17.3 ms   (FULAN / Freie Universitaet Berlin)
 11. amerika.router.fu-berlin.de (130.133.2.1)                                                  80%       16.9 ms   (RIPE-ERX-130-133-0-0 / RIPE Network Coordination Centre)

Trace completed in 44 seconds on 2023-02-20 08:43:26 CET

╭───────────────────────────────────────╮
│ AS path to amerika.zedat.fu-berlin.de │
╰───────────────────────────────────────╯

  6805   TDDE-ASN1 (Local AS)
 ╭╯
 ╰ IXP   BCIX (Berlin Commercial Internet Exchange)

╭───────────────────────────╮
│ Trace to www.tu-berlin.de │
╰───────────────────────────╯

 Hop IP Address                                                                               Loss%      Ping avg     AS Information
  1. o2.box (192.168.1.1)                                                                       80%        0.7 ms    BOGON  rfc1918 (Private Space)
  2. loopback1.0002.acln.01.ber.de.net.telefonica.de (62.52.201.185)                            80%        6.5 ms   [AS6805] TDDE-ASN1, DE
  3. ???                                                                                       100%             *   (No reply)
  4. ae2-0.0001.prrx.01.ber.de.net.telefonica.de (62.53.11.127)                                 80%        6.2 ms   [AS6805] TDDE-ASN1, DE
  5. dfn.bcix.de (193.178.185.42)                                                               20%       16.7 ms    IXP  BCIX (Berlin Commercial Internet Exchange)
  6. kr-tub248.x-win.dfn.de (188.1.235.118)                                                     80%       16.8 ms   (WIN-IP / IP networking on DFN's Wissenschaftsnetz "X-WiN")
  7. ???                                                                                       100%             *   (No reply)
  8. ???                                                                                       100%             *   (No reply)      
  9. ???                                                                                       100%             *   (No reply)                     
 10. tu-berlin.de (130.149.7.201)                                                               20%       18.1 ms   (RIPE-ERX-130-138-0-0 / RIPE Network Coordination Centre)

Trace completed in 36 seconds on 2023-02-20 08:44:17 CET

╭─────────────────────────────╮
│ AS path to www.tu-berlin.de │
╰─────────────────────────────╯

  6805   TDDE-ASN1 (Local AS)
 ╭╯
 ╰ IXP   BCIX (Berlin Commercial Internet Exchange)

Others worked:

╭──────────────────────────────────────╮
│ Trace to bigbluebutton.molgen.mpg.de │
╰──────────────────────────────────────╯

 Hop IP Address                                                                               Loss%      Ping avg     AS Information                  
  1. o2.box (192.168.1.1)                                                                       80%        0.6 ms    BOGON  rfc1918 (Private Space)   
  2. loopback1.0002.acln.01.ber.de.net.telefonica.de (62.52.201.185)                            80%       14.2 ms   [AS6805] TDDE-ASN1, DE            
  3. bundle-ether16.0004.dbrx.01.ber.de.net.telefonica.de (62.53.2.94)                          80%        7.2 ms   [AS6805] TDDE-ASN1, DE            
  4. ae2-0.0001.prrx.01.ber.de.net.telefonica.de (62.53.11.127)                                 80%        5.9 ms   [AS6805] TDDE-ASN1, DE            
  5. dfn.bcix.de (193.178.185.42)                                                               20%       17.2 ms    IXP  BCIX (Berlin Commercial Internet Exchange)
  6. ???                                                                                       100%             *   (No reply)                        
  7. ???                                                                                       100%             *   (No reply)                        
  8. ???                                                                                       100%             *   (No reply)                        
  9. ???                                                                                       100%             *   (No reply)                        
 10. bigbluebutton.molgen.mpg.de (141.14.15.170)                                                20%       18.7 ms   [AS680] DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., DE

Trace completed in 14 seconds on 2023-02-20 08:13:21 CET

╭────────────────────────────────────────╮
│ AS path to bigbluebutton.molgen.mpg.de │
╰────────────────────────────────────────╯

  6805   TDDE-ASN1 (Local AS)
 ╭╯
 ╰ IXP   BCIX (Berlin Commercial Internet Exchange)
 ╭╯
 ╰680    DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.

╭───────────────────────────────╮
│ Trace to www.mpim-bonn.mpg.de │
╰───────────────────────────────╯

 Hop IP Address                                                                               Loss%      Ping avg     AS Information
  1. o2.box (192.168.1.1)                                                                       80%        0.8 ms    BOGON  rfc1918 (Private Space)
  2. loopback1.0002.acln.01.ber.de.net.telefonica.de (62.52.201.185)                            80%        7.0 ms   [AS6805] TDDE-ASN1, DE         
  3. bundle-ether16.0003.dbrx.01.ber.de.net.telefonica.de (62.53.2.84)                          80%        7.2 ms   [AS6805] TDDE-ASN1, DE
  4. ae1-0.0001.prrx.01.ber.de.net.telefonica.de (62.53.11.125)                                 80%        7.2 ms   [AS6805] TDDE-ASN1, DE         
  5. dfn.bcix.de (193.178.185.42)                                                               20%       16.9 ms    IXP  BCIX (Berlin Commercial Internet Exchange)
  6. cr-han2-be7.x-win.dfn.de (188.1.144.137)                                                   80%       18.4 ms   (WIN-IP / IP networking on DFN's Wissenschaftsnetz "X-WiN")
  7. ???                                                                                       100%             *   (No reply)                        
  8. ???                                                                                       100%             *   (No reply)                        
  9. ???                                                                                       100%             *   (No reply)            
 10. 195.37.234.33                                                                              20%       19.6 ms   [AS680] DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., DE
 11. out (195.37.209.187)                                                                       80%       26.2 ms   [AS680] DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V., DE

Trace completed in 31 seconds on 2023-02-20 08:18:44 CET

╭─────────────────────────────────╮
│ AS path to www.mpim-bonn.mpg.de │
╰─────────────────────────────────╯

  6805   TDDE-ASN1 (Local AS)
 ╭╯
 ╰ IXP   BCIX (Berlin Commercial Internet Exchange)
 ╭╯
 ╰680    DFN Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.

nitefood commented 1 year ago

Would you mind sharing the output of:

whois 188.1.144.57 | grep -i -E "^netname:|^orgname:|^org-name:|^owner:|^descr:|^country:" | grep -i -E "^orgname:|^org-name:|^owner:" | cut -d ':' -f 2 | sed 's/^[ \t]*//' | while read -r line; do echo -n "$line / "; done | sed 's/ \/ $//'

and

host -t TXT "57.144.1.188.origin.asn.cymru.com" | awk -F'"' 'NR==1{print $2}' | sed 's/\ *|\ */|/g'

from the machine you ran the traces from?

I'm under the impression you're getting different whois / Team Cymru DNS lookup results than I am. For example in your first trace, when I run it locally I also pass through the hop cr-ham1-be8.x-win.dfn.de (188.1.144.57), but unlike your output (which appears to be a fallback whois lookup), my asn maps that correctly to AS680 (and that happens through a DNS lookup using Team Cymru).

Also (shooting in the dark here), but is that high packet loss percentage in your traces normal?

paulmenzel commented 1 year ago

$ whois 188.1.144.57 | grep -i -E "^netname:|^orgname:|^org-name:|^owner:|^descr:|^country:" | grep -i -E "^orgname:|^org-name:|^owner:" | cut -d ':' -f 2 | sed 's/^[ \t]*//' | while read -r line; do echo -n "$line / "; done | sed 's/ \/ $//'
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.

$ host -t TXT "57.144.1.188.origin.asn.cymru.com" | awk -F'"' 'NR==1{print $2}' | sed 's/\ *|\ */|/g'
680|188.1.0.0/16|DE|ripencc|1994-08-05
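The lookup nitefood describes above (a Team Cymru DNS TXT query on the reversed hop address, with whois only as a fallback) and the answer paulmenzel posted for 188.1.144.57 can be reconstructed offline. The block below is an added example, not code from the asn project: it builds the Cymru query name, parses the TXT answer into its five fields, classifies each traceroute hop, and collapses the hops into an AS path. The resolver is a constructed dictionary standing in for DNS; only the 188.1.144.57 record is the one from this thread, the AS6805 records are constructed with TEST-NET placeholder prefixes, and hops with no record model the case where Cymru returns nothing. Unlike the truncated paths in the reports above, an unresolved hop is kept as a visible "?" entry rather than silently ending the path. The origin6.asn.cymru.com zone for IPv6 and the IXP handling the tool does are assumptions not taken from this page.

```python
import ipaddress
from typing import Callable, Optional

CYMRU_V4_SUFFIX = "origin.asn.cymru.com"
CYMRU_V6_SUFFIX = "origin6.asn.cymru.com"  # assumption: Cymru's IPv6 origin zone


def cymru_origin_name(ip: str) -> str:
    """Build the Team Cymru IP-to-ASN query name: reversed octets (IPv4) or
    reversed nibbles (IPv6) under the origin zone, e.g.
    188.1.144.57 -> 57.144.1.188.origin.asn.cymru.com (the query from the thread)."""
    addr = ipaddress.ip_address(ip)
    rev = addr.reverse_pointer  # "57.144.1.188.in-addr.arpa" for IPv4
    if addr.version == 4:
        return rev.replace("in-addr.arpa", CYMRU_V4_SUFFIX)
    return rev.replace("ip6.arpa", CYMRU_V6_SUFFIX)


def parse_cymru_txt(txt: Optional[str]) -> Optional[dict]:
    """Parse one origin TXT answer ("ASN | prefix | CC | registry | allocated").
    Accepts both the raw spaced form and the pipe-only form the sed pipeline in
    the thread produces. Returns None for an empty answer, NXDOMAIN or a wrong
    field count: that means "fall back to whois", not "no AS"."""
    if not txt:
        return None
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) != 5 or not fields[0]:
        return None
    try:
        asns = [int(a) for a in fields[0].split()]  # multi-origin prefixes list several ASNs
    except ValueError:
        return None
    return {"asns": asns, "prefix": fields[1], "cc": fields[2],
            "registry": fields[3], "allocated": fields[4]}


def classify_hop(ip: Optional[str], resolve: Callable[[str], Optional[str]]) -> tuple:
    """Return (kind, value) for one hop: "noreply" for a "???" hop, "bogon" for
    private/reserved space (never in the DFZ, so never in the AS path), "as" with
    the origin ASN, or "unresolved" when Cymru gave nothing (whois fallback point)."""
    if ip is None:
        return ("noreply", None)
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_reserved or addr.is_loopback or addr.is_link_local:
        return ("bogon", "rfc1918 (Private Space)" if addr.is_private else "reserved")
    rec = parse_cymru_txt(resolve(cymru_origin_name(ip)))
    if rec is None:
        return ("unresolved", None)
    return ("as", rec["asns"][0])


def as_path(hops: list, resolve: Callable[[str], Optional[str]]) -> list:
    """Collapse hops into an AS path: consecutive hops in one AS become a single
    entry, no-reply and bogon hops are skipped, and an unresolved hop is kept as
    "?" so a lookup failure stays visible instead of truncating the path."""
    path = []
    for ip in hops:
        kind, value = classify_hop(ip, resolve)
        if kind in ("noreply", "bogon"):
            continue
        entry = value if kind == "as" else "?"
        if not path or path[-1] != entry:
            path.append(entry)
    return path


# Constructed stand-in for DNS. Only the 188.1.144.57 answer is the real one posted
# in this thread; the AS6805 entries are constructed (TEST-NET prefix, dummy date).
# The IXP hop 193.178.185.42 and the target 136.172.142.6 have no entry on purpose.
SAMPLE_TXT = {
    "57.144.1.188.origin.asn.cymru.com": "680|188.1.0.0/16|DE|ripencc|1994-08-05",
    "185.201.52.62.origin.asn.cymru.com": "6805 | 192.0.2.0/24 | DE | ripencc | 1970-01-01",
    "84.2.53.62.origin.asn.cymru.com": "6805 | 192.0.2.0/24 | DE | ripencc | 1970-01-01",
    "125.11.53.62.origin.asn.cymru.com": "6805 | 192.0.2.0/24 | DE | ripencc | 1970-01-01",
}

# Hop addresses from the www.mpimet.mpg.de trace in this thread; None is a "???" hop.
SAMPLE_HOPS = ["192.168.1.1", "62.52.201.185", "62.53.2.84", "62.53.11.125",
               "193.178.185.42", "188.1.144.57", None, None, None, "136.172.142.6"]

if __name__ == "__main__":
    for ip in SAMPLE_HOPS:
        print(ip, classify_hop(ip, SAMPLE_TXT.get))
    print("AS path:", as_path(SAMPLE_HOPS, SAMPLE_TXT.get))  # [6805, '?', 680, '?']
```

Swapping `SAMPLE_TXT.get` for a real resolver that queries the TXT record is the only change needed to run this against live data; keeping the "?" entries makes a Cymru outage or an unmapped prefix show up in the path itself, which is the diagnostic the thread is missing.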

paulmenzel commented 1 year ago

> Also (shooting in the dark here), but is that high packet loss percentage in your traces normal?

No idea where that comes from.

$ mtr -z -s 10 -r -c 10 bigbluebutton.molgen.mpg.de
Start: 2023-03-08T21:54:34+0100
HOST: ersatz                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. AS???    o2.box              90.0%    10    0.6   0.6   0.6   0.6   0.0
  2. AS6805   loopback1.0003.acln 90.0%    10    6.5   6.5   6.5   6.5   0.0
  3. AS6805   ae14-0.0002.dbrx.02 90.0%    10    6.7   6.7   6.7   6.7   0.0
  4. AS6805   ae1-0.0002.prrx.02. 90.0%    10    6.4   6.4   6.4   6.4   0.0
  5. AS???    dfn.bcix.de         10.0%    10   17.0  17.3  17.0  17.6   0.2
  6. AS???    ???                 100.0    10    0.0   0.0   0.0   0.0   0.0
  7. AS???    ???                 100.0    10    0.0   0.0   0.0   0.0   0.0
  8. AS???    ???                 100.0    10    0.0   0.0   0.0   0.0   0.0
  9. AS???    ???                 100.0    10    0.0   0.0   0.0   0.0   0.0
 10. AS680    bigbluebutton.molge 10.0%    10   17.5  17.5  17.1  18.1   0.3

There is no packet loss with ping.

$ ping -c10 o2.box
PING o2.box(_gateway (fe80::1%eno1)) 56 data bytes
64 bytes from _gateway (fe80::1%eno1): icmp_seq=1 ttl=64 time=0.615 ms
64 bytes from _gateway (fe80::1%eno1): icmp_seq=2 ttl=64 time=0.720 ms
64 bytes from _gateway (fe80::1%eno1): icmp_seq=3 ttl=64 time=0.673 ms
64 bytes from _gateway (fe80::1%eno1): icmp_seq=4 ttl=64 time=0.577 ms
64 bytes from _gateway (fe80::1%eno1): icmp_seq=5 ttl=64 time=0.589 ms
64 bytes from _gateway (fe80::1%eno1): icmp_seq=6 ttl=64 time=0.573 ms
64 bytes from _gateway (fe80::1%eno1): icmp_seq=7 ttl=64 time=0.550 ms
64 bytes from _gateway (fe80::1%eno1): icmp_seq=8 ttl=64 time=0.575 ms
64 bytes from _gateway (fe80::1%eno1): icmp_seq=9 ttl=64 time=0.680 ms
64 bytes from fe80::1%eno1: icmp_seq=10 ttl=64 time=0.603 ms

--- o2.box ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 13499ms
rtt min/avg/max/mdev = 0.550/0.615/0.720/0.053 ms

nitefood commented 1 year ago

Hello @paulmenzel,

have there been any changes lately to your results? I still find this puzzling, because I cannot reproduce this behavior in any way on any of my test boxes.

Curious if it was just a temporary network hiccup (those latencies), or Cymru fault (the missing output), or the behavior is consistent.

Have a nice day!