--- tme@multicasttech.com wrote: From: Marshall Eubanks <tme@multicasttech.com> : You didn't specify the time zone you are in, : so I looked at +- 1 day around it. If the : hijack lasted 6 hours, we should have seen it. My apologies, I just used the time zone the tool (bgplay.routeviews.org/bgplay) was using when I said: 22/9/2008 9:00:00 and 22/9/2008 15:00:00 I'm sure it was in GMT. Seeing the many responses, we now know something happened and it was only about 15 minutes in duration. bgplay shows the problem with the above data and I was just wondering if I was understanding the impact correctly:
If the above two are correct, would it be correct to say only the downstream customers of ASN 3267 were affected?
I was not following the rules properly: never attribute to malice that which can be explained by human error. I thought there might be some testing-of-the-water in preparation for future 'events' and I guess I was starting to be trigger happy after all the talk about the new BGP attack. scott --- tme@multicasttech.com wrote: From: Marshall Eubanks <tme@multicasttech.com> To: surfer@mauigateway.com Cc: <nanog@merit.edu> Subject: Re: prefix hijack by ASN 8997 Date: Tue, 23 Sep 2008 07:51:36 -0400 On Sep 22, 2008, at 9:06 PM, Scott Weeks wrote:
I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and another of our prefixes) by ASN 8997 ("OJSC North- West Telecom" in Russia) in using ASN 3267 (Russian Federal University Network) to advertise our space to ASN 3277 (Regional University and Scientific Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).
Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put in prefix 72.234.0.0/15 and select the dates:
22/9/2008 9:00:00 and 22/9/2008 15:00:00
If so, am I understanding it correctly if I say ASN 3267 saw a shorter path from ASN 8997, so refused the proper announcement from ASN 36149 (me) it normally hears from ASN 174 (Cogent).
I cannot confirm that from the monitoring program at AS 16517 : [tme@lennon mcast]$ grep 72.234.0.0 bgp.full.Sep_2*2008 bgp.full.Sep_21_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ? bgp.full.Sep_21_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ? bgp.full.Sep_21_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ? bgp.full.Sep_21_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ? bgp.full.Sep_22_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ? bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ? bgp.full.Sep_22_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ? bgp.full.Sep_22_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ? bgp.full.Sep_23_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ? bgp.full.Sep_23_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ? You didn't specify the time zone you are in, so I looked at +- 1 day around it. If the hijack lasted 6 hours, we should have seen it. Regards Marshall
If the above two are correct, would it be correct to say only the downstream customers of ASN 3267 were affected?
scott