Kevin,
> I am seeking avenues to investigate a possible case of IP address spoofing.
> I've recently received complaints which suggest that in the recent past (but not right now), somebody may have announced a more specific prefix, effectively hijacking "unused" address space within our allocated range.
> As it happens, the address space is not unused, just not visible on the public Internet.
> I am aware of route reflectors and other options to manually review what prefixes are currently announced, but have not been able to find a *searchable* archive of historical data, either overall BGP tables or just "unusual" announcements. The closest thing I've found so far is Route Views (http://www.routeviews.org/), however there is no obvious way to search the (huge) archived data files for substring matches?
We're involved in trying to build database front ends for the data so you can do just this sort of thing. But right now, we're a little stuck. One thing you might try is using BGPlay to watch what happens to your prefix.
> Alternately, are there any existing mechanisms for monitoring route announcements which can provide near real-time alerting when any prefixes within specific subnet ranges are announced?
Not that I know of. You can log into route-views.routeviews.org and use the CLI to watch it, but that is a manual process.
Hope this helps,
Dave
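One way to search archived updates for the situation described in this thread, as an added example that is not part of the original messages: it scans announcements inside a monitored allocation and flags more-specific prefixes or unexpected origin ASes. It assumes the Route Views MRT files have already been converted to the pipe-delimited one-line text format produced by `bgpdump -m`; the prefixes, AS numbers and sample lines are constructed from documentation ranges.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample in the assumed `bgpdump -m` layout:
# type|unix_ts|A/W/B|peer_ip|peer_as|prefix|as_path|origin|next_hop|...
SAMPLE = """\
BGP4MP|1262304000|A|192.0.2.1|64496|203.0.113.0/24|64496 64500|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1262307600|A|192.0.2.1|64496|203.0.113.128/25|64496 64511|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1262311200|W|192.0.2.1|64496|203.0.113.128/25
BGP4MP|1262311300|A|192.0.2.1|64496|198.51.100.0/24|64496 64510|IGP|192.0.2.1|0|0||NAG||
"""

def find_suspect_announcements(lines, monitored, expected_origins):
    """Return announcements that fall inside a monitored allocation and are
    either more specific than it or originated by an unexpected AS."""
    nets = [ipaddress.ip_network(m) for m in monitored]
    hits = []
    for line in lines:
        f = line.strip().split("|")
        # Keep announcements (A) and table-dump entries (B); skip withdrawals.
        if len(f) < 7 or f[2] not in ("A", "B"):
            continue
        try:
            prefix = ipaddress.ip_network(f[5], strict=False)
            seen = datetime.fromtimestamp(int(f[1]), tz=timezone.utc)
        except ValueError:
            continue  # malformed prefix or timestamp
        path = f[6].split()
        if not path:
            continue
        origin = path[-1]  # kept as text so an AS_SET such as {64500,64501} survives
        for net in nets:
            if prefix.version != net.version or not prefix.subnet_of(net):
                continue
            more_specific = prefix.prefixlen > net.prefixlen
            bad_origin = origin not in expected_origins
            if more_specific or bad_origin:
                hits.append({"time": seen.isoformat(), "peer_as": f[4],
                             "prefix": str(prefix), "as_path": f[6],
                             "origin": origin, "more_specific": more_specific,
                             "bad_origin": bad_origin})
    return hits

if __name__ == "__main__":
    for hit in find_suspect_announcements(
            SAMPLE.splitlines(), ["203.0.113.0/24"], {"64500"}):
        print(hit)
```

The same function can be fed a live stream of converted updates line by line, which gives the near real-time alerting asked about, at the cost of running the collector feed yourself.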