31 Aug
2014
31 Aug
'14
3:47 p.m.
Ah yes BusinessTorg (AS60937). I have also seen this one doing what you are describing. Not to MSFT or GOOG, but another major technology company that we peer with. In fact, it is going on right now but only visible if you receive routes directly from them. A while ago, I sent them a note describing what was happening and suggested they might want to stop accepting routes from that AS, but they still do.
Some seem to avoid BGP analysis by exposing their attack only to their target. We recently saw MSFT getting our customer's more specific announcement from 60937 originated ostensibly by 35886. No on else (~200 vantage points) was receiving this more specific.