Looking up some of my prefixes in PHAS and BGPlay, I too see my prefixes being advertised by 8997 for a short time. It looks like it happened around 1222091563 according to PHAS.
Was this a mistake or something else?
Justin
Christian Koch wrote:
I received a PHAS notification about this today as well...
I couldn't find any relevant data confirming the announcement of one of my /19 blocks, until a few minutes ago when I checked the Route Views BGPlay (RIPE BGPlay turns up nothing) and can now see 8997 announcing and quickly withdrawing my prefix.
On Mon, Sep 22, 2008 at 9:06 PM, Scott Weeks <surfer@mauigateway.com> wrote:
I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia) in using ASN 3267 (Russian Federal University Network) to advertise our space to ASN 3277 (Regional University and Scientific Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).
Agree on #2 as well. You can bet they're also reading NANOG right now to see who and how it was detected. Oh, well, on with the fight.
Chuck
-----Original Message-----
From: Christian Koch [mailto:christian@broknrobot.com]
Sent: Tuesday, September 23, 2008 12:58 AM
To: Justin Shore; surfer@mauigateway.com; nanog@merit.edu
Subject: Re: prefix hijack by ASN 8997
At first glance this morning, not seeing any data between the gain and lost alerts from PHAS and inability to find a route in any of the many collectors and route servers out there, I had thought it was possibly a fat-finger mistake by 8997 or a false positive.
After locating the data in bgplay/rviews, and noticing how many more people this occurred to, I'm leaning towards 2 possible scenarios:
1 - bgp misconfigurations leading to leaks (Depends on the overall scale of how many other prefixes were possibly announced)
2 - 8997 began announcing prefixes as an experiment to "test the waters" for potential real hijacks in future...
'geography' hints towards #2
Or both theories could be way off :)
I'd be interested to know if Renesys collected any data that might give some better insight to this...
Christian
On 9/23/08, Justin Shore <justin@justinshore.com> wrote:
Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put in prefix 72.234.0.0/15 and select the dates:
22/9/2008 9:00:00 and 22/9/2008 15:00:00
If so, am I understanding it correctly if I say ASN 3267 saw a shorter path from ASN 8997, so refused the proper announcement from ASN 36149 (me) it normally hears from ASN 174 (Cogent)?
If the above two are correct, would it be correct to say only the downstream customers of ASN 3267 were affected?
scott
-- Sent from my mobile device