On Wed, Nov 20, 2013 at 01:54:00PM -0500, Christopher Morrow <morrowc.lists@gmail.com> wrote a message of 11 lines which said:
someone has already parsed out all route announcements from ris/routeviews for the 2 specific incidents in question in the article? and posted the contents somewhere for review? I didn't see Renesys do that :(
Indeed. But the data is public. Let's use RouteViews. Renesys gave us the exact time (0736 UTC) and the origin AS. From the time, let's find the relevant RouteViews file, whose URL is made of date and time: ftp://archive.routeviews.org/route-views.linx/bgpdata/2013.07/UPDATES/updates.20130731.0730.bz2 Download, bunzip2, bgpdump to translate the MRT to text, then Control-S in emacs to find announces by AS 48685. And here it is: TIME: 07/31/13 07:36:46 TYPE: BGP4MP/MESSAGE/Update FROM: 195.66.236.35 AS6067 TO: 195.66.237.222 AS6447 ORIGIN: IGP ASPATH: 6067 6677 48685 NEXT_HOP: 195.66.236.35 ANNOUNCE 64.81.96.0/24 64.81.97.0/24 64.81.101.0/24 64.81.103.0/24 64.81.110.0/24 64.81.112.0/24 64.81.113.0/24 64.81.115.0/24 64.81.116.0/24 64.81.122.0/24 64.81.125.0/24 64.81.127.0/24 64.81.161.0/24 64.81.162.0/24 64.81.163.0/24 64.81.164.0/24 64.81.166.0/24 64.81.167.0/24 64.81.169.0/24 64.81.170.0/24 64.81.171.0/24 64.81.172.0/24 64.81.177.0/24 64.81.192.0/19 64.81.199.0/24 64.81.203.0/24 64.81.204.0/24 64.81.205.0/24 64.81.208.0/24 64.81.209.0/24 64.81.212.0/24 64.81.214.0/24 64.105.6.0/23 64.105.14.0/23 64.105.20.0/23 64.105.24.0/21 64.105.32.0/21 64.105.52.0/23 64.105.54.0/23 64.105.56.0/23 64.105.58.0/23 64.105.60.0/23 64.105.62.0/23 64.105.66.0/23 64.105.70.0/23 64.105.72.0/21 64.105.82.0/23 64.105.88.0/21 64.105.114.0/23 64.105.128.0/21 64.105.144.0/21 64.105.160.0/23 64.105.162.0/23 64.105.176.0/23 64.105.180.0/22 64.105.192.0/23 64.105.194.0/23 64.105.202.0/23 64.105.210.0/23 64.105.212.0/23 64.105.218.0/23 64.105.220.0/23 64.105.226.0/23 64.105.230.0/23 64.105.240.0/23 64.105.242.0/23 64.105.244.0/22 64.105.252.0/23 66.92.20.0/24 66.92.22.0/24 66.92.46.0/24 66.92.52.0/22 66.92.64.0/19 66.92.99.0/24 66.92.100.0/24 66.92.106.0/24 66.92.144.0/24 66.92.145.0/24 66.92.147.0/24 66.92.149.0/24 66.92.152.0/24 66.92.159.0/24 66.92.160.0/24 66.92.161.0/24 66.92.162.0/24 66.92.176.0/23 66.92.213.0/24 66.92.215.0/24 66.92.224.0/20 66.92.240.0/23 66.92.241.0/24 66.93.24.0/24 66.93.25.0/24 66.93.38.0/24 66.93.39.0/24 66.93.40.0/24 66.93.49.0/24 66.93.56.0/24 66.93.59.0/24 66.93.62.0/24 66.93.74.0/24 66.93.81.0/24 66.93.82.0/24 66.93.83.0/24 66.93.84.0/23 66.93.88.0/22 66.93.99.0/24 66.93.100.0/24 66.93.103.0/24 66.93.106.0/24 66.93.107.0/24 66.93.115.0/24 66.93.168.0/23 66.93.174.0/24 66.93.176.0/23 66.93.214.0/24 66.93.216.0/24 66.93.216.0/21 66.93.224.0/24 66.93.224.0/22 66.93.228.0/24 66.93.232.0/22 66.93.240.0/24 66.93.241.0/24 66.93.242.0/24 66.93.243.0/24 66.93.244.0/24 66.93.246.0/24 66.93.248.0/24 66.93.251.0/24 66.93.252.0/23 66.134.2.0/23 66.134.18.0/23 66.134.36.0/23 66.134.38.0/23 66.134.40.0/21 66.134.48.0/21 66.134.58.0/23 66.134.60.0/23 66.134.64.0/21 66.134.76.0/23 66.134.78.0/23 66.134.98.0/23 66.134.106.0/23 66.134.116.0/23 66.134.118.0/23 66.134.136.0/21 66.134.150.0/23 66.134.152.0/21 66.134.168.0/21 66.134.176.0/23 66.134.178.0/23 66.134.182.0/23 66.134.184.0/21 66.134.208.0/21 66.134.216.0/23 66.134.220.0/23 66.134.224.0/21 66.134.232.0/21 66.134.240.0/21 66.166.10.0/23 66.166.46.0/23 66.166.64.0/21 66.166.94.0/23 66.166.112.0/23 66.166.114.0/23 66.166.136.0/23 66.166.138.0/23 66.166.144.0/21 66.166.160.0/23 66.166.162.0/23 66.166.176.0/23 66.166.180.0/23 66.166.184.0/23 66.166.200.0/21 66.166.216.0/21 66.166.244.0/23 66.166.246.0/23 66.166.248.0/23 66.166.254.0/23 66.167.0.0/21 66.167.10.0/23 66.167.26.0/23 66.167.32.0/21 66.167.50.0/23 66.167.60.0/23 66.167.62.0/23 66.167.64.0/21 66.167.72.0/21 66.167.80.0/21 66.167.96.0/21 66.167.104.0/21 66.167.118.0/23 66.167.136.0/22 66.167.152.0/21 66.167.170.0/23 66.167.176.0/21 66.167.196.0/23 66.167.208.0/23 66.167.216.0/21 66.167.224.0/21 66.167.252.0/23 66.167.254.0/23 66.253.10.0/24 66.253.20.0/24 66.253.21.0/24 66.253.22.0/24 66.253.28.0/22 66.253.40.0/22 66.253.44.0/24 66.253.45.0/24 66.253.46.0/24 66.253.47.0/24 66.253.52.0/22 66.253.56.0/24 66.253.81.0/24 66.253.82.0/24 66.253.83.0/24 66.253.84.0/24 66.253.92.0/24 66.253.93.0/24 66.253.118.0/24 67.100.0.0/23 67.100.4.0/23 67.100.48.0/21 67.100.56.0/21 67.100.72.0/21 67.100.80.0/21 67.100.96.0/21 67.100.104.0/21 67.100.112.0/21 67.100.124.0/22 67.100.128.0/23 67.100.136.0/23 67.100.138.0/23 67.100.144.0/21 67.100.168.0/21 67.100.184.0/21 67.100.192.0/21 67.100.220.0/23 67.101.14.0/23 67.101.16.0/21 67.101.72.0/21 67.101.92.0/23 67.101.94.0/23 67.101.124.0/22 67.101.128.0/21 67.101.140.0/23 67.101.142.0/23 67.101.152.0/21 67.101.176.0/21 67.101.192.0/21 67.101.200.0/21 67.101.224.0/23 67.101.230.0/23 67.101.240.0/21 67.101.248.0/21 67.102.0.0/21 67.102.8.0/23 67.102.32.0/21 67.102.40.0/21 67.102.48.0/21 67.102.60.0/23 67.102.96.0/21 67.102.112.0/21 67.102.120.0/23 67.102.124.0/23 67.102.144.0/21 67.102.152.0/21 67.102.166.0/23 67.102.168.0/21 67.102.176.0/21 67.102.200.0/21 67.102.234.0/23 67.102.240.0/21 67.102.248.0/21 67.103.0.0/21 67.103.8.0/21 67.103.24.0/21 67.103.64.0/21 67.103.102.0/23 67.103.110.0/23 67.103.112.0/21 67.103.160.0/23 67.103.162.0/23 67.103.192.0/21 67.103.200.0/23 67.103.202.0/23 67.103.226.0/23 67.103.250.0/23 67.103.252.0/23 67.103.254.0/23 68.164.24.0/21 68.164.32.0/21 68.164.44.0/23 68.164.78.0/23 68.164.80.0/20 68.164.96.0/21 68.164.126.0/23 68.164.160.0/21 68.164.192.0/21 68.164.208.0/23 These addresses have no relationship with Iceland so we can say it's a hijacking. But do note there is no AS prepending in the announce (the trick described by Kapela & PIlosov to create a clean return path). Finding the other announces in RouteViews is left as an exercice (hint: use a RouteViews collector close from the announce, here in England, because the hijacking announce did not propagate everywhere).