Todd Underwood wrote:
i said that *this* hijacking took place in an insignificant corner of the internet. i mean this AS-map wise rather than geographically. this hijacking didn't even spread beyond one or two ASes, one of whom just happened to be a RIPE RIS peer.
Yet for someone monitoring from their own perspective, what matters to them is what their own AS is seeing. If a hijacking makes it to their AS, they want to be concerned.
real hijackings leak into dozens or hundreds or thousands of ASNs. they spread far and wide. that's why people carry them out, when they do. this one was stopped in its tracks in a very small portion of one corner of the AS graph.
Wasn't there a dns hijack not long ago that only had the scope of one ISP (who just happened to be extremely large and carried a bunch of cell phones)? Just because a hijack only covers a small portion of the net doesn't make it any less effective. This is why we push to get as many access controls as far out to the edge as possible. If it only effects the person who tries it, then it has no bearing.
as such, i don't count it as a hijacking or leak of any great significance and wouldn't want to alert anyone about it. that's why i recommend that prefix hijacking detection systems do thresholding of peers to prevent a single, rogue, unrepresentative peer from reporting a hijacking when none is really happening. others may have a different approach, but without thresholding prefix alert systems can be noisy and more trouble than they are worth.
Thresholds might be important, but different mileage, yada yada. Jack