On (2014-08-31 14:04 -0400), Doug Madory wrote:

Hi,
FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.
Some seem to avoid BGP analysis by exposing their attack only to their target. We recently saw MSFT getting our customer's more specific announcement from 60937 originated ostensibly by 35886. No one else (~200 vantage points) was receiving this more specific. Companies who are likely targets for this, like MSFT and GOOG, might want to monitor DFZ and see if they are receiving prefixes no one else is receiving.

--
  ++ytti
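
The check suggested in the reply above, as an added example that is not part of the original message: compare the routes received on your own BGP sessions with the number of public vantage points carrying each prefix, and flag more-specifics that only you receive. The data, thresholds and function name are constructed for illustration (documentation prefixes, private-use ASNs).

```python
import ipaddress

# Constructed sample data, not taken from the thread.
# Local view: prefix -> AS path as received on our own BGP sessions.
LOCAL_RIB = {
    "198.51.100.0/24": [64500, 64510],
    "203.0.113.0/24": [64500, 64520],
    "203.0.113.128/25": [64499, 64520],  # more specific, absent from the global view
    "192.0.2.0/24": [64500, 64530],      # weakly propagated, but visible elsewhere
}
# Global view: prefix -> number of public vantage points carrying it.
VANTAGE_COUNTS = {
    "198.51.100.0/24": 198,
    "203.0.113.0/24": 201,
    "192.0.2.0/24": 3,
}


def find_targeted_more_specifics(local_rib, vantage_counts, min_seen=1, min_cover=50):
    """Return local routes carried by fewer than min_seen vantage points that
    are more specific than a prefix carried by at least min_cover of them."""
    covers = [ipaddress.ip_network(p)
              for p, n in vantage_counts.items() if n >= min_cover]
    findings = []
    for prefix, path in local_rib.items():
        if vantage_counts.get(prefix, 0) >= min_seen:
            continue  # others see this exact prefix too
        net = ipaddress.ip_network(prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        parents = [c for c in covers
                   if c.version == net.version and c != net and net.subnet_of(c)]
        if not parents:
            continue  # no globally visible covering route: different problem
        cover = max(parents, key=lambda c: c.prefixlen)  # longest covering prefix
        findings.append({
            "prefix": prefix,
            "covering": str(cover),
            "neighbor": path[0],   # AS we received the route from
            "origin": path[-1],    # claimed origin, may be forged
            "as_path": path,
        })
    return findings


if __name__ == "__main__":
    for f in find_targeted_more_specifics(LOCAL_RIB, VANTAGE_COUNTS):
        print("locally-only more specific:", f)
```

The claimed origin alone is not evidence either way, since the reply describes an announcement "originated ostensibly" by the legitimate AS; the neighbor AS and the absence from other vantage points are the useful signals.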