North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: prefix hijack by ASN 8997
Ahah, so my first theory was on the right track :) Thanks for sharing the info... Christian On Tue, Sep 23, 2008 at 2:33 AM, Andree Toonk <[email protected]> wrote: > Hi, > > .-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank Nussbacher wrote: > >> I too spotted this via PHAS for a large number of prefixes, but have not >> received alerts from IAR, Watchmy.Net nor does RIPE RIS show this hijack: >> http://www.ris.ripe.net/perl-risapp/risearch.html I would have expected >> with so many RRC boxes that RIPE RIS would have caught it. I had thought >> it was a false positive from PHAS but now that you and others have seen >> it - I guess it is for real. > > Not a false positive, It actually was detected by the RIS box in Moscow (rrc13). Strange that it's not visible in RIS search website, but it's definitely in the raw data files. > Looking at that raw data from both routeviews and Ripe, it looks like they (AS8997) 'leaked' a full table, i.e. : > * 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895 3267 8997) > * 250495 seen by routeviews (ASpath: 2895 3267 8997). > (results of quick query: where AS-path contained '3267 8997' update type = advertisement). > > I'm using another prefix monitoring tool and within a few minutes it notified me of this hijack for some of our prefixes: > <> > ==================== > Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or Origin AS changed) > detected 1 updates for your prefix 128.189.0.0/16 AS271: > Update details: 2008-09-22 09:33 (UTC) > 128.189.0.0/16 > Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System), > Transit AS: AS3267 (RUNNET RUNNet) > ASpath: 2895 3267 8997 > ==================== > Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or Origin AS changed) > detected 1 updates for your prefix 142.231.0.0/16 AS271: > Update details: 2008-09-22 09:34 (UTC) > 142.231.0.0/16 > Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System), > Transit AS: AS3267 (RUNNET RUNNet) > ASpath: 2895 3267 8997 > ==================== > </> > > Cheers, > Andree > >
|