North American Network Operators Group


Re: prefix hijack by ASN 8997

  • From: Larry Blunk
  • Date: Tue Sep 23 14:05:45 2008

Scott Weeks wrote:
------ [email protected] wrote: ----------
From: Marshall Eubanks <[email protected]>

So, do you think this was lots of little tests / hijacks / mistakes? Or did it just not propagate very far?
---------------------------------------------


According to Andree Toonk (and someone confirmed privately) ASN 8997 leaked a full table to ASN 3267 (who didn't filter!). The only upstream of ASN 3267 I saw in bgplay was ASN 174 (Cogent) who seems to have filtered, but I can't confirm. So I guess that the impact would've only been to the peers downstream of ASN 3267.

scott





---------------------------------------------
Andree Toonk <[email protected]>

Not a false positive, it actually was detected by the RIS box in Moscow (rrc13). Strange that it's not visible in RIS search website, but it's definitely in the raw data files.
Looking at that raw data from both routeviews and RIPE, it looks like they (AS8997) 'leaked' a full table, i.e.:
----------------------------------------------



I did some analysis of updates on routeviews. The only routeviews peer I saw leaking the routes was AS3277 (out of 42 peers). There were roughly 117,000 prefixes with origin AS8997 with the path going through AS3267 to AS3277. The initial announcements were seen at 09:29:32 UTC and updates with the correct path were seen starting at about 09:36:42 UTC (last ones seen at 09:43:42).

-Larry
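
The kind of per-peer summary described in the message above (how many prefixes showed the suspect origin behind a given transit AS, when they first appeared, and when other paths returned) can be sketched as follows. This is an added example, not code from the thread or its authors; it assumes the updates have been exported one per line in bgpdump's `-m` pipe-delimited form and are in time order, and the sample lines, timestamps and ASNs other than 8997, 3267 and 3277 are constructed.

```python
# Added example: summarize a suspected route leak per collector peer.
# Assumption: bgpdump "-m" lines (type|time|A/W|peer_ip|peer_as|prefix|as_path|...).
SUSPECT_ORIGIN = 8997  # origin AS named in the thread
VIA_AS = 3267          # AS the thread says passed the routes on unfiltered

# Constructed sample: documentation prefixes, made-up timestamps and extra ASNs.
SAMPLE = """\
BGP4MP|100|A|192.0.2.1|3277|198.51.100.0/24|3277 3267 8997|IGP|192.0.2.1|0|0||NAG||
BGP4MP|101|A|192.0.2.1|3277|203.0.113.0/24|3277 3267 8997 8997|IGP|192.0.2.1|0|0||NAG||
BGP4MP|102|A|192.0.2.9|64500|198.51.100.0/24|64500 64496|IGP|192.0.2.9|0|0||NAG||
BGP4MP|103|A|192.0.2.1|3277|192.0.2.0/24|3277 3267 64497|IGP|192.0.2.1|0|0||NAG||
BGP4MP|104|W|192.0.2.1|3277|192.0.2.0/24
BGP4MP|530|A|192.0.2.1|3277|198.51.100.0/24|3277 3267 64496|IGP|192.0.2.1|0|0||NAG||
BGP4MP|950|A|192.0.2.1|3277|203.0.113.0/24|3277 3267 64498|IGP|192.0.2.1|0|0||NAG||
""".splitlines()

def parse_announcement(line):
    """Return (time, peer_as, prefix, as_path) for an announcement, else None."""
    f = line.strip().split("|")
    if len(f) < 7 or f[0] != "BGP4MP" or f[2] != "A":
        return None  # withdrawals, state changes, malformed lines
    path = [int(t) for t in f[6].split() if t.isdigit()]  # skips AS_SET tokens
    return (int(f[1]), int(f[4]), f[5], path) if path else None

def summarize(lines, origin=SUSPECT_ORIGIN, via=VIA_AS):
    """Per collector peer: leaked prefix count, first leak, first/last repair."""
    peers = {}
    for line in lines:
        rec = parse_announcement(line)
        if rec is None:
            continue
        ts, peer_as, prefix, path = rec
        st = peers.setdefault(peer_as, {"leaked": set(), "first": None, "fixed": {}})
        if path[-1] == origin and via in path[:-1]:
            st["leaked"].add(prefix)
            st["first"] = ts if st["first"] is None else st["first"]
            st["fixed"].pop(prefix, None)   # leaked again after a repair
        elif prefix in st["leaked"] and prefix not in st["fixed"]:
            st["fixed"][prefix] = ts        # first update with a different path
    return {
        p: {"prefixes": len(s["leaked"]), "first_leak": s["first"],
            "first_fix": min(s["fixed"].values(), default=None),
            "last_fix": max(s["fixed"].values(), default=None),
            "unrepaired": len(s["leaked"]) - len(s["fixed"])}
        for p, s in peers.items() if s["leaked"]
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A non-zero `unrepaired` count for a peer means some prefixes never received a later announcement with a different path in the input window.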