nanog mailing list archives
Re: prefix hijack by ASN 8997
From: "Christian Koch" <christian () broknrobot com>
Date: Tue, 23 Sep 2008 02:50:48 -0400
Ahah, so my first theory was on the right track :)

Thanks for sharing the info...

Christian

On Tue, Sep 23, 2008 at 2:33 AM, Andree Toonk <andree+nanog () toonk nl> wrote:

> Hi,
>
> .-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank Nussbacher wrote:
>
> > I too spotted this via PHAS for a large number of prefixes, but have not received alerts from IAR, Watchmy.Net nor does RIPE RIS show this hijack:
> > http://www.ris.ripe.net/perl-risapp/risearch.html
> > I would have expected with so many RRC boxes that RIPE RIS would have caught it. I had thought it was a false positive from PHAS but now that you and others have seen it - I guess it is for real.
>
> Not a false positive, it actually was detected by the RIS box in Moscow (rrc13). Strange that it's not visible in RIS search website, but it's definitely in the raw data files.
>
> Looking at that raw data from both routeviews and RIPE, it looks like they (AS8997) 'leaked' a full table, i.e.:
>
> * 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895 3267 8997)
> * 250495 seen by routeviews (ASpath: 2895 3267 8997).
>
> (results of quick query: where AS-path contained '3267 8997' update type = advertisement).
>
> I'm using another prefix monitoring tool and within a few minutes it notified me of this hijack for some of our prefixes:
>
> <>
> ====================
> Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or Origin AS changed)
> detected 1 updates for your prefix 128.189.0.0/16 AS271:
> Update details: 2008-09-22 09:33 (UTC)
> 128.189.0.0/16
> Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System),
> Transit AS: AS3267 (RUNNET RUNNet)
> ASpath: 2895 3267 8997
> ====================
> Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or Origin AS changed)
> detected 1 updates for your prefix 142.231.0.0/16 AS271:
> Update details: 2008-09-22 09:34 (UTC)
> 142.231.0.0/16
> Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System),
> Transit AS: AS3267 (RUNNET RUNNet)
> ASpath: 2895 3267 8997
> ====================
> </>
>
> Cheers,
> Andree
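The origin check described by the quoted "Code 11" alert, as an added example that is not part of the thread or of the monitoring tool it mentions: it flags advertisements whose origin AS differs from the expected one for a monitored prefix or a more specific of it. The pipe-separated update format, `MONITORED`, `check_update`, `scan` and the sample updates are constructed for illustration; only the two prefixes, AS271 and the path 2895 3267 8997 come from the alert.

```python
import ipaddress

# Expected origin per monitored prefix (values taken from the quoted alert).
MONITORED = {
    ipaddress.ip_network("128.189.0.0/16"): 271,
    ipaddress.ip_network("142.231.0.0/16"): 271,
}

# Constructed sample updates: "timestamp|type|prefix|AS path"
# (A = advertisement, W = withdrawal). AS64500 is a documentation ASN.
SAMPLE_UPDATES = """\
2008-09-22 09:33|A|128.189.0.0/16|2895 3267 8997
2008-09-22 09:34|A|142.231.0.0/16|2895 3267 8997
2008-09-22 09:35|A|128.189.0.0/16|2895 64500 271
2008-09-22 09:36|A|128.189.64.0/18|2895 3267 8997
2008-09-22 09:37|W|142.231.0.0/16|
2008-09-22 09:38|A|192.0.2.0/24|2895 3267 8997
"""

def check_update(line):
    """Return an alert dict if an advertisement conflicts with MONITORED, else None."""
    ts, kind, prefix, path = line.split("|")
    if kind != "A" or not path.strip():
        return None  # withdrawals carry no origin to compare
    announced = ipaddress.ip_network(prefix)
    as_path = [int(asn) for asn in path.split()]
    origin = as_path[-1]  # rightmost AS in the path is the originator
    for covered, expected in MONITORED.items():
        # Match the monitored prefix itself or any more specific inside it.
        if announced.version != covered.version or not announced.subnet_of(covered):
            continue
        if origin == expected:
            return None
        return {
            "time": ts, "prefix": prefix, "monitored": str(covered),
            "origin": origin, "expected": expected,
            "transit": as_path[-2] if len(as_path) > 1 else None,
            "more_specific": announced.prefixlen > covered.prefixlen,
        }
    return None  # prefix is not one we monitor

def scan(text):
    return [a for a in map(check_update, text.splitlines()) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(alert)
```
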