nanog mailing list archives

RE: prefix hijack by ASN 8997


From: "Church, Charles" <cchurc05 () harris com>
Date: Tue, 23 Sep 2008 08:00:44 -0500

Agree on #2 as well.  You can bet they're also reading Nanog right now
to see who and how it was detected.  Oh, well, on with the fight.


Chuck

-----Original Message-----
From: Christian Koch [mailto:christian () broknrobot com] 
Sent: Tuesday, September 23, 2008 12:58 AM
To: Justin Shore; surfer () mauigateway com; nanog () merit edu
Subject: Re: prefix hijack by ASN 8997


At first glance this morning, not seeing any data between the gain and
lost alerts from PHAS, and being unable to find a route in any of the many
collectors and route servers out there, I had thought it was possibly
a fat-finger mistake by 8997 or a false positive.

After locating the data in bgplay/rviews, and noticing how many more
people this occurred to, I'm leaning towards 2 possible scenarios:

1 - bgp misconfigurations leading to leaks
 (Depends on the overall scale of how many other prefixes were
possibly announced)

2 - 8997 began announcing prefixes as an experiment to "test the
waters" for potential real hijacks in future...

'geography' hints towards #2

Or both theories could be way off :)

I'd be interested to know if Renesys collected any data that might
give some better insight to this...

Christian



On 9/23/08, Justin Shore <justin () justinshore com> wrote:
Looking up some of my prefixes in PHAS and BGPPlay, I too see my
prefixes being advertised by 8997 for a short time.  It looks like it
happened around 1222091563 according to PHAS.

Was this a mistake or something else?

Justin


Christian Koch wrote:
I received a phas notification about this today as well...

I couldn't find any relevant data confirming the announcement of one
of my /19 blocks, until a few minutes ago when I checked the route
views bgplay (RIPE bgplay turns up nothing) and can now see 8997
announcing and quickly withdrawing my prefix.




On Mon, Sep 22, 2008 at 9:06 PM, Scott Weeks <surfer () mauigateway com> wrote:


I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15
(and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in
Russia), using ASN 3267 (Russian Federal University Network) to
advertise our space to ASN 3277 (Regional University and Scientific
Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).

Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay",
put in prefix 72.234.0.0/15 and select the dates:

22/9/2008  9:00:00   and   22/9/2008  15:00:00

If so, am I understanding it correctly if I say ASN 3267 saw a shorter
path from ASN 8997, so refused the proper announcement from ASN 36149
(me) it normally hears from ASN 174 (Cogent)?

If the above two are correct, would it be correct to say only the
downstream customers of ASN 3267 were affected?

scott





-- 
Sent from my mobile device
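The two questions Scott raises above (does a shorter AS path from 8997 displace the legitimate 174 -> 36149 route at 3267, and is only 3267's downstream affected?) and the PHAS-style origin check Justin and Christian relied on can be shown with a few lines of Python. This is an added example, not code from anyone on the thread or from PHAS/BGPlay; the update records are constructed sample data (only the prefix, the ASNs and the 1222091563 timestamp come from the thread), and the function names are my own.

```python
"""Origin-AS monitoring and path-length preference for the 72.234.0.0/15 incident.

All update records below are constructed for illustration; they are not collector output.
"""
from datetime import datetime, timezone

# Registered origin for the prefixes we operate (from the thread: AS 36149 originates 72.234.0.0/15).
EXPECTED_ORIGIN = {"72.234.0.0/15": 36149}

# Constructed observations: (unix timestamp, prefix, AS path as a collector peer would report it,
# first hop = the peer, last hop = the origin). Only the 1222091563 timestamp is from the thread.
SAMPLE_UPDATES = [
    (1222089000, "72.234.0.0/15", [3267, 174, 36149]),   # normal: AS 3267 reaches us via Cogent
    (1222091563, "72.234.0.0/15", [3267, 8997]),         # AS 8997 originates the same prefix
    (1222091563, "72.234.0.0/15", [3277, 3267, 8997]),   # AS 3267 passes the bogus route to AS 3277
    (1222092600, "72.234.0.0/15", [3267, 174, 36149]),   # after the withdrawal the proper route is back
]


def origin_as(as_path):
    """The last ASN in an AS path is the origin claiming to own the prefix."""
    return as_path[-1]


def to_utc(ts):
    """Render a PHAS-style epoch timestamp as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def detect_origin_changes(updates, expected=EXPECTED_ORIGIN):
    """Return (iso_time, prefix, observed_origin, path) for every update whose origin ASN
    differs from the registered one. This is the check an origin-change alert is built on;
    it says nothing about whether the announcement was a leak or deliberate."""
    alerts = []
    for ts, prefix, path in updates:
        want = expected.get(prefix)
        if want is not None and origin_as(path) != want:
            alerts.append((to_utc(ts), prefix, origin_as(path), list(path)))
    return alerts


def prefer_by_path_length(candidates):
    """Pick the shortest AS path among the routes one router holds for a prefix.

    Simplification (assumption, not a full BGP decision process): local preference, MED and
    the other tie-breakers are ignored, which is exactly the situation Scott describes if
    AS 3267 applied no policy favouring its Cogent-learned route."""
    return min(candidates, key=len)


def affected_ases(updates, hijacker):
    """ASNs that carried a path originated by the hijacker, i.e. those whose customers were
    steered to it. Only these (here 3267 and its customer 3277) saw the bogus route."""
    carried = set()
    for _, _, path in updates:
        if origin_as(path) == hijacker:
            carried.update(path[:-1])
    return sorted(carried)


def main():
    for when, prefix, origin, path in detect_origin_changes(SAMPLE_UPDATES):
        print(f"{when} origin change for {prefix}: AS{origin} via {path}")
    at_3267 = [[174, 36149], [8997]]          # routes AS 3267 holds for the prefix
    print("AS 3267 prefers:", prefer_by_path_length(at_3267))
    print("ASes that propagated the bogus route:", affected_ases(SAMPLE_UPDATES, 8997))


if __name__ == "__main__":
    main()
```

Run as-is it prints the two origin-change alerts (timestamped 2008-09-22T13:52:43+00:00, inside the 9:00 to 15:00 BGPlay window Scott selected), shows the two-hop path through 8997 winning over the three-hop path through Cogent, and lists 3267 and 3277 as the only ASes that carried the route. An RPKI origin validation check or a prefix filter on the 3267/8997 session would have rejected the 8997-originated route before path length was ever compared.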


