nanog mailing list archives

Re: prefix hijack by ASN 8997


From: Andree Toonk <andree+nanog () toonk nl>
Date: Tue, 23 Sep 2008 08:33:53 +0200

Hi,

.-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank Nussbacher wrote:

I too spotted this via PHAS for a large number of prefixes, but have not  
received alerts from IAR, Watchmy.Net nor does RIPE RIS show this hijack: 
http://www.ris.ripe.net/perl-risapp/risearch.html I would have expected  
with so many RRC boxes that RIPE RIS would have caught it.  I had thought 
it was a false positive from PHAS but now that you and others have seen 
it - I guess it is for real.

Not a false positive; it actually was detected by the RIS box in Moscow (rrc13). Strange that it's not visible in the RIS search website, but it's definitely in the raw data files.
Looking at that raw data from both routeviews and RIPE, it looks like they (AS8997) 'leaked' a full table, i.e.:
* 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895 3267 8997)  
* 250495 seen by routeviews (ASpath: 2895 3267 8997).
(results of quick query: where AS-path contained '3267 8997' update type = advertisement).

I'm using another prefix monitoring tool and within a few minutes it notified me of this hijack for some of our 
prefixes:
<>
====================
Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or Origin AS changed)
detected 1 updates for your prefix 128.189.0.0/16 AS271:
Update details: 2008-09-22 09:33 (UTC)
128.189.0.0/16
Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System),
Transit AS: AS3267 (RUNNET RUNNet)
ASpath: 2895 3267 8997
====================
Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or Origin AS changed)
detected 1 updates for your prefix 142.231.0.0/16 AS271:
Update details: 2008-09-22 09:34 (UTC)
142.231.0.0/16
Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System),
Transit AS: AS3267 (RUNNET RUNNet)
ASpath: 2895 3267 8997
====================
</>

Cheers,
 Andree
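
The origin check behind the "Code 11" alerts quoted above, as an added example that is not part of the original message and not the code of the monitoring tool it quotes. The pipe-delimited update layout, the function names and the sample lines are assumptions constructed for illustration; the prefixes and AS numbers are the ones in the alert.

```python
import ipaddress

# Expected origin AS per monitored prefix (values from the alert quoted in the post).
MONITORED = {
    ipaddress.ip_network("128.189.0.0/16"): 271,
    ipaddress.ip_network("142.231.0.0/16"): 271,
}

# Constructed sample updates, "time|type|prefix|as_path" (A = advertisement,
# W = withdrawal). The layout is an assumption, not the RIS/routeviews format.
SAMPLE_UPDATES = """\
2008-09-22 09:33|A|128.189.0.0/16|2895 3267 8997
2008-09-22 09:34|A|142.231.0.0/16|2895 3267 8997
2008-09-22 09:35|A|128.189.0.0/16|2895 6509 271 271
2008-09-22 09:36|A|128.189.4.0/24|2895 3267 8997
2008-09-22 09:37|W|142.231.0.0/16|
2008-09-22 09:38|A|192.0.2.0/24|2895 3267 8997
"""

def parse_path(as_path):
    """Return (origin, transit): right-most ASN and the nearest different ASN before it."""
    hops = as_path.split()
    # An AS_SET such as "{271,8997}" has no single origin; report it as None.
    origin = int(hops[-1]) if hops and hops[-1].isdigit() else None
    # Skip prepended copies of the origin when looking for the transit AS.
    transit = next((int(h) for h in reversed(hops[:-1])
                    if h.isdigit() and int(h) != origin), None)
    return origin, transit

def check_update(line):
    """Return an alert dict if an advertisement conflicts with MONITORED, else None."""
    ts, kind, prefix, as_path = line.split("|")
    if kind != "A":
        return None  # withdrawals cannot introduce a new origin
    net = ipaddress.ip_network(prefix)
    origin, transit = parse_path(as_path)
    for mon, expected in MONITORED.items():
        # subnet_of() is true for the same prefix and for any more specific one.
        if net.version == mon.version and net.subnet_of(mon) and origin != expected:
            what = "origin-changed" if net == mon else "more-specific"
            return {"time": ts, "type": what, "monitored": str(mon), "prefix": str(net),
                    "origin": origin, "transit": transit, "as_path": as_path}
    return None

def scan(text):
    alerts = (check_update(l) for l in text.splitlines() if l.strip())
    return [a for a in alerts if a]
```

Prefixes outside the monitored set are ignored, so a full-table leak like the one described produces alerts only for the prefixes the operator has registered.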

