nanog mailing list archives
Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]
From: Andree Toonk <andree+nanog () toonk nl>
Date: Sun, 30 Nov 2014 11:57:19 -0800
.-- My secret spy satellite informs me that at 2014-11-30 6:24 AM Pierfrancesco Caci wrote:
"Simon" == Simon Leinen <simon.leinen () switch ch> writes:Simon> Some suspicious paths I'm seeing right now: Simon> 133439 5 Simon> 197945 4 my bet is on someone using the syntax "prepend asnX timesY" on a router that instead wants "prepend asnX asnX...."
I agree. When looking at distribution of ASns that appear to be hijacking prefixes, the lower number ASns stand out. AS1,2,3,4,5 are common. When looking closer, the next-hop AS is typically the 'expected' AS, which would confirm the prepend theory. 185.78.114.0/24 was announced as ".* 47551 5" and but now as ".* 47551". I guess they found out the 5x prepending didn't work as expected. AS3 (MIT) seems to be particularly popular, probably by folks who attempt to prepend 3 times. Here's a current example: 212.69.8.0/23 [BGP/170] 6d 05:45:32, MED 22007, localpref 100 AS path: 3356 15958 52116 3 I This is a prefix in Serbia, routes to Serbia and doesn't seem to be related to MIT (AS3) at all. Another example: AS35819, Etihad Etisalat was originating some of its prefixes as AS1 earlier this week as well. https://twitter.com/bgpmon/status/537062576002064385 Just a few examples. Cheers, Andree
Current thread:
- BGP Update Report, (continued)
- BGP Update Report cidr-report (Nov 21)
- BGP Update Report cidr-report (Nov 28)
- Low-numbered ASes being hijacked? [Re: BGP Update Report] Simon Leinen (Nov 30)
- Re: Low-numbered ASes being hijacked? [Re: BGP Update Report] Pierfrancesco Caci (Nov 30)
- Re: Low-numbered ASes being hijacked? [Re: BGP Update Report] Paul S. (Nov 30)
- Re: Low-numbered ASes being hijacked? [Re: BGP Update Report] Valdis . Kletnieks (Nov 30)
- Re: Low-numbered ASes being hijacked? [Re: BGP Update Report] Stephen Satchell (Nov 30)
- Re: Low-numbered ASes being hijacked? [Re: BGP Update Report] Joe Provo (Nov 30)
- Re: Low-numbered ASes being hijacked? [Re: BGP Update Report] Jay Ashworth (Nov 30)
- Re: Low-numbered ASes being hijacked? [Re: BGP Update Report] Jason Bothe (Nov 30)
- Low-numbered ASes being hijacked? [Re: BGP Update Report] Simon Leinen (Nov 30)
- Re: Low-numbered ASes being hijacked? [Re: BGP Update Report] Andree Toonk (Nov 30)