Tracking spoofed routes?

Nick Feamster feamster at
Sun Jan 9 20:39:49 UTC 2005

You can also see:

which has a searchable archive back to 2001 for several feeds.  We're
always interested in getting more feeds from folks to make this
searchable archive more comprehensive.


On Wed, Jan 05, 2005 at 07:06:17AM -0800, David Meyer wrote:
> 	Kevin,
> >> I am seeking avenues to investigate a possible case of IP address spoofing.
> >> 
> >> I've recently received complaints which suggest that in the recent
> >> past (but not right now), somebody may have announced a more specific
> >> prefix, effectively hijacking "unused" address space within our
> >> allocated range.
> >> 
> >> As it happens, the address space is not unused, just not visible on
> >> the public Internet.
> >> 
> >> 
> >> I am aware of route reflectors and other options to manually review
> >> what prefixes are currently announced, but have not been able to find
> >> a *searchable* archive of historical data, either overall BGP tables
> >> or just "unusual" announcements.  The closest thing I've found so far
> >> is Route Views (, however there is no
> >> obvious way to search the (huge) archived data files for substring
> >> matches?
> 	We're involved in trying to build database front ends for
> 	the data so you can do just this sort of thing. But right
> 	now, we're a little stuck. One thing you might try is
> 	using BGPlay to watch what happens to your prefix.
> >> Alternately, are there any existing mechanisms for monitoring route
> >> announcements which can provide near real-time alerting when any
> >> prefixes within specific subnet ranges are announced?
> 	Not that I know of. You can log into
> and use the CLI to watch it,
> 	but that is a manual process.
> 	Hope this helps,
> 	Dave
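
The search asked about in the quoted question (announcements that fall inside an allocated range, seen in archived updates), as an added example that is not part of the original thread or of any Route Views tooling. It assumes the archive files have already been converted to one pipe-delimited record per line, in the layout bgpdump's `-m` option is assumed to emit; the function names, sample records, prefixes and AS numbers are constructed for illustration.

```python
import ipaddress

# Constructed sample records (documentation prefixes, reserved ASNs), in the
# assumed layout: type|unix_time|A/W|peer_ip|peer_as|prefix|as_path|origin|...
SAMPLE = """\
BGP4MP|1104937577|A|192.0.2.1|64496|198.51.100.128/25|64496 64499 64511|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1104937580|A|192.0.2.1|64496|198.51.100.0/24|64496 64500|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1104937600|A|192.0.2.9|64497|203.0.113.0/24|64497 64510|IGP|192.0.2.9|0|0||NAG||
BGP4MP|1104937900|W|192.0.2.1|64496|198.51.100.128/25
BGP4MP|1104938000|A|192.0.2.9|64497|2001:db8::/32|64497 64510|IGP|2001:db8::1|0|0||NAG||
not a bgp record
"""

def origin_as(as_path):
    """Last element of the AS path; an AS set such as {64500,64501} is kept as text."""
    hops = as_path.split()
    return hops[-1] if hops else None

def find_suspect_announcements(lines, monitored, expected_origins=()):
    """Return announcements inside `monitored` whose origin AS is not expected."""
    nets = [ipaddress.ip_network(m) for m in monitored]
    expected = {str(a) for a in expected_origins}
    hits = []
    for line in lines:
        f = line.strip().split("|")
        # Keep announcements (A) and table-dump entries (B); skip withdrawals and junk.
        if len(f) < 7 or f[2] not in ("A", "B"):
            continue
        try:
            when = int(f[1])
            prefix = ipaddress.ip_network(f[5], strict=False)
        except ValueError:
            continue
        origin = origin_as(f[6])
        for net in nets:
            # subnet_of() raises TypeError across address families, so check first.
            if prefix.version != net.version or not prefix.subnet_of(net):
                continue
            if origin in expected:
                continue
            hits.append({"time": when, "peer_as": f[4], "prefix": str(prefix),
                         "covering": str(net), "origin_as": origin, "as_path": f[6],
                         "more_specific": prefix.prefixlen > net.prefixlen})
    return hits

if __name__ == "__main__":
    for h in find_suspect_announcements(SAMPLE.splitlines(), ["198.51.100.0/24"], [64500]):
        print(h)
```

Passing an empty `expected_origins` reports every announcement inside the range, which fits address space that should not appear on the public Internet at all.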
