prefix hijack by ASN 8997

Christian Koch christian at broknrobot.com
Tue Sep 23 01:50:48 CDT 2008


Ahah, so my first theory was on the right track :)

Thanks for sharing the info...

Christian



On Tue, Sep 23, 2008 at 2:33 AM, Andree Toonk <andree+nanog at toonk.nl> wrote:
> Hi,
>
> .-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank Nussbacher wrote:
>
>> I too spotted this via PHAS for a large number of prefixes, but have not
>> received alerts from IAR, Watchmy.Net nor does RIPE RIS show this hijack:
>> http://www.ris.ripe.net/perl-risapp/risearch.html I would have expected
>> with so many RRC boxes that RIPE RIS would have caught it.  I had thought
>> it was a false positive from PHAS but now that you and others have seen
>> it - I guess it is for real.
>
> Not a false positive, It actually was detected by the RIS box in Moscow (rrc13). Strange that it's not visible in RIS search website, but it's definitely in the raw data files.
> Looking at that raw data from both routeviews and Ripe, it looks like they (AS8997) 'leaked' a  full table,  i.e. :
> * 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895 3267 8997)
> * 250495 seen by routeviews (ASpath: 2895 3267 8997).
> (results of quick query: where AS-path contained '3267 8997' update type = advertisement).
>
> I'm using another prefix monitoring tool and within a few minutes it notified me of this hijack for some of our prefixes:
> <>
> ====================
> Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or Origin AS changed)
> detected 1 updates for your prefix 128.189.0.0/16 AS271:
> Update details: 2008-09-22 09:33 (UTC)
> 128.189.0.0/16
> Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System),
> Transit AS: AS3267 (RUNNET RUNNet)
> ASpath: 2895 3267 8997
> ====================
> Prefix Hijack ( Code 11: Origin AS and Prefix changed (more specific) Or Origin AS changed)
> detected 1 updates for your prefix 142.231.0.0/16 AS271:
> Update details: 2008-09-22 09:34 (UTC)
> 142.231.0.0/16
> Announced by: AS8997 (ASN-SPBNIT OJSC North-West Telecom Autonomous System),
> Transit AS: AS3267 (RUNNET RUNNet)
> ASpath: 2895 3267 8997
> ====================
> </>
>
> Cheers,
>  Andree
>
>




More information about the NANOG mailing list