prefix hijack by ASN 8997

Marshall Eubanks tme at multicasttech.com
Tue Sep 23 11:51:36 UTC 2008 

On Sep 22, 2008, at 9:06 PM, Scott Weeks wrote:

>
>
>
> I am hoping to confirm a short-duration prefix hijack of  
> 72.234.0.0/15 (and another of our prefixes) by ASN 8997 ("OJSC North- 
> West Telecom" in Russia) in using ASN 3267 (Russian Federal  
> University Network) to advertise our space to ASN 3277 (Regional  
> University and Scientific Network (RUSNet) of North-Western and  
> Saint-Petersburg Area of Russia).
>
> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay",  
> put in prefix 72.234.0.0/15 and select the dates:
>
> 22/9/2008  9:00:00   and   22/9/2008  15:00:00
>
> If so, am I understanding it correctly if I say ASN 3267 saw a  
> shorter path from ASN 8997, so refused the proper announcement from  
> ASN 36149 (me) it normally hears from ASN 174 (Cogent).

I cannot confirm that from the monitoring program at AS 16517 :

[tme at lennon mcast]$ grep 72.234.0.0 bgp.full.Sep_2*2008
bgp.full.Sep_21_00:07:00_EDT_2008:*> 72.234.0.0/15     
38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_21_06:07:00_EDT_2008:*> 72.234.0.0/15     
38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_21_12:07:00_EDT_2008:*> 72.234.0.0/15     
38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_21_18:07:00_EDT_2008:*> 72.234.0.0/15     
38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_22_00:07:00_EDT_2008:*> 72.234.0.0/15     
38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15     
38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_22_12:07:00_EDT_2008:*> 72.234.0.0/15     
38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_22_18:07:00_EDT_2008:*> 72.234.0.0/15     
38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_23_00:07:00_EDT_2008:*> 72.234.0.0/15     
38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_23_06:07:00_EDT_2008:*> 72.234.0.0/15     
38.101.161.116        3990             0 174 209 36149 ?

You didn't specify the time zone you are in, so I looked at +- 1 day  
around it. If the hijack lasted 6 hours, we
should have seen it.

Regards
Marshall


>
>
> If the above two are correct, would it be correct to say only the  
> downstream customers of ASN 3267 were affected?
>
> scott
>

More information about the NANOG mailing list