prefix hijack by ASN 8997

Larry Blunk ljb at merit.edu
Tue Sep 23 18:05:26 UTC 2008


Scott Weeks wrote:
> ------ tme at multicasttech.com wrote: ----------
> From: Marshall Eubanks <tme at multicasttech.com>
>
> So, do you think this was lots of little tests / hijacks / mistakes?
> Or did it just not propagate very far?
> ---------------------------------------------
>
> According to Andree Toonk (and someone confirmed privately) ASN 8997 leaked a full table to ASN 3267 (who didn't filter!).  The only upstream of ASN 3267 I saw in bgplay was ASN 174 (Cogent) who seems to have filtered, but I can't confirm.  So I guess that the impact would've only been to the peers downstream of ASN 3267.
>
> scott
>
> ---------------------------------------------
> Andree Toonk <andree+nanog at toonk.nl>
>
> Not a false positive, it actually was detected by the RIS box in Moscow
> (rrc13). Strange that it's not visible in RIS search website, but it's
> definitely in the raw data files.
> Looking at that raw data from both routeviews and Ripe, it looks like
> they (AS8997) 'leaked' a full table, i.e.:
> ----------------------------------------------
>
>   

I did some analysis of updates on routeviews.
The only routeviews peer I saw leaking the routes
was AS3277 (out of 42 peers). There were roughly
117,000 prefixes with origin AS8997 with the path
going through AS3267 to AS3277. The initial
announcements were seen at 09:29:32 UTC and
updates with the correct path were seen starting
at about 09:36:42 UTC (last ones seen at 09:43:42).

 -Larry
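
A count like the one in this message can be reproduced from archived update files. The following is an added example, not part of the original post and not the tooling its author used: it assumes the updates were converted to one-line text with `bgpdump -m`, and the sample lines, peer addresses, prefixes and timestamps are constructed.

```python
# Constructed sample in `bgpdump -m` layout:
# BGP4MP|time|A or W|peer IP|peer AS|prefix|AS path|origin|...
SAMPLE = """\
BGP4MP|1200000000|A|203.0.113.1|3277|192.0.2.0/24|3277 3267 8997|IGP|203.0.113.1|0|0||NAG||
BGP4MP|1200000005|A|203.0.113.1|3277|198.51.100.0/24|3277 3267 3267 8997 8997|IGP|203.0.113.1|0|0||NAG||
BGP4MP|1200000005|A|203.0.113.9|64496|192.0.2.0/24|64496 64500 64511|IGP|203.0.113.9|0|0||NAG||
BGP4MP|1200000006|A|203.0.113.1|3277|203.0.113.0/24|3277 3267 64500 {64501,64502}|IGP|203.0.113.1|0|0||NAG||
BGP4MP|1200000100|W|203.0.113.1|3277|203.0.113.0/24
BGP4MP|1200000430|A|203.0.113.1|3277|192.0.2.0/24|3277 64500 64511|IGP|203.0.113.1|0|0||NAG||
"""

def collapse(path_field):
    """Split an AS path, dropping prepends; AS sets like {1,2} stay strings."""
    hops = []
    for tok in path_field.split():
        hop = int(tok) if tok.isdigit() else tok
        if not hops or hops[-1] != hop:
            hops.append(hop)
    return hops

def analyze(lines, origin=8997, via=(3277, 3267)):
    """Summarise announcements whose path ends in `origin` and crosses `via`."""
    leak_times, fix_times, leaked = [], [], set()
    for line in lines:   # assumed to be in time order
        f = line.strip().split("|")
        if len(f) < 7 or f[0] != "BGP4MP" or f[2] != "A":
            continue     # skip withdrawals and short or foreign records
        ts, peer_as, prefix, hops = int(f[1]), f[4], f[5], collapse(f[6])
        adjacent = any(tuple(hops[i:i + 2]) == via for i in range(len(hops) - 1))
        if hops and hops[-1] == origin and adjacent:
            leaked.add(prefix)
            leak_times.append(ts)
        elif prefix in leaked and peer_as == str(via[0]):
            fix_times.append(ts)   # same peer re-announces with another path
    return {
        "prefixes": sorted(leaked),
        "first_leak": min(leak_times, default=None),
        "last_leak": max(leak_times, default=None),
        "first_fix": min(fix_times, default=None),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE.splitlines()))
```

The `via` pair is matched as adjacent hops after prepends are collapsed, so a path that merely contains both ASNs somewhere is not counted.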






