AS8300 - Swisscom hijacking.. Just what are you testing?

Wed Feb 1 21:44:07 UTC 2012

AS8300 started announcing one of the Rove Digital dns changer IP ranges. (The IP ranges the FBI is sending 'you are infected' letters about)  Swisscom's announcement is less specific than the prefixes being announced by ISC during the remediation effort, so it's not impacting traffic... But AS8300 seems to announce less specifics a lot.  Last fall they announced 63/8 and half of that is allocated to 701. AFAIK, we weren't notified they were going to announce a less specific of our space.  As long as folks have pullup routes, and don't have an outage that withdraws their announcements, then Swisscom should only be getting darknet traffic.  The record for AS8300 says 'Test' and the entry for it in CIDR report says "This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS."  .. But their announcements certainly do show up in the global routing table, whether they are transiting for someone or not, they could get traffic for anything that doesn't have a more specific.  Given the recent YAHT (yet another hijack thread) it's worth pointing out that hijacking more specifics is bad, but less specifics can be bad as well. (Not suggesting that is the case here..)  

I searched around and couldn't find any mention of what they might be testing.  Anyone know?  

route-views>sh ip bgp 85.255.112.0/20
BGP routing table entry for 85.255.112.0/20, version 2177063753
Paths: (11 available, no best path)
  Not advertised to any peer
  6079 3303 8300 (history entry)
    207.172.6.20 from 207.172.6.20 (207.172.6.20)
      Origin IGP, metric 85, localpref 100, external
      Dampinfo: penalty 495, flapped 2 times in 00:24:37
  3277 3267 174 3303 8300 (history entry)
    194.85.102.33 from 194.85.102.33 (194.85.4.4)
      Origin IGP, localpref 100, external
      Community: 3277:3267 3277:65321 3277:65323 3277:65330
      Dampinfo: penalty 501, flapped 2 times in 00:24:22
....

 --Heather