[renesys] The New Threat: Targeted Internet Traffic Misdirection

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Nov 26 21:09:24 UTC 2013

On Wed, Nov 20, 2013 at 01:54:00PM -0500,
 Christopher Morrow <morrowc.lists at gmail.com> wrote 
 a message of 11 lines which said:

> someone has already parsed out all route announcements from
> ris/routeviews for the 2 specific incidents in question in the
> article? and posted the contents somewhere for review? I didn't see
> Renesys do that :(

Indeed. But the data is public. Let's use RouteViews. Renesys gave us
the exact time (0736 UTC) and the origin AS. From the time, let's find
the relevant RouteViews file, whose URL is made of date and time:


Download, bunzip2, bgpdump to translate the MRT to text, then
Control-S in emacs to find announces by AS 48685. And here it is:

TIME: 07/31/13 07:36:46
FROM: AS6067
TO: AS6447
ASPATH: 6067 6677 48685

These addresses have no relationship with Iceland so we can say it's a
hijacking. But do note there is no AS prepending in the announce (the
trick described by Kapela & Pilosov to create a clean return path).

Finding the other announces in RouteViews is left as an exercise
(hint: use a RouteViews collector close to the announce, here in
England, because the hijacking announce did not propagate everywhere).
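
Added example, not part of the original message: a Python sketch of the manual search step above, filtering bgpdump's default multi-line text output for announcements originated by a given AS and flagging whether the path contains consecutive repeated ASNs (prepending). The function names and the sample input are assumptions; only the TIME and ASPATH of the first sample record come from the message, and the prefixes and peer addresses are documentation values.

```python
import re

# Constructed sample in bgpdump's multi-line text format. Record 1 reuses the
# TIME and ASPATH quoted in the message; peer addresses, prefixes (RFC 5737)
# and records 2-3 (RFC 5398 documentation ASNs) are made up for illustration.
SAMPLE = """\
TIME: 07/31/13 07:36:46
FROM: 198.51.100.1 AS6067
TO: 198.51.100.2 AS6447
ASPATH: 6067 6677 48685
ANNOUNCE
  192.0.2.0/24
  203.0.113.0/24

TIME: 07/31/13 07:36:50
FROM: 198.51.100.1 AS6067
ASPATH: 6067 64496 64501 64501
ANNOUNCE
  198.51.100.0/24

TIME: 07/31/13 07:37:02
WITHDRAW
  192.0.2.0/24
"""

def parse_records(text):
    """Yield one dict per record; bgpdump separates records with a blank line."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, section = {"time": None, "aspath": [], "announce": []}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t"):          # indented prefix line
                if section == "ANNOUNCE":       # ignore withdrawn prefixes
                    rec["announce"].append(line.strip())
            elif line.strip() in ("ANNOUNCE", "WITHDRAW"):
                section = line.strip()
            elif line.startswith("TIME:"):
                rec["time"] = line[5:].strip()
            elif line.startswith("ASPATH:"):
                rec["aspath"] = line[7:].split()
        yield rec

def announcements_by_origin(text, origin_as):
    """Return (time, path, prefixes, prepended) for updates originated by origin_as."""
    hits = []
    for rec in parse_records(text):
        path = rec["aspath"]
        # Origin AS is the last path element; an AS_SET ("{...}") never matches.
        if rec["announce"] and path and path[-1] == str(origin_as):
            prepended = any(a == b for a, b in zip(path, path[1:]))
            hits.append((rec["time"], path, rec["announce"], prepended))
    return hits
```

To run it on real data, pass the text that bgpdump prints for the downloaded MRT file in place of `SAMPLE`.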

