Prefix hijacking, how to prevent and fix currently
saku at ytti.fi
Sun Aug 31 18:36:08 UTC 2014
On (2014-08-31 14:04 -0400), Doug Madory wrote:
> FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.
Some seem to avoid BGP analysis by exposing their attack only to their target.
We recently saw MSFT getting our customer's more specific announcement from
60937 originated ostensibly by 35886. No on else (~200 vantage points) was
receiving this more specific.
Companies who are likely target for this, like MSFT and GOOG, might want to
monitor DFZ and see if they are receiving prefixes no one else is receiving.
More information about the NANOG