Prefix hijacking, how to prevent and fix currently

Doug Madory dmadory at
Sun Aug 31 19:47:40 UTC 2014

Ah yes BusinessTorg (AS60937). I have also seen this one doing what you are describing. Not to MSFT or GOOG, but another major technology company that we peer with. In fact, it is going on right now but only visible if you receive routes directly from them. A while ago, I sent them a note describing what was happening and suggested they might want to stop accepting routes from that AS, but they still do. 

> Some seem to avoid BGP analysis by exposing their attack only to their target.
> We recently saw MSFT getting our customer's more specific announcement from
> 60937 originated ostensibly by 35886. No on else (~200 vantage points) was
> receiving this more specific.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the NANOG mailing list