Low-numbered ASes being hijacked? [Re: BGP Update Report]

Andree Toonk andree+nanog at toonk.nl
Sun Nov 30 19:57:19 UTC 2014


.-- My secret spy satellite informs me that at 2014-11-30 6:24 AM
Pierfrancesco Caci wrote:
>>>>>> "Simon" == Simon Leinen <simon.leinen at switch.ch> writes:
> 
>     Simon> Some suspicious paths I'm seeing right now:
> 
>     Simon>   133439 5
>     Simon>   197945 4
> 
> my bet is on someone using the syntax "prepend asnX timesY" on a router
> that instead wants "prepend asnX asnX...." 

I agree. When looking at distribution of ASns that appear to be
hijacking prefixes, the lower number ASns stand out. AS1,2,3,4,5 are
common. When looking closer, the next-hop AS is typically the 'expected'
AS, which would confirm the prepend theory.

185.78.114.0/24 was announced as ".* 47551 5" and  but now as ".*
47551". I guess they found out the 5x prepending didn't work as expected.

AS3 (MIT) seems to be particularly popular, probably by folks who
attempt to prepend 3 times. Here's a current example:

212.69.8.0/23       [BGP/170] 6d 05:45:32, MED 22007, localpref 100
                      AS path: 3356 15958 52116 3 I

This is a prefix in Serbia, routes to Serbia and doesn't seem to be
related to MIT (AS3) at all.

Another example: AS35819, Etihad Etisalat was originating some of its
prefixes as AS1 earlier this week as well.
https://twitter.com/bgpmon/status/537062576002064385

Just a few examples.

Cheers,
 Andree





More information about the NANOG mailing list