Low-numbered ASes being hijacked? [Re: BGP Update Report]
andree+nanog at toonk.nl
Sun Nov 30 19:57:19 UTC 2014
.-- My secret spy satellite informs me that at 2014-11-30 6:24 AM
Pierfrancesco Caci wrote:
>>>>>> "Simon" == Simon Leinen <simon.leinen at switch.ch> writes:
> Simon> Some suspicious paths I'm seeing right now:
> Simon> 133439 5
> Simon> 197945 4
> my bet is on someone using the syntax "prepend asnX timesY" on a router
> that instead wants "prepend asnX asnX...."
I agree. When looking at distribution of ASns that appear to be
hijacking prefixes, the lower number ASns stand out. AS1,2,3,4,5 are
common. When looking closer, the next-hop AS is typically the 'expected'
AS, which would confirm the prepend theory.
220.127.116.11/24 was announced as ".* 47551 5" but now as ".*
47551". I guess they found out the 5x prepending didn't work as expected.
AS3 (MIT) seems to be particularly popular, probably by folks who
attempt to prepend 3 times. Here's a current example:
18.104.22.168/23 [BGP/170] 6d 05:45:32, MED 22007, localpref 100
AS path: 3356 15958 52116 3 I
This is a prefix in Serbia, routes to Serbia and doesn't seem to be
related to MIT (AS3) at all.
Another example: AS35819, Etihad Etisalat was originating some of its
prefixes as AS1 earlier this week as well.
Just a few examples.
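
The heuristic discussed in this message (a low-numbered origin AS whose next-hop AS is the expected origin points to a prepend-count typo rather than a hijack), sketched as an added example that is not part of the original post. The function names, the threshold, the expected-origin values and the upstream ASNs in the sample paths are assumptions made for illustration.

```python
# Added example: triage an unexpected origin AS as "prepend typo" vs. "mismatch".
# Assumption: the monitor already knows the expected origin AS for each prefix.

MAX_PREPEND_COUNT = 16  # assumption: larger values are not plausible prepend counts


def parse_as_path(text):
    """Return the AS path as a list of ints.

    Non-numeric tokens (a trailing Junos origin code such as "I",
    or AS_SET braces) are skipped; this sketch only looks at plain ASNs.
    """
    return [int(tok) for tok in text.split() if tok.isdigit()]


def classify(path_text, expected_origin):
    """Classify the origin of one AS path against the expected origin AS."""
    path = parse_as_path(path_text)
    if not path:
        return "empty"
    origin = path[-1]
    if origin == expected_origin:
        return "ok"  # includes correctly written prepends (asnX asnX asnX)
    # "prepend asnX N" typed on a router that wants "prepend asnX asnX ...":
    # the path ends in "<expected origin> <N>", with N a small integer.
    if (len(path) >= 2 and path[-2] == expected_origin
            and origin <= MAX_PREPEND_COUNT):
        return "prepend-typo"
    return "origin-mismatch"  # needs a closer look as a possible hijack


if __name__ == "__main__":
    # Sample paths: the first is quoted in the message, the rest are constructed.
    samples = [
        ("3356 15958 52116 3 I", 52116),  # expected origin assumed to be 52116
        ("3356 47551 5", 47551),          # constructed from ".* 47551 5"
        ("3356 47551 47551 47551", 47551),
        ("3356 64500 64501", 64496),      # documentation ASNs, constructed
    ]
    for text, expected in samples:
        print(f"{text:28} expected {expected:6} -> {classify(text, expected)}")
```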