nanog mailing list archives

Re: prefix hijack by ASN 8997


From: "Scott Weeks" <surfer () mauigateway com>
Date: Tue, 23 Sep 2008 05:15:50 -0700



--- tme () multicasttech com wrote:
From: Marshall Eubanks <tme () multicasttech com>

: You didn't specify the time zone you are in, 
: so I looked at +- 1 day around it. If the 
: hijack lasted 6 hours, we should have seen it.

My apologies, I just used the time zone the tool (bgplay.routeviews.org/bgplay) was using when I said: 
22/9/2008  9:00:00   and   22/9/2008  15:00:00

I'm sure it was in GMT.  Seeing the many responses, we now know something happened and it was only about 15 minutes in 
duration.  bgplay shows the problem with the above data and I was just wondering if I was understanding the impact 
correctly:

If the above two are correct, would it be 
correct to say only the downstream customers 
of ASN 3267 were affected?

I was not following the rules properly: never attribute to malice that which can be explained by human error.  I 
thought there might be some testing-of-the-water in preparation for future 'events' and I guess I was starting to be 
trigger happy after all the talk about the new BGP attack.

scott




--- tme () multicasttech com wrote:

From: Marshall Eubanks <tme () multicasttech com>
To: surfer () mauigateway com
Cc:  <nanog () merit edu>
Subject: Re: prefix hijack by ASN 8997
Date: Tue, 23 Sep 2008 07:51:36 -0400


On Sep 22, 2008, at 9:06 PM, Scott Weeks wrote:




I am hoping to confirm a short-duration prefix hijack of
72.234.0.0/15 (and another of our prefixes) by ASN 8997 ("OJSC
North-West Telecom" in Russia) in using ASN 3267 (Russian Federal
University Network) to advertise our space to ASN 3277 (Regional
University and Scientific Network (RUSNet) of North-Western and
Saint-Petersburg Area of Russia).

Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay",  
put in prefix 72.234.0.0/15 and select the dates:

22/9/2008  9:00:00   and   22/9/2008  15:00:00

If so, am I understanding it correctly if I say ASN 3267 saw a  
shorter path from ASN 8997, so refused the proper announcement from  
ASN 36149 (me) it normally hears from ASN 174 (Cogent).

I cannot confirm that from the monitoring program at AS 16517 :

[tme@lennon mcast]$ grep 72.234.0.0 bgp.full.Sep_2*2008
bgp.full.Sep_21_00:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_21_06:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_21_12:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_21_18:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_22_00:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_22_12:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_22_18:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_23_00:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_23_06:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?

You didn't specify the time zone you are in, so I looked at +- 1 day  
around it. If the hijack lasted 6 hours, we
should have seen it.

Regards
Marshall




If the above two are correct, would it be correct to say only the  
downstream customers of ASN 3267 were affected?

scott
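
The following is an added example, not part of either message or of anyone's tooling: a small Python check over periodic BGP table snapshots in the layout of the grep output quoted above. It flags snapshots whose origin AS for a prefix is unexpected, and reports the longest gap between snapshots, which is why a roughly 15-minute event can be absent from 6-hourly dumps. The sample lines are constructed, the third one is a made-up anomaly, and the column layout (two attribute columns before the AS path) is an assumption taken from the quoted lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the grep output quoted in the thread.
# The third line is a made-up anomaly for the demo; it was NOT observed at AS 16517.
SAMPLE = """\
bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_22_12:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 174 209 36149 ?
bgp.full.Sep_22_18:07:00_EDT_2008:*> 72.234.0.0/15     38.101.161.116        3990             0 3277 3267 8997 ?
"""

LINE = re.compile(
    r"^bgp\.full\.(?P<ts>[A-Za-z]{3}_\d{1,2}_\d\d:\d\d:\d\d)_[A-Z]+_(?P<year>\d{4}):"
    r"\*>\s+(?P<prefix>\S+)\s+(?P<nexthop>\S+)\s+(?P<rest>.+)$"
)

def parse(text):
    """Return one dict per best-path line: snapshot time, prefix, AS path."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        fields = m["rest"].split()
        # Assumption: two attribute columns (metric, weight) precede the AS path
        # and one origin code (i, e or ?) follows it, as in the quoted lines.
        path = [int(asn) for asn in fields[2:-1]]
        when = datetime.strptime(f"{m['ts']}_{m['year']}", "%b_%d_%H:%M:%S_%Y")
        records.append({"when": when, "prefix": m["prefix"], "path": path})
    return sorted(records, key=lambda r: r["when"])

def unexpected_origins(records, prefix, expected_origin):
    """Snapshots where the prefix's origin AS (last AS in the path) is not ours."""
    return [r for r in records
            if r["prefix"] == prefix and r["path"] and r["path"][-1] != expected_origin]

def longest_gap(records):
    """Largest interval between consecutive snapshots: the monitor's blind window."""
    times = [r["when"] for r in records]
    return max((b - a for a, b in zip(times, times[1:])), default=timedelta(0))

def can_miss(records, event_duration):
    """True if an event of this length can fit entirely between two snapshots."""
    return event_duration < longest_gap(records)

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for r in unexpected_origins(recs, "72.234.0.0/15", 36149):
        print(r["when"], r["prefix"], "origin AS", r["path"][-1], "path", r["path"])
    print("blind window:", longest_gap(recs), "15-min event missable:",
          can_miss(recs, timedelta(minutes=15)))
```

A clean result from snapshots like these only rules out events longer than the snapshot interval; shorter ones need an update feed or a route collector's update archive.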





