.-- My secret spy satellite informs me that at 2014-11-30 6:24 AM
Pierfrancesco Caci wrote:
>>>>>> "Simon" == Simon Leinen <simon.lei...@switch.ch> writes:
>
> Simon> Some suspicious paths I'm seeing right now:
>
> Simon> 133439 5
> Simon> 197945 4
>
> my bet is on someone using the syntax "prepend asnX timesY" on a router
> that instead wants "prepend asnX asnX...."
I agree. When looking at distribution of ASns that appear to be
hijacking prefixes, the lower number ASns stand out. AS1,2,3,4,5 are
common. When looking closer, the next-hop AS is typically the 'expected'
AS, which would confirm the prepend theory.
185.78.114.0/24 was announced as ".* 47551 5" and but now as ".*
47551". I guess they found out the 5x prepending didn't work as expected.
AS3 (MIT) seems to be particularly popular, probably by folks who
attempt to prepend 3 times. Here's a current example:
212.69.8.0/23 [BGP/170] 6d 05:45:32, MED 22007, localpref 100
AS path: 3356 15958 52116 3 I
This is a prefix in Serbia, routes to Serbia and doesn't seem to be
related to MIT (AS3) at all.
Another example: AS35819, Etihad Etisalat was originating some of its
prefixes as AS1 earlier this week as well.
https://twitter.com/bgpmon/status/537062576002064385
Just a few examples.
Cheers,
Andree
