.-- My secret spy satellite informs me that at 2014-11-30 6:24 AM Pierfrancesco Caci wrote: >>>>>> "Simon" == Simon Leinen <simon.lei...@switch.ch> writes: > > Simon> Some suspicious paths I'm seeing right now: > > Simon> 133439 5 > Simon> 197945 4 > > my bet is on someone using the syntax "prepend asnX timesY" on a router > that instead wants "prepend asnX asnX...."
I agree. When looking at distribution of ASns that appear to be hijacking prefixes, the lower number ASns stand out. AS1,2,3,4,5 are common. When looking closer, the next-hop AS is typically the 'expected' AS, which would confirm the prepend theory. 185.78.114.0/24 was announced as ".* 47551 5" and but now as ".* 47551". I guess they found out the 5x prepending didn't work as expected. AS3 (MIT) seems to be particularly popular, probably by folks who attempt to prepend 3 times. Here's a current example: 212.69.8.0/23 [BGP/170] 6d 05:45:32, MED 22007, localpref 100 AS path: 3356 15958 52116 3 I This is a prefix in Serbia, routes to Serbia and doesn't seem to be related to MIT (AS3) at all. Another example: AS35819, Etihad Etisalat was originating some of its prefixes as AS1 earlier this week as well. https://twitter.com/bgpmon/status/537062576002064385 Just a few examples. Cheers, Andree