Hi Yang,
My secret spy satellite informs me that Yang Yu wrote On 2015-11-06, 10:19 AM:
> Yes I saw the same thing. Level 3 customer space inside 8.0.0.0/8 got
> leaked by AS9498 through 174, 4323, 5580 and 12989.
> I did get alerts from bgpmon but the event is not shown on
> bgpstream.com. What are the criteria for listing on bgpstream.com?
Great question!
We set out to build a tool that would provide a 'clean' feed of BGP
events. The goal of bgpstream.com is to give folks an idea of what's
going on in the world of BGP and in large scale cases like this, to show
that you're not alone, instead many other networks were affected as
well. So you'd go there to see if others see the same.
We're still tuning the system, the hardest part is to figure out what is
a 'suspicious' origin AS change and what is 'probably' ok. We have
several checks and balances in place, for example GEO based info
(expected ASn in US, new ASn in India). Historical info (did the AS ever
announce other prefixes for the expected AS). Peering relations
(customer - upstream relationship?). Obviously we check the several
RIR/IRR databases, check for overlapping names / email addresses in
those records. And a bunch more. All those heuristics combined determine
if this is a 'suspicious' origin AS change (hijack) or not.
With this we have a fairly good list of events that are worth looking
into as a human. It's very easy to create a list of hundreds of events a
day, but many will be perfectly fine and the goal was to have a handful
of actionable events. As a result we do throttle the number of events
that are published on bgpstream.com in cases of large scale incidents.
That's what happened to the events this morning. We have 130 AS9498
events in BGPstream today, that's all; that's the admin max today for a
given AS.
Just to be clear: we did detect many more events, alerted all our users,
but only publish 130 per AS per day on bgpstream.com to prevent
cluttering. At least for now :)
Cheers,
Andree (BGPmon.net)
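
Added illustration, not part of the original message and not BGPmon's code: a sketch of how the signals named above (geo, history, peering relationship, RIR/IRR overlap) could be combined into a 'suspicious' verdict, with every suspicious event alerted on but only 130 per origin AS per day published. The field names, equal weights, threshold of 3 and sample events are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

PUBLISH_CAP = 130  # per origin AS per day, the figure given in the message

@dataclass(frozen=True)
class OriginChange:
    day: str
    prefix: str
    expected_as: int
    new_as: int
    expected_cc: str         # country of the expected origin AS
    new_cc: str              # country of the newly seen origin AS
    seen_before: bool        # new AS has announced the expected AS's prefixes before
    customer_upstream: bool  # the two ASes have a customer-upstream relationship
    irr_overlap: bool        # RIR/IRR records share names or e-mail addresses

def suspicion_score(ev):
    # Hypothetical equal weights: one point per signal that fails to explain the change.
    return sum([ev.expected_cc != ev.new_cc, not ev.seen_before,
                not ev.customer_upstream, not ev.irr_overlap])

def triage(events, threshold=3):
    """Return (alerts, published): every suspicious event is alerted on,
    but at most PUBLISH_CAP per (origin AS, day) reach the public feed."""
    alerts, published, per_as_day = [], [], Counter()
    for ev in events:
        if suspicion_score(ev) < threshold:
            continue  # 'probably ok' origin change
        alerts.append(ev)
        key = (ev.new_as, ev.day)
        if per_as_day[key] < PUBLISH_CAP:
            per_as_day[key] += 1
            published.append(ev)
    return alerts, published

def sample_events():
    # Constructed data: documentation ASNs and benchmark address space.
    leak = [OriginChange("2015-11-06", f"198.18.{i}.0/24", 64496, 64500,
                         "US", "IN", False, False, False) for i in range(200)]
    benign = OriginChange("2015-11-06", "198.19.0.0/24", 64496, 64501,
                          "US", "US", True, True, True)
    other = OriginChange("2015-11-06", "198.19.1.0/24", 64497, 64502,
                         "US", "IN", False, False, True)
    return leak + [benign, other]

if __name__ == "__main__":
    alerts, published = triage(sample_events())
    print(len(alerts), "alerted,", len(published), "published")
```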