Hi Andy, It smells like someone in 38478 or 131477 is using Noction or some other BGP "optimizer" that injects hijacks for the purpose of traffic engineering. :-(
Kind regards, Job On Thu, 31 Aug 2017 at 19:38, Andy Litzinger <andy.litzinger.li...@gmail.com> wrote: > Hello, > we use BGPMon.net to monitor our BGP announcements. This morning we > received two possible BGP MITM alerts for two of our prefixes detected by a > single BGPMon probe located in China. I've reached out to BGPMon to see > how much credence I should give to an alert from a single probe location, > but I'm interested in community feedback as well. > > The alert detailed that one of our /23 prefixes has been broken into /24 > specifics and the AS Path shows a peering relationship with us that does > not exist: > 131477(Shanghai Huajan) 38478(Sunny Vision LTD) 3491(PCCW Global) 14042 > (me) > > We do not peer directly with PCCW Global. I'm going to reach out to them > directly to see if they may have done anything by accident, but presuming > they haven't and the path is spoofed, can I prove that? How can I detect > if traffic is indeed swinging through that hijacked path? How worried > should I be and what are my options for resolving the situation? > > thanks! > -andy >
