[108056] in North American Network Operators' Group
Re: prefix hijack by ASN 8997
daemon@ATHENA.MIT.EDU (Andree Toonk)
Tue Sep 23 03:25:04 2008
Date: Tue, 23 Sep 2008 09:24:51 +0200
From: Andree Toonk <andree+nanog@toonk.nl>
To: Hank Nussbacher <hank@efes.iucc.ac.il>
In-Reply-To: <Pine.LNX.4.64.0809230949590.20931@efes.iucc.ac.il>
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
Hi Hank,
.-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank Nussbacher wrote:
>> Looking at that raw data from both routeviews and Ripe, it looks like they (AS8997) 'leaked' a full table, i.e. :
>> * 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895 3267 8997)
>> * 250495 seen by routeviews (ASpath: 2895 3267 8997).
>> (results of quick query: where AS-path contained '3267 8997' update type = advertisement).
>>
>> ASpath: 2895 3267 8997
>
> Is that the only ASpath that leaked it? There are others - did they
> filter properly and only that path failed to filter?
Again:
* 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895 3267 8997 & ASpath 2895 5431 3267 8997)
* 250495 seen by routeviews (ASpath: 3277 3267 8997).
Looks like those are the only ones, but this is just a quick egrep, awk, and sort on the rawdata so I might have missed something (It's getting late here, so no guarantees ;))
Cheers,
Andree
