[125488] in North American Network Operators' Group
Re: Senderbase is offbase, need some help
daemon@ATHENA.MIT.EDU (Matthew Petach)
Sun Apr 18 17:02:43 2010
In-Reply-To: <1271610918.29944.8.camel@ub-g-d2>
Date: Sun, 18 Apr 2010 14:02:27 -0700
From: Matthew Petach <mpetach@netflight.com>
To: gordslater@ieee.org
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sun, Apr 18, 2010 at 10:15 AM, gordon b slater <gordslater@ieee.org> wrote:
> On Sat, 2010-04-17 at 16:45 -0400, William Herrin wrote:
>
>> Interesting; I see similar results for my address space. Two
>> addresses, one of which hasn't been attached to a machine for a decade
>> and the other a virtual IP on a web server where the particular IP
>> never emits connections. Magnitude's only "0.48" for both but still,
>> they shouldn't even appear.
>
> Yep, same here, at two separate sites. It's in the "reserved for extreme
> emergencies" zone at the top of each assigned block. As per house
> practice it is tcpdumped 24/7, and has been for the last 4 years. Zero
> traffic from it at the perimeter.
>
> Go figure.
>
> Gord
Have you checked cyclops and other BGP announcement tracking systems
to see if it might have been a short-lived whack-a-mole short prefix hijack
(pop up, announce block, send burst of spam, remove announcement, disappear
again)?
Matt
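
Added example, not part of the original message: one way to run the check Matt suggests over route history, flagging short-lived announcements that covered a watched address from an unexpected origin. The record format (one collector peer's view as time, A/W, prefix, origin AS), the function name, and the sample data are assumptions; prefixes and AS numbers are documentation values.

```python
import ipaddress

# Constructed sample: (unix_time, "A"nnounce/"W"ithdraw, prefix, origin_as).
# Withdrawals carry no origin, so None is used there.
UPDATES = [
    (0,      "A", "192.0.2.0/24",    64496),  # expected long-lived route
    (86400,  "A", "192.0.2.128/25",  64497),  # more-specific appears
    (88200,  "W", "192.0.2.128/25",  None),   # gone 30 minutes later
    (90000,  "A", "198.51.100.0/24", 64499),  # unrelated prefix
    (172800, "A", "192.0.2.0/24",    64498),  # same prefix, different origin
    (173100, "A", "192.0.2.0/24",    64496),  # expected origin returns after 5 min
]

def short_lived_origins(updates, watched_ip, expected_origins, max_lifetime):
    """Return (prefix, origin, start, lifetime) for every route covering
    watched_ip whose origin is unexpected and that lasted <= max_lifetime s."""
    ip = ipaddress.ip_address(watched_ip)
    active = {}    # prefix -> (start_time, origin) currently seen from this peer
    findings = []

    def close(prefix, ts):
        start, origin = active.pop(prefix)
        if origin not in expected_origins and ts - start <= max_lifetime:
            findings.append((prefix, origin, start, ts - start))

    for ts, kind, prefix, origin in sorted(updates, key=lambda u: u[0]):
        if ip not in ipaddress.ip_network(prefix):
            continue                      # route does not cover the watched IP
        if kind == "A":
            if prefix in active:
                if active[prefix][1] == origin:
                    continue              # re-announcement, interval continues
                close(prefix, ts)         # implicit replacement by a new origin
            active[prefix] = (ts, origin)
        elif kind == "W" and prefix in active:
            close(prefix, ts)
    return findings

if __name__ == "__main__":
    for hit in short_lived_origins(UPDATES, "192.0.2.254", {64496}, 3600):
        print("prefix=%s origin=AS%d start=%d lifetime=%ds" % hit)
```

Routes still announced when the data ends are not reported, so an unexpected origin that is live right now needs a separate check.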