[149341] in North American Network Operators' Group
AS8300 - Swisscom hijacking.. Just what are you testing?
daemon@ATHENA.MIT.EDU (Schiller, Heather A)
Wed Feb 1 16:44:58 2012
From: "Schiller, Heather A" <heather.schiller@verizon.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 1 Feb 2012 16:44:07 -0500
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
AS8300 started announcing one of the Rove Digital dns changer IP ranges. (The IP ranges the FBI is sending 'you are infected' letters about) Swisscom's announcement is less specific than the prefixes being announced by ISC during the remediation effort, so it's not impacting traffic... But AS8300 seems to announce less specifics a lot. Last fall they announced 63/8 and half of that is allocated to 701. AFAIK, we weren't notified they were going to announce a less specific of our space. As long as folks have pullup routes, and don't have an outage that withdraws their announcements, then Swisscom should only be getting darknet traffic. The record for AS8300 says 'Test' and the entry for it in CIDR report says "This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS." .. But their announcements certainly do show up in the global routing table, whether they are transiting for someone or not, they could get traffic for anything that doesn't have a more specific. Given the recent YAHT (yet another hijack thread) it's worth pointing out that hijacking more specifics is bad, but less specifics can be bad as well. (Not suggesting that is the case here..)

I searched around and couldn't find any mention of what they might be testing. Anyone know?

route-views>sh ip bgp 85.255.112.0/20
BGP routing table entry for 85.255.112.0/20, version 2177063753
Paths: (11 available, no best path)
  Not advertised to any peer
  6079 3303 8300 (history entry)
    207.172.6.20 from 207.172.6.20 (207.172.6.20)
      Origin IGP, metric 85, localpref 100, external
      Dampinfo: penalty 495, flapped 2 times in 00:24:37
  3277 3267 174 3303 8300 (history entry)
    194.85.102.33 from 194.85.102.33 (194.85.4.4)
      Origin IGP, localpref 100, external
      Community: 3277:3267 3277:65321 3277:65323 3277:65330
      Dampinfo: penalty 501, flapped 2 times in 00:24:22
....

--Heather
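
The less-specific situation described in the message, as an added monitoring example that is not part of the original post: it flags covering routes from an unexpected origin and shows, by longest-prefix match, which origin receives traffic before and after the more specific is withdrawn. The /24 and AS64500 (a documentation ASN) are constructed stand-ins for the remediation announcement; only 85.255.112.0/20 via AS8300 comes from the message.

```python
import ipaddress

def covering_announcements(own_prefixes, own_asns, rib):
    """Find less-specific routes from foreign origins that cover our prefixes.

    rib is a list of (prefix, origin_as) pairs taken from a route collector.
    Returns (announced_prefix, origin_as, covered_own_prefix) tuples.
    """
    findings = []
    for prefix, origin in rib:
        if origin in own_asns:
            continue
        net = ipaddress.ip_network(prefix)
        for own in own_prefixes:
            own_net = ipaddress.ip_network(own)
            if (net.version == own_net.version
                    and net.prefixlen < own_net.prefixlen
                    and own_net.subnet_of(net)):
                findings.append((prefix, origin, own))
    return findings

def best_origin(rib, address):
    """Longest-prefix match: the origin AS that would attract traffic to address."""
    addr = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(p), o) for p, o in rib
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed sample data (only the /20 and AS8300 appear in the message).
OWN_PREFIXES = ["85.255.112.0/24"]   # hypothetical more specific
OWN_ASNS = {64500}                   # documentation ASN, placeholder origin
RIB_NORMAL = [("85.255.112.0/20", 8300), ("85.255.112.0/24", 64500)]
RIB_AFTER_WITHDRAWAL = [("85.255.112.0/20", 8300)]

if __name__ == "__main__":
    for finding in covering_announcements(OWN_PREFIXES, OWN_ASNS, RIB_NORMAL):
        print("covering less specific: %s from AS%d covers %s" % finding)
    for label, rib in (("normal", RIB_NORMAL), ("withdrawn", RIB_AFTER_WITHDRAWAL)):
        print(label, "-> traffic for 85.255.112.10 goes to AS",
              best_origin(rib, "85.255.112.10"))
```
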