[174225] in North American Network Operators' Group


Re: Prefix hijacking, how to prevent and fix currently

daemon@ATHENA.MIT.EDU (Saku Ytti)
Sun Aug 31 14:36:21 2014

X-Original-To: nanog@nanog.org
Date: Sun, 31 Aug 2014 21:36:08 +0300
From: Saku Ytti <saku@ytti.fi>
To: nanog@nanog.org
In-Reply-To: <F1879621-EC26-4787-AB9F-B9B585F3E05D@renesys.com>
Errors-To: nanog-bounces@nanog.org

On (2014-08-31 14:04 -0400), Doug Madory wrote:

Hi,

> FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.

Some seem to avoid BGP analysis by exposing their attack only to their target.
We recently saw MSFT getting our customer's more specific announcement from
60937 originated ostensibly by 35886. No one else (~200 vantage points) was
receiving this more specific.

Companies who are likely targets for this, like MSFT and GOOG, might want to
monitor DFZ and see if they are receiving prefixes no one else is receiving.

-- 
  ++ytti
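
The check suggested in the message above (look for prefixes you receive that no one else receives), as an added example that is not part of the original post. The function name, input shapes and sample routes are assumptions; the sample data is constructed from documentation prefixes and ASNs, and each vantage point is assumed to supply a full table.

```python
import ipaddress

def exclusive_routes(local_routes, vantage_prefixes):
    """Return routes we receive that no vantage point reports.

    local_routes: list of (prefix, as_path) learned on our own eBGP sessions.
    vantage_prefixes: dict of vantage-point name -> set of prefixes it sees.
    """
    seen = {}  # network -> number of vantage points carrying it
    for prefixes in vantage_prefixes.values():
        for net in {ipaddress.ip_network(p) for p in prefixes}:
            seen[net] = seen.get(net, 0) + 1

    findings = []
    for prefix, as_path in local_routes:
        net = ipaddress.ip_network(prefix)
        if net in seen:
            continue  # visible elsewhere, so not exclusive to us
        # Visible prefixes that contain this one: if any exist, we were
        # handed a more specific of address space the rest of the DFZ sees.
        covering = [c for c in seen
                    if c.version == net.version and net.subnet_of(c)]
        best = max(covering, key=lambda c: c.prefixlen, default=None)
        findings.append({
            "prefix": str(net),
            "neighbor_as": as_path[0],
            "origin_as": as_path[-1],
            "covered_by": str(best) if best is not None else None,
            "covering_seen_by": seen[best] if best is not None else 0,
        })
    return findings

# Constructed sample data (documentation prefixes and ASNs, not real routes).
VANTAGE = {
    "collector-a": {"192.0.2.0/24", "203.0.113.0/24", "2001:db8::/32"},
    "collector-b": {"192.0.2.0/24", "203.0.113.0/24"},
}
LOCAL = [
    ("192.0.2.0/24", [64500, 64496]),
    ("203.0.113.0/24", [64500, 64497]),
    ("203.0.113.128/25", [64501, 64510]),  # more specific seen only by us
    ("2001:db8::/32", [64500, 64498]),
]

if __name__ == "__main__":
    for finding in exclusive_routes(LOCAL, VANTAGE):
        print(finding)
```

A finding with a non-empty `covered_by` is the case described in the message: a more specific delivered to one network while the rest of the DFZ only carries the covering prefix.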
