[174227] in North American Network Operators' Group
RE: Prefix hijacking, how to prevent and fix currently
daemon@ATHENA.MIT.EDU (Doug Madory)
Sun Aug 31 15:47:50 2014
From: Doug Madory <dmadory@renesys.com>
Date: Sun, 31 Aug 2014 15:47:40 -0400
To: "nanog@nanog.org" <nanog@nanog.org>
Ah yes BusinessTorg (AS60937). I have also seen this one doing what you
are describing. Not to MSFT or GOOG, but another major technology
company that we peer with. In fact, it is going on right now but only
visible if you receive routes directly from them. A while ago, I sent
them a note describing what was happening and suggested they might want
to stop accepting routes from that AS, but they still do.

> Some seem to avoid BGP analysis by exposing their attack only to their
> target.
> We recently saw MSFT getting our customer's more specific announcement
> from 60937 originated ostensibly by 35886. No one else (~200 vantage
> points) was receiving this more specific.
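
A detection check for the situation described in this message, as an added example that is not part of the original post: compare routes learned on your own BGP sessions with what outside vantage points see, and flag more-specifics of monitored prefixes that appear only locally or behind an unexpected neighbor AS. The prefixes and AS numbers (documentation ranges), the vantage-point names and the baseline structure are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
BASELINE = {  # monitored prefixes: expected origin and the ASes expected next to it
    "198.51.100.0/24": {"origin": 64500, "upstreams": {64501, 64502}},
}
LOCAL_ROUTES = [  # (prefix, AS path) as received on our own peering sessions
    ("198.51.100.0/24", [64501, 64500]),
    ("198.51.100.128/25", [64511, 64500]),  # more-specific via unknown neighbor
    ("203.0.113.0/24", [64503, 64504]),     # unrelated prefix
]
VANTAGE_RIBS = {  # prefixes visible at outside vantage points (hypothetical names)
    "vp1": {"198.51.100.0/24", "203.0.113.0/24"},
    "vp2": {"198.51.100.0/24"},
}

def targeted_more_specifics(local_routes, vantage_ribs, baseline):
    """Flag more-specifics of baseline prefixes that are seen locally but are
    hidden from vantage points or arrive behind an unexpected AS."""
    bases = {ipaddress.ip_network(p): info for p, info in baseline.items()}
    findings = []
    for prefix, as_path in local_routes:
        net = ipaddress.ip_network(prefix)
        if net in bases:
            continue  # an announcement the baseline already accounts for
        for base, info in bases.items():
            if net.version != base.version or not net.subnet_of(base):
                continue
            seen_by = sum(1 for rib in vantage_ribs.values() if str(net) in rib)
            origin = as_path[-1]
            upstream = as_path[-2] if len(as_path) > 1 else None
            reasons = []
            if seen_by == 0:
                reasons.append("not visible at any vantage point")
            if origin != info["origin"]:
                reasons.append(f"unexpected origin AS{origin}")
            elif upstream is not None and upstream not in info["upstreams"]:
                reasons.append(f"expected origin behind unexpected AS{upstream}")
            if reasons:
                findings.append({"prefix": str(net), "covering": str(base),
                                 "seen_by": seen_by, "upstream": upstream,
                                 "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in targeted_more_specifics(LOCAL_ROUTES, VANTAGE_RIBS, BASELINE):
        print(f)
```

A more-specific that is absent from every vantage point is the signal the quoted report relies on, so the check only works if the local session's routes are part of the comparison.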