prefix hijack by ASN 8997

I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia) using ASN 3267 (Russian Federal University Network) to advertise our space to ASN 3277 (Regional University and Scientific Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).

Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put in prefix 72.234.0.0/15 and select the dates:

22/9/2008 9:00:00 and 22/9/2008 15:00:00

If so, am I understanding it correctly if I say ASN 3267 saw a shorter path from ASN 8997, so refused the proper announcement from ASN 36149 (me) it normally hears from ASN 174 (Cogent).

If the above two are correct, would it be correct to say only the downstream customers of ASN 3267 were affected?

scott

I received a phas notification about this today as well...

I couldn't find any relevant data confirming the announcement of one
of my /19 blocks, until a few minutes ago when I checked the route
views bgplay (ripe bgplay turns up nothing) and can now see 8997
announcing and quickly withdrawing my prefix

Yep, saw this for 69.61.0.0/17 GlobalCompass (my upstream) this AM:

SEQUENCE_NUMBER: 1222091638
TYPE: last-hop
BGP-UPDATE-TIME: 1222075864
PHAS-DETECT-TIME: 1222091637
PHAS-NOTIFY-TIME: 1222091637
PREFIX: 69.61.0.0/17
SET: 3561,3267,3356,3491
GAINED: 3267 <- Russian Federal University Network
LOST:

SEQUENCE_NUMBER: 1222091638
TYPE: origin
BGP-UPDATE-TIME: 1222075864
PHAS-DETECT-TIME: 1222091637
PHAS-NOTIFY-TIME: 1222091637
PREFIX: 69.61.0.0/17
SET: 8997,22653
GAINED: 8997 <- OJSC North-West Telecom, St.-Petersburg, Russia
LOST:

SEQUENCE_NUMBER: 1222096125
TYPE: origin
BGP-UPDATE-TIME: 1222076569
PHAS-DETECT-TIME: 1222092415
PHAS-NOTIFY-TIME: 1222096124
PREFIX: 69.61.0.0/17
SET: 22653 <- GlobalCrossing
GAINED:
LOST: 8997

-Jim P.
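As an added example (not from the thread, and not PHAS's own code), a small parser for notification records in the layout Jim pasted, which flags TYPE=origin records whose GAINED ASN is outside a per-prefix allowlist and measures how long the rogue origin stayed in the table. The sample is the two origin records above with the SEQUENCE_NUMBER and PHAS-NOTIFY-TIME lines dropped and Jim's later GlobalCompass correction applied; it assumes the timestamps are Unix epoch seconds.

```python
import re

PHAS_SAMPLE = """\
TYPE: origin
BGP-UPDATE-TIME: 1222075864
PHAS-DETECT-TIME: 1222091637
PREFIX: 69.61.0.0/17
SET: 8997,22653
GAINED: 8997 <- OJSC North-West Telecom, St.-Petersburg, Russia
LOST:

TYPE: origin
BGP-UPDATE-TIME: 1222076569
PHAS-DETECT-TIME: 1222092415
PREFIX: 69.61.0.0/17
SET: 22653 <- GlobalCompass
GAINED:
LOST: 8997
"""

def parse_phas(text):
    """One dict per blank-line-separated record; values kept as raw strings."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, _, v in pairs})
    return records

def as_set(field):
    """'8997 <- OJSC ...' -> {8997}; '3561,3267' -> {3561, 3267}; '' -> set()."""
    return {int(a) for a in re.findall(r"\d+", field.split("<-")[0])}

def check_origins(records, expected):
    """Origin records with GAINED ASNs outside the allowlist -> (prefix, rogue ASNs, detect lag s)."""
    alerts = []
    for rec in records:
        rogue = as_set(rec.get("GAINED", "")) - expected.get(rec["PREFIX"], set())
        if rec.get("TYPE") == "origin" and rogue:
            lag = int(rec["PHAS-DETECT-TIME"]) - int(rec["BGP-UPDATE-TIME"])
            alerts.append((rec["PREFIX"], rogue, lag))
    return alerts

def hijack_window(records, prefix, asn):
    """Seconds the rogue origin was in the table: LOST time minus GAINED time."""
    times = {}
    for r in records:
        for key in ("GAINED", "LOST"):
            if r["PREFIX"] == prefix and asn in as_set(r.get(key, "")):
                times[key] = int(r["BGP-UPDATE-TIME"])
    return times["LOST"] - times["GAINED"] if len(times) == 2 else None
```

On this sample the rogue origin was present for 705 seconds, and PHAS detected it roughly 4.4 hours after the update, which is why the table looked clean by the time the alert arrived.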

Looking up some of my prefixes in PHAS and BGPPlay, I too see my prefixes being advertised by 8997 for a short time. It looks like it happened around 1222091563 according to PHAS.

Was this a mistake or something else?

Justin

Christian Koch wrote:

I too spotted this via PHAS for a large number of prefixes, but have not received alerts from IAR, Watchmy.Net nor does RIPE RIS show this hijack: http://www.ris.ripe.net/perl-risapp/risearch.html I would have expected with so many RRC boxes that RIPE RIS would have caught it. I had thought it was a false positive from PHAS but now that you and others have seen it - I guess it is for real.

-Hank

Strange that RIPE RIS search doesn't show it:
http://www.ris.ripe.net/perl-risapp/risearch.html
but yet you say BGPlay does show it.

-Hank

At first glance this morning, not seeing any data between the gain and
lost alerts from phas and being unable to find a route in any of the many
collectors and route servers out there, I had thought it was possibly
a fat-finger mistake by 8997 or a false positive.

After locating the data in bgplay/rviews, and noticing how many more
people this occurred to, I'm leaning towards 2 possible scenarios:

1 - bgp misconfigurations leading to leaks
(Depends on the overall scale of how many other prefixes were
possibly announced)

2 - 8997 began announcing prefixes as an experiment to "test the
waters" for potential real hijacks in future...

'geography' hints towards #2

Or both theories could be way off :slight_smile:

I'd be interested to know if Renesys collected any data that might
give some better insight to this...

Christian

Bgplay on routeviews, not the ripe one :slight_smile:

Christian

Hi,

.-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank Nussbacher wrote:

I too spotted this via PHAS for a large number of prefixes, but have not
received alerts from IAR, Watchmy.Net nor does RIPE RIS show this hijack:
http://www.ris.ripe.net/perl-risapp/risearch.html I would have expected
with so many RRC boxes that RIPE RIS would have caught it. I had thought
it was a false positive from PHAS but now that you and others have seen
it - I guess it is for real.

Not a false positive. It actually was detected by the RIS box in Moscow (rrc13). Strange that it's not visible in the RIS search website, but it's definitely in the raw data files.
Looking at that raw data from both routeviews and Ripe, it looks like they (AS8997) 'leaked' a full table, i.e.:
* 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895 3267 8997)
* 250495 seen by routeviews (ASpath: 2895 3267 8997).
(results of quick query: where AS-path contained '3267 8997', update type = advertisement).

I'm using another prefix monitoring tool and within a few minutes it notified me of this hijack for some of our prefixes:

Ahah, so my first theory was on the right track :slight_smile:

Thanks for sharing the info...

Christian

Is that the only ASpath that leaked it? There are others - did they filter properly and only that path failed to filter?

Regards,
Hank

Hi Hank,

.-- My secret spy satellite informs me that at Tue, 23 Sep 2008, Hank Nussbacher wrote:

Looking at that raw data from both routeviews and Ripe, it looks like they (AS8997) 'leaked' a full table, i.e.:
* 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895 3267 8997)
* 250495 seen by routeviews (ASpath: 2895 3267 8997).
(results of quick query: where AS-path contained '3267 8997', update type = advertisement).

ASpath: 2895 3267 8997

Is that the only ASpath that leaked it? There are others - did they
filter properly and only that path failed to filter?

Again:
* 217.208 unique prefixes detected by the RIS server in Moscow (ASpath: 2895 3267 8997 & ASpath 2895 5431 3267 8997)
* 250495 seen by routeviews (ASpath: 3277 3267 8997).

Looks like those are the only ones, but this is just a quick egrep, awk, and sort on the rawdata so I might have missed something (It's getting late here, so no guarantees ;))

Cheers,
Andree
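An added example (not from the thread, and not Andree's actual egrep/awk/sort query) that does the same "which paths carried how many unique prefixes through '3267 8997'" count in Python over bgpdump-style text records, the layout Ingo quotes further down. The AS paths are the ones Andree lists; the prefixes are constructed documentation ranges, and leak_suspects is an assumed crude threshold check, not something RIS or PHAS implements.

```python
import re
from collections import defaultdict

RAW_SAMPLE = """\
TIME: 09/22/08 09:30:05
ASPATH: 2895 3267 8997
ANNOUNCE
  192.0.2.0/24
  198.51.100.0/24

TIME: 09/22/08 09:30:06
ASPATH: 2895 5431 3267 8997
ANNOUNCE
  192.0.2.0/24
  203.0.113.0/24

TIME: 09/22/08 09:31:00
WITHDRAW
  192.0.2.0/24
"""

def parse_updates(text):
    """Yield (aspath tuple, announced prefixes) per bgpdump-style record;
    WITHDRAW sections and records with no ASPATH/ANNOUNCE are skipped."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head, _, body = block.partition("\nANNOUNCE\n")
        body = body.split("\nWITHDRAW")[0]
        m = re.search(r"^ASPATH: (.*)$", head, re.M)
        if m and body.strip():
            path = tuple(int(a) for a in re.findall(r"\d+", m.group(1)))
            yield path, [p.strip() for p in body.splitlines() if p.strip()]

def contains_adjacency(path, adjacency):
    """True if `adjacency` (e.g. (3267, 8997)) occurs contiguously in `path`."""
    n = len(adjacency)
    return any(path[i:i + n] == adjacency for i in range(len(path) - n + 1))

def prefixes_via(text, adjacency):
    """Unique announced prefixes per AS path containing `adjacency`: the
    egrep/awk/sort query over the raw data, done in Python."""
    seen = defaultdict(set)
    for path, prefixes in parse_updates(text):
        if contains_adjacency(path, adjacency):
            seen[path].update(prefixes)
    return dict(seen)

def leak_suspects(text, max_prefixes):
    """Origin ASNs announcing more unique prefixes than `max_prefixes` (crude full-table-leak signal)."""
    per_origin = defaultdict(set)
    for path, prefixes in parse_updates(text):
        per_origin[path[-1]].update(prefixes)
    return {asn: len(p) for asn, p in per_origin.items() if len(p) > max_prefixes}
```

Run against a real RIS or route-views dump, the threshold would be set far above what an AS of 8997's size legitimately originates, so the 217k/250k figures above would trip it immediately.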

Hi,

http://www.msk-ix.ru/network/traffic.html
it was 12:00 moscow local time.

Kind regards,
         ingo flaschberger

Hi

Traffic
it was 12:00 moscow local time.

sorry, 13:xx

TIME: 09/22/08 09:30:05
TYPE: BGP4MP/MESSAGE/Update
ORIGIN: IGP
ASPATH: 2895 3267 8997
NEXT_HOP: 193.232.244.36
ANNOUNCE

GMT+4

  Kind regards,
         ingo flaschberger

I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in Russia) using ASN 3267 (Russian Federal University Network) to advertise our space to ASN 3277 (Regional University and Scientific Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia).

Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put in prefix 72.234.0.0/15 and select the dates:

22/9/2008 9:00:00 and 22/9/2008 15:00:00

If so, am I understanding it correctly if I say ASN 3267 saw a shorter path from ASN 8997, so refused the proper announcement from ASN 36149 (me) it normally hears from ASN 174 (Cogent).

I cannot confirm that from the monitoring program at AS 16517 :

[tme@lennon mcast]$ grep 72.234.0.0 bgp.full.Sep_2*2008
bgp.full.Sep_21_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_21_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_21_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_21_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_23_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_23_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?

You didn't specify the time zone you are in, so I looked at +- 1 day around it. If the hijack lasted 6 hours, we
should have seen it.

Regards
Marshall
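As an added example (not Marshall's script), the grep lines above parsed into snapshot times and origin ASNs, with the longest gap between snapshots computed: any event shorter than that gap can sit entirely between two 6-hourly table dumps and leave no trace, which is why a table-snapshot check cannot refute a PHAS alert on its own. CONSTRUCTED_LEAK is an invented line, seen nowhere, showing what a leaked origin would look like in this format.

```python
import re
from datetime import datetime

# Four of the grep lines from the post above (6-hourly table snapshots).
SNAPSHOT_LINES = """\
bgp.full.Sep_22_00:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_06:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_12:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
bgp.full.Sep_22_18:07:00_EDT_2008:*> 72.234.0.0/15 38.101.161.116 3990 0 174 209 36149 ?
"""
# Constructed line (not observed anywhere): a non-best path with a leaked origin.
CONSTRUCTED_LEAK = "bgp.full.Sep_22_06:07:00_EDT_2008:*  72.234.0.0/15 192.0.2.1 0 0 3277 3267 8997 ?"

STAMP_RE = re.compile(r"^bgp\.full\.(\w{3}_\d{2}_\d{2}:\d{2}:\d{2})_\w+_(\d{4}):(.*)$")

def parse_snapshots(text):
    """(snapshot datetime, prefix, origin ASN, remaining tokens) per grep line.
    The last token is the origin code and the one before it the origin AS; the
    leading numeric attributes (metric/weight) stay inside the token list."""
    out = []
    for line in text.splitlines():
        m = STAMP_RE.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(f"{m.group(1)}_{m.group(2)}", "%b_%d_%H:%M:%S_%Y")
        tokens = m.group(3).split()  # flags, prefix, next hop, attrs..., path, origin code
        out.append((stamp, tokens[1], int(tokens[-2]), tokens[3:-1]))
    return out

def max_gap_seconds(records):
    """Longest interval between consecutive snapshots: the blind spot size."""
    stamps = sorted(r[0] for r in records)
    return max((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))

def unexpected_origins(records, prefix, expected_origin):
    """Snapshots where `prefix` is seen with an origin other than expected."""
    return [(r[0].isoformat(), r[2]) for r in records
            if r[1] == prefix and r[2] != expected_origin]
```

The 21600-second gap between these dumps is far longer than the roughly 12-minute window the PHAS records in this thread show, so a clean set of snapshots is consistent with the leak having happened.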

Agree on #2 as well. You can bet they're also reading Nanog right now
to see who and how it was detected. Oh, well, on with the fight.

Chuck

Small typo on my part above... 22653 is GlobalCompass, not
GlobalCrossing as I mistakenly typed above.

-Jim P.