At first glance this morning not seeing any data between the gain and lost alerts from phas and inability to find a route in any of the many collectors and route servers out there I had thought it was a possibly a fat finger mistake by 8997 or a false positive.
After locating the data in bgplay/rviews, and noticing how many more people this occured to I'm leaning towards 2 possible scenarios: 1 - bgp misconfigurations leading to leaks (Depends on the overall scale of how many other prefixes were possibly announced) 2 - 8997 began announcing prefixes as an experiment to "test the waters" for potential real hijacks in future... 'geography' hints towards #2 Or both theories could be way off :) I'd be interested to know if Renesys collected any data that might give some better insight to this... Christian On 9/23/08, Justin Shore <[EMAIL PROTECTED]> wrote: > Looking up some of my prefixes in PHAS and BGPPlay, I too see my > prefixes being advertised by 8997 for a short time. It looks like it > happened around 1222091563 according to PHAS. > > Was this a mistake or something else? > > Justin > > > Christian Koch wrote: >> I received a phas notification about this today as well... >> >> I couldn't find any relevant data confirming the announcement of one >> of my /19 blocks, until a few minutes ago when i checked the route >> views bgplay (ripe bgplay turns up nothing) and can now see 8997 >> announcing and quickly withdrawing my prefix >> >> >> >> >> On Mon, Sep 22, 2008 at 9:06 PM, Scott Weeks <[EMAIL PROTECTED]> >> wrote: >>> >>> >>> I am hoping to confirm a short-duration prefix hijack of 72.234.0.0/15 >>> (and another of our prefixes) by ASN 8997 ("OJSC North-West Telecom" in >>> Russia) in using ASN 3267 (Russian Federal University Network) to >>> advertise our space to ASN 3277 (Regional University and Scientific >>> Network (RUSNet) of North-Western and Saint-Petersburg Area of Russia). >>> >>> Is that what I'm seeing when I go to "bgplay.routeviews.org/bgplay", put >>> in prefix 72.234.0.0/15 and select the dates: >>> >>> 22/9/2008 9:00:00 and 22/9/2008 15:00:00 >>> >>> If so, am I understanding it correctly if I say ASN 3267 saw a shorter >>> path from ASN 8997, so refused the proper announcement from ASN 36149 >>> (me) it normally hears from ASN 174 (Cogent). >>> >>> If the above two are correct, would it be correct to say only the >>> downstream customers of ASN 3267 were affected? >>> >>> scott >>> >>> >> > -- Sent from my mobile device