Prefix hijack by AS16735
Many BGPmon.net users received a notification email regarding a possible prefix hijack. I just went over the data files manually and verified the leak. For those interested, let me share with you what I saw in the raw data. Between 01:55 UTC and 02:15, 267947 distinct prefixes were originated from AS16735 (Companhia de Telecomunicacoes do Brasil Central), hence a full table ‘leak’. After that, more updates were detected. The last hijack update originated by AS16735 was received at 03:07 UTC, so the ‘hijack’ was there for about 75 minutes. As far as I can see, the only RIS collector that saw this hijack was the one in Sao Paulo, Brazil (PTTMetro-SP), where it was seen by a few RIS peers.
The reason that you received multiple emails is that your prefix was detected as hijacked multiple times in 75 minutes. Multiple alarms within a 5-minute interval are aggregated into one notification email. If updates are detected after those 5 minutes, another notification email is generated; this email can possibly contain multiple updates as well. BGPmon tries not to send too many notifications by aggregating them, but at the same time we try to be sub-real time, i.e. a 5-minute interval. Hope that explains a bit more about the notification email interval.
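The origin check and the 5-minute aggregation described above can be sketched as follows. This is an added example, not BGPmon's own code: the watched prefix 192.0.2.0/24, its expected origin AS64500, the sample updates, and the rule that a window opens at the first alarm of a batch are all assumptions made for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

WINDOW = timedelta(minutes=5)  # aggregation interval described in the post
# Constructed watch list: monitored prefix -> origin AS the owner expects.
MONITORED = {ip_network("192.0.2.0/24"): 64500}
# Constructed updates in the shape of the alert email: (UTC time, prefix, AS path).
UPDATES = [
    ("2008-11-11 01:58", "192.0.2.0/24", "22548 16735"),
    ("2008-11-11 02:01", "192.0.2.0/24", "22548 16735"),
    ("2008-11-11 02:02", "192.0.2.0/24", "64510 64500"),    # expected origin
    ("2008-11-11 02:40", "192.0.2.128/25", "22548 16735"),  # more-specific
    ("2008-11-11 03:07", "192.0.2.0/24", "22548 16735"),
]


def detect(updates, monitored):
    """Yield an alarm for each update whose origin AS is not the expected one."""
    for ts, prefix, aspath in updates:
        net = ip_network(prefix)
        hops = [int(asn) for asn in aspath.split()]
        origin = hops[-1]  # right-most AS in the path is the originator
        transit = hops[-2] if len(hops) > 1 else None
        for watched, expected in monitored.items():
            # Covers an exact match and any more-specific of a watched prefix.
            same_family = net.version == watched.version
            if same_family and net.subnet_of(watched) and origin != expected:
                yield {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                       "prefix": prefix, "origin": origin, "transit": transit}


def aggregate(alarms, window=WINDOW):
    """Group alarms into notifications; a batch spans `window` from its first alarm."""
    batches = []
    for alarm in sorted(alarms, key=lambda a: a["time"]):
        if batches and alarm["time"] - batches[-1][0]["time"] < window:
            batches[-1].append(alarm)   # same email as the alarm that opened it
        else:
            batches.append([alarm])     # outside the window: a new email
    return batches


def notifications():
    return aggregate(detect(UPDATES, MONITORED))


if __name__ == "__main__":
    for batch in notifications():
        print(batch[0]["time"], [(a["prefix"], a["origin"]) for a in batch])
```

With the constructed input, the 01:58 and 02:01 alarms share one notification, while the 02:40 and 03:07 alarms each open a new one, which is why a single prefix can produce several emails during one event.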
Example email as sent out earlier today:
You Receive this email because you are subscribed to BGPmon.net.
For more details about these updates please visit:
Possible Prefix Hijack (Code: 11)
1 number of peer(s) detected this updates for your prefix 184.108.40.206/16:
Update details: 2008-11-11 01:58 (UTC)
Announced by: AS16735 (Companhia de Telecomunicacoes do Brasil Central)
Transit AS: 22548 (Comite Gestor da Internet no Brasil)
ASpath: 22548 16735