Did AS13214 really hijack the Internet?
This morning there was a discussion on the NANOG list about a possible prefix hijack by AS13214. Cyclops users received an email notifying them that AS13214 was announcing their prefix. I just went through some of the raw data and this is what I found.

It seems it was picked up by the route-views4 collector only. None of the RIS peers seem to have seen this. This is also the reason why BGPmon.net users did not get notified, as BGPmon.net uses the RIS resources for BGP updates.

Looking at the raw BGP data from routeviews4, it seems that AS13214 leaked a full table (~266294 prefixes) with 13214 as origin AS to AS48285, which is a routeviews4 peer. Routeviews4 saw these announcements as AS path 48285 13214.

It seems to have happened twice:
~ 11:03:45 GMT to 12:16:31 GMT (here AS48285 started announcing a valid path to routeviews again),
then a few seconds later again: ~ 12:16:36 GMT to 12:18:14 GMT.
After that AS48285 announced the ‘normal’ AS path to routeviews again.

So it looks like it wasn’t a global hijack; it was only seen by one routeviews peer. This is very similar to the event we saw in November 2008: Prefix hijack by AS16735 (or Brazil Leak: If a tree falls in the rainforest).

This again shows that it’s hard to determine whether an event is a ‘real’ hijack or not. Some will say it’s irrelevant; others want to be notified in all cases. Based on received feedback regarding the November 11 event, BGPmon.net implemented peer thresholds.
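The following is an added example, not BGPmon.net's code: it replays BGP updates per collector peer and only alerts on an unexpected origin AS when enough distinct peers carry it at the same time. It assumes a peer threshold means a minimum count of distinct (collector, peer) pairs; the prefixes, expected origins, extra peers and update stream are constructed, loosely following the timeline above.

```python
from collections import defaultdict

# Hypothetical expected origins; the prefixes are documentation ranges.
EXPECTED_ORIGIN = {"192.0.2.0/24": 64500, "198.51.100.0/24": 64501}

# Constructed updates: (time GMT, collector, peer AS, prefix, AS path).
# An AS path of None is a withdrawal.
UPDATES = [
    ("11:00:00", "rrc00", 64496, "192.0.2.0/24", [64496, 64500]),
    ("11:00:00", "route-views4", 48285, "192.0.2.0/24", [48285, 64510, 64500]),
    ("11:00:01", "route-views4", 48285, "198.51.100.0/24", [48285, 64510, 64501]),
    ("11:00:02", "route-views2", 64497, "198.51.100.0/24", [64497, 64501]),
    ("11:03:45", "route-views4", 48285, "192.0.2.0/24", [48285, 13214]),
    ("11:03:45", "route-views4", 48285, "198.51.100.0/24", [48285, 13214]),
    ("12:16:31", "route-views4", 48285, "192.0.2.0/24", [48285, 64510, 64500]),
    ("12:16:36", "route-views4", 48285, "192.0.2.0/24", [48285, 13214]),
    ("12:18:14", "route-views4", 48285, "192.0.2.0/24", [48285, 64510, 64500]),
    ("12:18:14", "route-views4", 48285, "198.51.100.0/24", [48285, 64510, 64501]),
]

def origin_conflicts(updates, expected, min_peers=2):
    """Replay updates in order. For each (prefix, unexpected origin) return the
    largest set of peers that held that origin simultaneously, and whether that
    set reaches the alert threshold."""
    rib = {}                 # (collector, peer AS, prefix) -> current origin AS
    peak = defaultdict(set)  # (prefix, origin) -> largest concurrent peer set
    for _ts, collector, peer, prefix, path in updates:
        key = (collector, peer, prefix)
        if path:
            rib[key] = path[-1]   # origin AS is the last hop of the AS path
        else:
            rib.pop(key, None)    # withdrawal: this peer no longer has a route
        origin, want = rib.get(key), expected.get(prefix)
        if want is None or origin is None or origin == want:
            continue
        # Peers whose current route for this prefix has the same wrong origin.
        now = {(c, p) for (c, p, pfx), o in rib.items()
               if pfx == prefix and o == origin}
        if len(now) > len(peak[(prefix, origin)]):
            peak[(prefix, origin)] = now
    return {k: {"peers": sorted(v), "alert": len(v) >= min_peers}
            for k, v in peak.items()}

if __name__ == "__main__":
    for (prefix, origin), r in origin_conflicts(UPDATES, EXPECTED_ORIGIN).items():
        print(prefix, "origin AS", origin, "peers", r["peers"], "alert", r["alert"])
```

With a threshold of 2, the single-peer leak in the sample is recorded but does not alert; with a threshold of 1 it does, which is the trade-off between the two kinds of user described above.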