Did AS13214 really hijack the Internet?

Posted by Andree Toonk - May 11, 2009 - Hijack - 1 Comment
This morning there was a discussion about a possible prefix hijack by AS13214 on the NANOG list. Cyclops users received a notification email notifying them that AS13214 was announcing their prefix.

I just went through some of the raw data and this is what I found. It seems it was picked up by the route-views4 collector only. None of the RIS peers seem to have seen this. This is also the reason why BGPmon.net users did not get notified, as BGPmon.net uses the RIS resources for BGP updates.

Looking at the raw BGP data from routeviews4 it seems that AS13214 leaked a full table (~266294 prefixes) with 13214 as OriginAS to AS48285, which is a routeviews4 peer. Routeviews4 saw these announcements as: ASpath 48285 13214.

It seems to have happened twice:

~ 11:03:45 GMT to 12:16:31 GMT (here AS48285 starts announcing a valid path to routeviews again).
Then a few seconds later again: ~ 12:16:36 GMT to 12:18:14 GMT

After that AS48285 announced ‘normal’ ASpath to routeviews again.

So it looks like it wasn’t a global hijack; it was only seen by one routeviews peer. This is a very similar event to the one we saw in November 2008: Prefix hijack by AS16735 or (Brazil Leak: If a tree falls in the rainforest).

This again shows that it’s hard to determine if an event is a ‘real’ hijack or not. Some will say it’s irrelevant; some want to be notified in all cases. Based on received feedback regarding the November 11 event, BGPmon.net implemented peer thresholds.
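
An added example, not BGPmon.net's or Cyclops's code: a peer threshold of the kind mentioned above, which counts how many distinct peers reported an unexpected origin for a monitored prefix before alerting. The prefixes, expected origins, extra peers and the threshold value are constructed assumptions; only the path 48285 13214 and the route-views4 collector come from the post.

```python
from collections import defaultdict

# Constructed monitoring config: documentation prefixes (RFC 5737) and
# documentation ASNs (RFC 5398) stand in for a user's real prefixes.
EXPECTED_ORIGIN = {"192.0.2.0/24": 64496, "198.51.100.0/24": 64497}

# (collector, peer_asn, prefix, as_path). Constructed sample updates; only
# "48285 13214" via route-views4 reflects what the post describes.
UPDATES = [
    ("route-views4", 48285, "192.0.2.0/24", "48285 13214"),
    ("route-views4", 48285, "198.51.100.0/24", "48285 13214"),
    ("rrc00", 64500, "192.0.2.0/24", "64500 64510 64496"),
    ("rrc01", 64501, "192.0.2.0/24", "64501 64496"),
    ("rrc00", 64500, "198.51.100.0/24", "64500 64497"),
]


def origin_of(as_path):
    """Right-most ASN in the path; None if empty or ending in an AS_SET."""
    hops = as_path.split()
    return int(hops[-1]) if hops and hops[-1].isdigit() else None


def origin_changes(updates, expected):
    """Map (prefix, seen_origin) -> set of (collector, peer) reporting it."""
    seen = defaultdict(set)
    for collector, peer, prefix, path in updates:
        origin = origin_of(path)
        if prefix in expected and origin is not None and origin != expected[prefix]:
            seen[(prefix, origin)].add((collector, peer))
    return seen


def alerts(updates, expected, min_peers):
    """Origin-change events reported by at least min_peers distinct peers."""
    return {
        event: sorted(peers)
        for event, peers in origin_changes(updates, expected).items()
        if len(peers) >= min_peers
    }


if __name__ == "__main__":
    print("threshold 1:", alerts(UPDATES, EXPECTED_ORIGIN, 1))
    print("threshold 2:", alerts(UPDATES, EXPECTED_ORIGIN, 2))  # assumed value
```

With a threshold of 1 the single-peer leak raises an alert for every monitored prefix; with 2 it is suppressed, which is the trade-off the post describes between being notified in all cases and ignoring events only one peer saw.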

One comment

  • They did it again, around 2009-07-28 08:30 UTC. Cyclops users received the notification from one monitor.

    Alert type: origin change
    Monitored ASN,prefix:
    Offending attribute:
    Date: 2009-07-28 08:30:26 UTC
    Duration: 00:00:01 (hh:mm:ss)
    No. monitors: 1
    Announced prefix:
    Announced ASPATH: 48285 13214
