Prefix hijack by AS16735
Many BGPmon.net users received a notification email regarding a possible prefix hijack. I just went over the data files manually and verified the leak. For those interested, let me share with you what I saw in the raw data. Between 01:55 UTC and 02:15 267947 distinct prefixes were originated from AS16735 (Companhia de Telecomunicacoes do Brasil Central), hence a full table 'leak'. After that more updates were detected. The last hijack update originated by AS16735 was received at 03:07 UTC. So the 'hijack' was there for about 75 minutes As far as I can see the only RIS collector who saw this hijack was the one in Sao Paulo, Brazil (PTTMetro-SP), there it was seen by a few RIS peers.
The reason that you received multiple email is that your prefix was detected as hijacked multiple times in 75 minutes. Multiple alarms in a 5 minutes interval are aggregated in one notification email. If the updates are detected after that 5 minutes another notification email is generated, this email possibly can have multiple updates as well. BGPmon tries not to sent to many notification by aggregating notifications, but at the same time we try to be sub-real time, i.e. 5 minutes interval. Hope that explains a bit about more about the notification email interval.
Example email as sent out earlier today:
You Receive this email because you are subscribed to BGPmon.net.
For more details about these updates please visit:
http://bgpmon.net/showupdates.php
====================
Possible Prefix Hijack (Code: 11)
1 number of peer(s) detected this updates for your prefix 142.231.0.0/16:
Update details: 2008-11-11 01:58 (UTC)
142.231.0.0/16
Announced by: AS16735 (Companhia de Telecomunicacoes do Brasil Central)
Transit AS: 22548 (Comite Gestor da Internet no Brasil)
ASpath: 22548 16735
====================
9 comments
If I’m not mistaken and I’ve heared right, when these things happen, the AS might have attracted so much traffic that it would fill up the links to external networks and loose BGP-sessions because of it. That’s why the announcements went a way and came back each time.
Yeah I think that might be a possible explanation, although I think BGP and other network control traffic always receive higher (QoS) priority. It would be interesting to know how much traffic was really attracted to AS16735 as the hijack was fairly local. It might not have been that much.
The hijack was indeed fairly local, it was detected by a few number of peers, meaning that these hijack updates didn’t propagate very far.
This event is actually very similar to one we saw in September when AS8997 “leaked” a full table with their AS as origin AS. This was also discussed on Nanog, see:
http://www.merit.edu/mail.archives/nanog/msg11667.html
[…] het internet annonceerde. Onlangs had ik mij voor mijn wergever zijn IP range ingeschreven op BGPmon en hun systeem werkt zeer goed, wegens het tijdsverschil had ik er anders nooit iets van gemarkt […]
[…] autônomos ou grandes operadoras de telecomunicações. Ainda de acordo com as análises do BGPmon e da Renesys, este problema durou aproximadamente 5 minutos. Mas, mesmo depois deste período, […]
[…] So looks like it wasn’t a global hijack, it was only seen by one routeview peer. This is a very similar event as the one we saw on November 11 2008. […]
There are certainly a lot of details like that to take into consideration. That is a great point to bring up. I offer the thoughts above as general inspiration but clearly there are questions like the one you bring up where the most important thing will be working in honest good faith. I don?t know if best practices have emerged around things like that, but I am sure that your job is clearly identified as a fair game. Both boys and girls feel the impact of just a moment?s pleasure, for the rest of their lives.
I’m not sure the place you’re getting your info, but great topic. I must spend some time studying much more or working out more. Thanks for magnificent information I was on the lookout for this information for my mission.
I liked the dress to begin with, but didn’t realize how figure flattering it was until I saw the pictures.