[nsp-sec] AS8997
Chris Morrow
morrowc at ops-netman.net
Tue Sep 23 00:50:50 EDT 2008
On Tue, 23 Sep 2008, Hank Nussbacher wrote:
> ----------- nsp-security Confidential --------
>
> On Tue, 23 Sep 2008, David Freedman wrote:
>
> I've been following this since last night when I saw a number of different
> prefixes from a number of different origin ASNs in Israel get hit and assumed
> it was a prefix hijacking test run since according to PHAS it was short
> lived.
>
> Now that others are seeing it, I guess it isn't only Israel being affected
> :-)
yes, turn off paranoia shield... :) Could this be:
1) PHAS mis-reporting? (I don't see my event in RIS nor route-views)
2) sneaky hijacking prepending RV and RIS ASN's such that loop-avoidance
removes the path from the monitors?
3) an as7007-type incident? (re-advertisment and removing origin-as)
Is there any way we can tell this was malicious vs thumbheavy ops work??
-Chris
More information about the nsp-security
mailing list