[nsp-sec] Why do a route hijack for 1 second?
Hank Nussbacher
hank at efes.iucc.ac.il
Mon Jul 20 01:51:47 EDT 2009
I have a strange case. It involves 147.237.234.0/24 and route hijacking
from AS31500 (AS1680 has no peering arrangement with AS31500). It started
on July 1 for 31 minutes and then quiet for 2 weeks and now we have seen
the following:
Date: 2009-07-17 11:02:06 UTC
Duration: 35sec
Date: 2009-07-18 00:27:05 UTC
Duration: 1sec
Date: 2009-07-19 00:27:18 UTC
Duration: 1sec
Date: 2009-07-20 00:26:55 UTC
Duration: 1sec
I am seeing this via Cyclops:
Alert type: next-hop change
No. monitors: 1
Announced ASPATH: 31500 1680
Only 1 monitor sees it which means it is very localized (probably in
Russia). But what would be the benefit of doing this next hop change for
just 1 second and clearly as a cron job to run every night? Any ideas?
Thanks,
Hank
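
Added example, not part of the original message: a Python sketch that checks the two things the report reasons about, using the alert values quoted above. It flags an AS next to the origin that is not a known neighbor, and it groups alerts that recur at about the same time of day. KNOWN_NEIGHBORS, the 120-second tolerance and the minimum run of 3 are assumptions made for illustration.

```python
from datetime import datetime

FMT, DAY = "%Y-%m-%d %H:%M:%S", 86400
# (UTC time, duration in seconds) copied from the alerts in the message above.
ALERTS = [("2009-07-17 11:02:06", 35), ("2009-07-18 00:27:05", 1),
          ("2009-07-19 00:27:18", 1), ("2009-07-20 00:26:55", 1)]
ANNOUNCED_ASPATH = "31500 1680"  # from the Cyclops alert; origin is rightmost
ORIGIN_AS = 1680
# Assumption: the origin's legitimate neighbors. Documentation ASNs (RFC 5398)
# stand in here as placeholders; substitute the real upstream/peer list.
KNOWN_NEIGHBORS = {64500, 64501}


def unexpected_neighbor(aspath, origin, known):
    """Return the AS adjacent to the origin if it is not a known neighbor."""
    hops = [int(a) for a in aspath.split()]
    while len(hops) > 1 and hops[-2] == origin:
        hops.pop(-2)  # collapse AS-path prepending of the origin
    if len(hops) < 2 or hops[-1] != origin:
        return None  # not a path ending at our origin; out of scope here
    return None if hops[-2] in known else hops[-2]


def scheduled_runs(alerts, tolerance_s=120, min_run=3):
    """Group alerts whose spacing is a whole number of days (+/- tolerance).

    Comparing gaps instead of clock times avoids the wrap at midnight and
    still links alerts when a day is skipped.
    """
    times = sorted(datetime.strptime(ts, FMT) for ts, _ in alerts)
    runs, current = [], times[:1]
    for prev, cur in zip(times, times[1:]):
        gap = int((cur - prev).total_seconds())
        drift = min(gap % DAY, DAY - gap % DAY)
        if gap > tolerance_s and drift <= tolerance_s:
            current.append(cur)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [cur]
    if len(current) >= min_run:
        runs.append(current)
    return runs


if __name__ == "__main__":
    print("unexpected neighbor AS:",
          unexpected_neighbor(ANNOUNCED_ASPATH, ORIGIN_AS, KNOWN_NEIGHBORS))
    for run in scheduled_runs(ALERTS):
        print("recurring at about the same time:",
              [t.strftime(FMT) for t in run])
```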