Home page logo

nanog logo nanog mailing list archives

Re: preventing future situations like panix
From: Thor Lancelot Simon <tls () netbsd org>
Date: Mon, 23 Jan 2006 15:52:16 -0500

On Mon, Jan 23, 2006 at 12:47:38PM -0700, Josh Karlin wrote:

Suspicious routes are those that originate at an AS that has not
originated the prefix in the last few days and those that introduce
sub-prefixes.  Sub-prefixes are always considered suspicious (~1 day)
and traffic will be routed to the super-prefix for the suspicious

So, if you consider the recent Cone-D hijacking incident, it seems to
me that:

1) Cone-D's announcement of _some_ of the prefixes they announced would
   have been considered "suspicious" -- but not all, since some of the
   prefixes in question were for former customers or peers who had only
   recently terminated their business arrangements with Cone-D.

2) Panix's first, obvious countermeasure aimed at restoring their
   connectivity -- announcing their own address space split in half --
   would *also* have been considered suspicious, since it gave two
   "sub-prefixes" of what Cone-D was hijacking.

Unless I misunderstand what you're proposing -- which is entirely possible,
in fact perhaps even likely -- it seems to me that it might well have done
at least as much harm as good.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]