On Mon, Jan 23, 2006 at 12:47:38PM -0700, Josh Karlin wrote:
Suspicious routes are those that originate at an AS that has not
originated the prefix in the last few days and those that introduce
sub-prefixes. Sub-prefixes are always considered suspicious (~1 day)
and traffic will be routed to the super-prefix for the suspicious
So, if you consider the recent Cone-D hijacking incident, it seems to
1) Cone-D's announcement of _some_ of the prefixes they announced would
have been considered "suspicious" -- but not all, since some of the
prefixes in question were for former customers or peers who had only
recently terminated their business arrangements with Cone-D.
2) Panix's first, obvious countermeasure aimed at restoring their
connectivity -- announcing their own address space split in half --
would *also* have been considered suspicious, since it gave two
"sub-prefixes" of what Cone-D was hijacking.
Unless I misunderstand what you're proposing -- which is entirely possible,
in fact perhaps even likely -- it seems to me that it might well have done
at least as much harm as good.