You might find a hijacked prefix advertised solely to a single asn at an ix where it peers, and this for the purpose of spamming to or otherwise attacking whoever owns the asn. Most of these targeted announcements might not even be visible to anyone else.
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Nick Hilliard <nick@foobar.org>
Sent: Friday, April 5, 2019 3:19 AM
To: Carlos Friaças
Cc: anti-abuse-wg@ripe.net; Ronald F. Guilmette
Subject: Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 89, Issue 15
Carlos Friaças via anti-abuse-wg wrote on 04/04/2019 21:58:
> On Thu, 4 Apr 2019, Ronald F. Guilmette wrote:
>> Wny have Tier 1 providers not stepped up and done a much better job
>> of policing hijacks better than they have done?
>
> Not all hijacks reach the so-called DFZ.
>
> "Partial visibility" hijacks can happen without touching any of the
> Tier-1s....
People generally hijack prefixes in order to make money. If hijacked
prefixes are not generally visible in the internet, then the value of
the hijacking is a good deal lower because the reach is smaller.
In order to stop something like hijacking from being a problem, you
don't need to make it impossible to perpetrate - you just need to reduce
the value to the point that it's not worth doing it.
What makes hijacking attractive is when transit service providers don't
filter ingress prefixes from their customers. The value of hijacking at
an IXP will be proportional to the size of the IXP and whether the IXP
has implemented filtering policies at their route servers. Direct
peering sessions are troublesome, as they generally don't implement
prefix filtering.
But transit providers are where the bulk of the problem lies, and where
efforts need to be concentrated in order to handle the issue. MANRS is
one part of this effort.
Nick