Couldn't attackers use the same techniques?
Attacker advertises 10.0.0.0/23, white hat advertises 10.0.0.0/24 & 10.0.0.1/24, attacker advertises 10.0.0.0/25, 10.0.0.128/25, 10.0.1.0/25, 10.0.0.1.128/25, and so on...
Attacker advertises 10.0.0.0/23, white hat advertises 10.0.0.0/24 & 10.0.0.1/24, attacker advertises 10.0.0.0/25, 10.0.0.128/25, 10.0.1.0/25, 10.0.0.1.128/25, and so on...