North American Network Operators Group

Re: Tracking spoofed routes?

Kevin,

>> I am seeking avenues to investigate a possible case of IP address spoofing.
>>
>> I've recently received complaints which suggest that in the recent
>> past (but not right now), somebody may have announced a more specific
>> prefix, effectively hijacking "unused" address space within our
>> allocated range.
>>
>> As it happens, the address space is not unused, just not visible on
>> the public Internet.
>>
>>
>> I am aware of route reflectors and other options to manually review
>> what prefixes are currently announced, but have not been able to find
>> a *searchable* archive of historical data, either overall BGP tables
>> or just "unusual" announcements. The closest thing I've found so far
>> is Route Views (http://www.routeviews.org/), however there is no
>> obvious way to search the (huge) archived data files for substring
>> matches?

We're involved in trying to build database front ends for the data so you can do just this sort of thing. But right now, we're a little stuck. One thing you might try is using BGPlay to watch what happens to your prefix.

>> Alternately, are there any existing mechanisms for monitoring route
>> announcements which can provide near real-time alerting when any
>> prefixes within specific subnet ranges are announced?

Not that I know of. You can log into route-views.routeviews.org and use the CLI to watch it, but that is a manual process.

Hope this helps,

Dave
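
An added example, not part of the original message: one way to search archived update files for the kind of announcement asked about above, assuming the MRT files from the Route Views archive have first been converted to text with `bgpdump -m`. The function name, prefixes and AS numbers are constructed for illustration (documentation ranges only).

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample in the one-line format printed by `bgpdump -m`
# (type|unix time|A/W|peer IP|peer AS|prefix|AS path|origin|next hop|...).
SAMPLE = """\
BGP4MP|1136073600|A|192.0.2.1|64496|198.51.100.0/24|64496 64500|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1136073660|A|192.0.2.1|64496|198.51.100.128/25|64496 64511|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1136073720|A|192.0.2.1|64496|203.0.113.0/24|64496 64499|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1136073780|W|192.0.2.1|64496|198.51.100.128/25
BGP4MP|1136073840|A|192.0.2.1|64496|198.51.100.0/24|64496 64510 {64511,64509}|IGP|192.0.2.1|0|0||NAG||
"""

def find_suspect_announcements(lines, allocations, expected_origins):
    """Return announcements inside our allocations that are more specific
    than the allocation or originated by an AS we do not expect."""
    nets = [ipaddress.ip_network(a) for a in allocations]
    hits = []
    for line in lines:
        f = line.strip().split("|")
        if len(f) < 7 or f[2] != "A":      # skip withdrawals and short lines
            continue
        try:
            ts = int(f[1])
            prefix = ipaddress.ip_network(f[5], strict=False)
        except ValueError:
            continue                        # unparsable timestamp or prefix
        path = f[6].split()
        origin = path[-1] if path else ""  # may be an AS_SET such as {1,2}
        for net in nets:
            if prefix.version != net.version or not prefix.subnet_of(net):
                continue
            more_specific = prefix.prefixlen > net.prefixlen
            foreign = origin not in expected_origins
            if more_specific or foreign:
                when = datetime.fromtimestamp(ts, tz=timezone.utc)
                hits.append({"time": when.isoformat(), "peer": f[3],
                             "prefix": str(prefix), "origin": origin,
                             "more_specific": more_specific,
                             "foreign_origin": foreign})
    return hits

if __name__ == "__main__":
    for hit in find_suspect_announcements(SAMPLE.splitlines(),
                                          ["198.51.100.0/24"], {"64500"}):
        print(hit)
```

Run over a stream of new updates instead of an archive, the same filter gives the per-prefix alerting asked about in the second question.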