North American Network Operators Group

Re: Tracking spoofed routes?
You can also see: http://bgp.lcs.mit.edu/ which has a searchable archive back to 2001 for several feeds. We're always interested in getting more feeds from folks to make this searchable archive more comprehensive.

thanks,
-Nick

On Wed, Jan 05, 2005 at 07:06:17AM -0800, David Meyer wrote:
>
> Kevin,
>
> >> I am seeking avenues to investigate a possible case of IP address spoofing.
> >>
> >> I've recently received complaints which suggest that in the recent
> >> past (but not right now), somebody may have announced a more specific
> >> prefix, effectively hijacking "unused" address space within our
> >> allocated range.
> >>
> >> As it happens, the address space is not unused, just not visible on
> >> the public Internet.
> >>
> >>
> >> I am aware of route reflectors and other options to manually review
> >> what prefixes are currently announced, but have not been able to find
> >> a *searchable* archive of historical data, either overall BGP tables
> >> or just "unusual" announcements. The closest thing I've found so far
> >> is Route Views (http://www.routeviews.org/), however there is no
> >> obvious way to search the (huge) archived data files for substring
> >> matches?
>
> We're involved in trying to build database front ends for
> the data so you can do just this sort of thing. But right
> now, we're a little stuck. One thing you might try is
> using BGPlay to watch what happens to your prefix.
>
> >> Alternately, are there any existing mechanisms for monitoring route
> >> announcements which can provide near real-time alerting when any
> >> prefixes within specific subnet ranges are announced?
>
> Not that I know of. You can log into
> route-views.routeviews.org and use the cli to watch it,
> but that is a manual process.
>
> Hope this helps,
>
> Dave
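
One way to search archived announcements for more-specifics inside an allocation, as an added example that is not part of the original thread or any poster's code. It assumes the archived MRT files have already been converted to one-line pipe-delimited text (type|timestamp|A/W/B|peer IP|peer AS|prefix|AS path|..., the layout `bgpdump -m` prints); the function names, sample lines, prefixes and AS numbers are constructed for illustration.

```python
import ipaddress

# Constructed sample in the pipe-delimited one-line format (assumed: `bgpdump -m`).
# Prefixes and AS numbers are documentation values, not real data.
SAMPLE = """\
BGP4MP|1104850000|A|192.0.2.1|64496|203.0.113.0/24|64496 64500|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1104850100|A|192.0.2.1|64496|203.0.113.128/25|64496 64511|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1104850200|A|192.0.2.1|64496|198.51.100.0/24|64496 64501|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1104850300|W|192.0.2.1|64496|203.0.113.128/25
BGP4MP|1104850400|A|192.0.2.1|64496|2001:db8:40::/48|64496 {64510,64511}|IGP|192.0.2.1|0|0||NAG||
truncated line
"""

def origin_of(as_path):
    """Origin AS = last path element; an AS_SET such as {1,2} stays a string."""
    last = (as_path.split() or [None])[-1]
    return int(last) if last and last.isdigit() else last

def find_suspect_announcements(lines, allocations, expected_origins):
    """Return announcements inside our allocations that are more specific than
    the allocation or come from an origin AS we do not expect."""
    nets = [ipaddress.ip_network(a) for a in allocations]
    hits = []
    for line in lines:
        f = line.strip().split("|")
        if len(f) < 7 or f[2] not in ("A", "B"):   # skip withdrawals and junk
            continue
        try:
            prefix = ipaddress.ip_network(f[5], strict=False)
        except ValueError:
            continue
        origin = origin_of(f[6])
        for net in nets:
            if prefix.version != net.version or not prefix.subnet_of(net):
                continue
            reasons = []
            if prefix.prefixlen > net.prefixlen:
                reasons.append("more-specific")
            if origin not in expected_origins:
                reasons.append("unexpected-origin")
            if reasons:
                hits.append((int(f[1]), str(prefix), origin, reasons))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_announcements(
            SAMPLE.splitlines(), ["203.0.113.0/24", "2001:db8::/32"], {64500}):
        print(hit)
```

Run over each archived dump in turn, the timestamps of the hits bracket when a covering more-specific was visible to that collector's peers.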