North American Network Operators Group


Re: community real-time BGP hijack notification service

  • From: Nathan Ward
  • Date: Fri Sep 12 09:28:11 2008

On 13/09/2008, at 1:14 AM, Christian Koch wrote:

Maybe a better idea would be if you were able to input your origin ASN
and define your upstreams and/or peers, to be alerted on as well. (i.e.:
Do not alert me on any paths containing 123_000, 456_000, 789_000).


Again, that is trivially easy to falsify.

My best quick hack solution so far is to fire off a traceroute and make sure that the traceroute gets ICMP TTL expire messages from IP addresses that are in prefixes originated from all the ASes in the ASPATH.
Still forgeable, but a bit more difficult. Still far from perfect, though.


--
Nathan Ward
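
The traceroute check described in the message above, sketched as an added example that is not part of the original post: it maps each responding hop to the AS originating its covering prefix and reports which ASes in the AS path never answered. The prefix table, ASNs, hop addresses and function names are constructed for illustration; a real table would come from a BGP dump.

```python
import ipaddress

# Constructed prefix -> origin AS table (documentation prefixes, private-use ASNs).
# Assumption: in practice this is built from a BGP table dump.
ORIGINS = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
    "203.0.113.128/25": 64503,
}


def origin_as(ip, origins=ORIGINS):
    """Longest-prefix match: return the AS originating the covering prefix, or None."""
    addr = ipaddress.ip_address(ip)
    best_len, best_asn = -1, None
    for prefix, asn in origins.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best_len, best_asn = net.prefixlen, asn
    return best_asn


def check_traceroute(as_path, hops, origins=ORIGINS):
    """Compare traceroute hops against the AS path of a route.

    as_path: ASNs as seen in the BGP update (prepends allowed).
    hops: source IPs of the ICMP TTL-exceeded replies; None for a timed-out hop.
    Returns (missing, unmapped): path ASes with no responding hop, and hop IPs
    that fall in no known prefix (e.g. RFC 1918 or exchange-point addresses).
    """
    seen, unmapped = set(), []
    for ip in hops:
        if ip is None:
            continue
        asn = origin_as(ip, origins)
        if asn is None:
            unmapped.append(ip)
        else:
            seen.add(asn)
    # dict.fromkeys collapses prepends while keeping path order
    missing = [asn for asn in dict.fromkeys(as_path) if asn not in seen]
    return missing, unmapped
```

A non-empty `missing` list means the forwarding path did not show every AS the announcement claims; hops that rate-limit or drop ICMP will also produce it.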