North American Network Operators Group


Re: community real-time BGP hijack notification service

  • From: Gadi Evron
  • Date: Fri Sep 12 09:30:06 2008

On Fri, 12 Sep 2008, Christian Koch wrote:
I've been using IAR and PHAS, but I've noticed IAR seems to work a
bit better and much faster. Recently we changed our ASN, and seconds
after we started announcing prefixes under the new ASN I received the
email alerts from IAR. I did not receive anything from PHAS. Although
I have in the past, PHAS seems to be unreliable at times.

As for alerting on AS_PATH changes, I think that more false alarms
would be generated given certain 'techniques' used to 're-route'
traffic to use the best available path. (Internap/FCP).

Maybe a better idea would be if you were able to input your origin asn
and define your upstreams and/or peers, to be alerted on as well. (ie:
Do not alert me on any paths containing 123_000, 456_000, 789_000).

To that I don't need to wait for Avi to land and reply: Absolutely, but that requires another weekend of hacking. :)



Christian

On Fri, Sep 12, 2008 at 8:49 AM, Nathan Ward <[email protected]> wrote:
On 12/09/2008, at 10:42 PM, Gadi Evron wrote:

Hi, WatchMy.Net is a new community service to alert you when your prefix
has been hijacked, in real-time.


Hi Gadi,

I just had a quick play with this, as I've been considering hacking together
something similar.

It is trivially easy for an attacker to falsify the origin AS. If 'they' are
not doing it already, then I'm quite surprised.
This isn't really a good thing to alarm on, in my opinion. Or, maybe it is,
but there should be big bold text explaining that it's not reliable as it's
trivially easy to falsify.

To be honest, I can't think of anything better, all the attributes you can
monitor can easily be falsified.

My best idea is looking at the AS_PATH for changes, and alerting whenever
that happens. You'd obviously get a different path whenever there is churn
in the network though. I'm sure there's a way to do this, and I suspect
having BGP feeds from many many places is the most reliable way for it to
happen, I just haven't figured out why yet.

This seems like a service that Renesys etc. could/should (or maybe do?)
offer, they seem well placed with all their BGP feeds..

--
Nathan Ward
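
The check discussed in this thread, as an added example that is not part of the original messages or of any service named in them: it alarms on an origin AS mismatch and, following Christian's suggestion of defining your upstreams, also on an unexpected AS directly adjacent to the origin, which covers the case Nathan raises where the origin itself is falsified. The prefixes, ASNs and sample announcements are constructed from documentation ranges.

```python
# Added example, not code from the thread. Prefixes and ASNs are constructed
# (RFC 5737 / RFC 5398 documentation ranges).
from ipaddress import ip_network

WATCHED = [ip_network("192.0.2.0/24")]   # prefixes we originate (assumed)
MY_ORIGIN = 64500                        # our origin ASN (assumed)
MY_UPSTREAMS = {64496, 64497}            # ASNs allowed directly before our origin

def collapse_prepends(as_path):
    """Drop consecutive duplicates so prepending does not look like a change."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def check_update(prefix, as_path):
    """Return an alert label for one announcement, or None if it looks expected."""
    net = ip_network(prefix)
    if not any(net.version == w.version and net.subnet_of(w) for w in WATCHED):
        return None                      # not our address space
    path = collapse_prepends(as_path)
    if not path:
        return None
    if path[-1] != MY_ORIGIN:
        return "ORIGIN_MISMATCH"         # the classic origin-AS alarm
    # Origin matches, but it can be forged: check who claims to be adjacent to us.
    if len(path) >= 2 and path[-2] not in MY_UPSTREAMS:
        return "UNEXPECTED_UPSTREAM"
    return None

# Constructed announcements as (prefix, AS_PATH seen at a collector).
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64511, 64496, 64500]),
    ("192.0.2.0/24", [64511, 64497, 64500, 64500, 64500]),
    ("192.0.2.0/24", [64511, 64510]),
    ("192.0.2.0/24", [64511, 64510, 64500]),
    ("203.0.113.0/24", [64511, 64510]),
]

def scan(updates):
    """Return (prefix, as_path, alert) for every announcement that raises an alert."""
    return [(p, a, r) for p, a in updates if (r := check_update(p, a))]

if __name__ == "__main__":
    for prefix, path, alert in scan(SAMPLE_UPDATES):
        print(alert, prefix, " ".join(map(str, path)))
```

The adjacency check only narrows what passes silently; as Nathan notes, every attribute in the path can be falsified, so a clean result is not proof that an announcement is legitimate.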