Re: Prefix Hijack Tool Comaprision

• From: Danny McPherson
• Date: Thu Nov 13 16:09:53 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

as such, i don't count it as a hijacking or leak of any great
significance and wouldn't want to alert anyone about it.  that's why i
recommend that prefix hijacking detection systems do thresholding of
peers to prevent a single, rogue, unrepresentative peer from reporting
a hijacking when none is really happening.  others may have a
different approach, but without thresholding prefix alert systems can
be noisy and more trouble than they are worth.

While I agree that this incident didn't appear to much impact
anyone beyond CTBC and their customers (where we very clearly
impacted considerably), I would contend that ANY time anyone
asserts reachability of another ASNs address space the owner
of that space should be alerted.

IMO, if an actual intentional targeted attack were to be launched,
versus, say, the slew of accidental leaks we mostly see, then it
may very well be scoped to some insignificant corner of the Internet,
as close to the targets as possible - that's precisely what I'd do
if I were to launch such an attack....

Now, if the goal is denial of service or a leak, sure, it'll
likely propagate much wider - and be detected much quicker.

• References:
  • Re: Prefix Hijack Tool Comaprision Alexander Harrowell
  • Re: Prefix Hijack Tool Comaprision Todd Underwood

• Prev by Date: Re: Prefix Hijack Tool Comaprision
• Next by Date: Re: NANOG Digest, Vol 10, Issue 46
• Date Index
• Thread Index
• Author Index
• Historical