nanog mailing list archives
Re: community real-time BGP hijack notification service
From: Gadi Evron <ge () linuxbox org>
Date: Fri, 12 Sep 2008 08:27:29 -0500 (CDT)
On Fri, 12 Sep 2008, Christian Koch wrote:
I've been using IAR and PHAS, but I've noticed IAR seems to work a bit better and much faster. Recently we changed our ASN, and seconds after we started announcing prefixes under thew new ASN I received the email alerts from IAR. I did not receive anything from PHAS. Although I have in the past, PHAS seems to be unreliable at times. As for alerting on AS_PATH changes, I think that more false alarms would be generated given certain 'techniques' used to 're-route' traffic to use the best available path. (Internap/FCP). Maybe a better idea would be if you were able to input your origin asn and define your upstreams and/or peers, to be alerted on as well. (ie: Do not alert me on any paths containing 123_000, 456_000, 789_000).
To that I don't need to wait for Avi to land and reply: Absolutely, but that requires another weekend of hacking. :)
Christian On Fri, Sep 12, 2008 at 8:49 AM, Nathan Ward <nanog () daork net> wrote:On 12/09/2008, at 10:42 PM, Gadi Evron wrote:Hi, WatchMy.Net is a new community service to alert you when your prefix has been hijacked, in real-time.Hi Gadi, I just had a quick play with this, as I've been considering hacking together something similar. It is trivially easy for an attacker to falsify the origin AS. If 'they' are not doing it already, then I'm quite surprised. This isn't really a good thing to alarm on, in my opinion. Or, maybe it is, but there should be big bold text explaining that it's not reliable as it's trivially easy to falsify. To be honest, I can't think of anything better, all the attributes you can monitor can easily be falsified. My best idea is looking at the AS_PATH for changes, and alerting whenever that happens. You'd obviously get a different path whenever there is churn in the network though. I'm sure there's a way to do this, and I suspect having BGP feeds from many many places is the most reliable way for it to happen, I just haven't figured out why yet. This seems like a service that Renesys etc. could/should (or maybe do?) offer, they seem well placed with all their BGP feeds.. -- Nathan Ward
Current thread:
- community real-time BGP hijack notification service Gadi Evron (Sep 12)
- Re: community real-time BGP hijack notification service Arnaud de Prelle (Sep 12)
- Re: community real-time BGP hijack notification service Gadi Evron (Sep 12)
- Re: community real-time BGP hijack notification service Nathan Ward (Sep 12)
- Re: community real-time BGP hijack notification service Christian Koch (Sep 12)
- Re: community real-time BGP hijack notification service Nathan Ward (Sep 12)
- Re: community real-time BGP hijack notification service Christian Koch (Sep 12)
- Re: community real-time BGP hijack notification service Gadi Evron (Sep 12)
- Re: community real-time BGP hijack notification service Christian Koch (Sep 12)
- Re: community real-time BGP hijack notification service Gadi Evron (Sep 12)
- Re: community real-time BGP hijack notification service Andy Davidson (Sep 12)
- Re: community real-time BGP hijack notification service Arnaud de Prelle (Sep 12)
- Re: community real-time BGP hijack notification service Matthew Moyle-Croft (Sep 12)
- Re: community real-time BGP hijack notification service Nathan Ward (Sep 12)
- Re: community real-time BGP hijack notification service Matthew Moyle-Croft (Sep 13)
- Re: community real-time BGP hijack notification service Randy Bush (Sep 13)
- Re: community real-time BGP hijack notification service Nathan Ward (Sep 13)
- Re: community real-time BGP hijack notification service Arnaud de Prelle (Sep 12)
- Re: community real-time BGP hijack notification service Hank Nussbacher (Sep 14)
- Message not available
- Message not available
- RE: community real-time BGP hijack notification service Hank Nussbacher (Sep 14)