nanog mailing list archives

Re: BGP IP prefix hijack detection times


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 28 Feb 2017 00:47:07 -0500

On Tue, Feb 28, 2017 at 12:15 AM, Nagarjun Govindraj <nagarjun.govindraj () imaginea com> wrote:


Well, the idea behind the mail was to know if anyone in the community is
doing real time BGP IP prefix hijacking detection.
Like the Artemis detection tool claims to detect in 1.4 ~ 3.1 minutes.
So I wanted to know if anyone in the community is using such tools for
detecting hijacks, and if yes, how much time the system takes to detect.


My guess is: "yes, people are struggling through hijack detection problems"
and: "1-3 minutes isn't as important as the time spent figuring out: 1) is
the alert real (this time!), 2) what will you do about it?"

Then you sink time into: "Hey remote peer of not me, could you stop
accepting the prefix X/y from your 'customer' because .. clearly they are
not me..."

Also, maybe time to push for more RPKI deployment so you can say: "Hey peer
of not me out there in the world, you note that I've a signed certificate
from $RIR attesting that I'm the proper user of prefix X/y and I've created
and published ROA data saying the proper origin-as for X/y is M... your
customer isn't M... so, yea, please stop accepting that prefix from them?
Kthxbi!"

You may ALSO want to ask: "So, about that customer (and all your other
customers) you DO have bgp prefix filters on their sessions, right? because
the year is 2017 and that is ... table-stakes for operating a part of the
global internet now... right?"

-chris



Regards,
Nagarjun

On Mon, Feb 27, 2017 at 10:59 PM Nick Hilliard <nick () foobar org> wrote:

Christopher Morrow wrote:
Also: "How reliable are the alerts being sent?"

also: do the smtp servers which handle mail for the domain of the
alerting email address use the IP address space as they're notifying
about?

Nick
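The RPKI check Chris describes above ("I've published ROA data saying the proper origin-as for X/y is M... your customer isn't M") is Route Origin Validation as specified in RFC 6811. The following is an added example, not code from anyone in this thread: it evaluates received announcements against a small set of ROAs and flags the ones a monitor would alert on. The ROAs, prefixes (RFC 5737 documentation space) and AS numbers (private-use range) are constructed sample data, and the `rov_state` / `flag_invalid_routes` function names are my own.

```python
"""Route Origin Validation (RFC 6811) against a local set of ROAs.

Added example for the thread above; the sample ROAs and announcements are
constructed and do not describe any real network.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class RovState(Enum):
    VALID = "valid"          # a covering ROA matches origin AS and maxLength
    INVALID = "invalid"      # covering ROAs exist but none matches
    NOT_FOUND = "not-found"  # no ROA covers the prefix; RPKI says nothing


@dataclass(frozen=True)
class Roa:
    prefix: str       # ROA prefix as published, e.g. "192.0.2.0/24"
    max_length: int   # longest more-specific the origin may announce
    origin_as: int    # the authorised origin AS ("M" in Chris's mail)


# Constructed sample ROAs: documentation prefixes, private-use ASNs.
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64501),   # allows /22 .. /24 from AS64501
]


def _covers(roa, announced):
    """True if the ROA prefix is equal to or less specific than the route."""
    roa_net = ipaddress.ip_network(roa.prefix, strict=True)
    if roa_net.version != announced.version:
        return False
    return announced.subnet_of(roa_net)


def rov_state(roas, prefix, origin_as):
    """Classify one (prefix, origin AS) pair per RFC 6811 section 2."""
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if _covers(r, announced)]
    if not covering:
        return RovState.NOT_FOUND
    # Any single covering ROA that matches makes the route Valid; the
    # announced length must also not exceed that ROA's maxLength.
    for roa in covering:
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return RovState.VALID
    return RovState.INVALID


def flag_invalid_routes(roas, observed):
    """Return (prefix, origin_as, seen_from) for every RPKI-Invalid route.

    `observed` is a list of (prefix, origin_as, seen_from) tuples, e.g. as a
    route collector or looking glass would report them. Invalid means a ROA
    covers the prefix but no ROA authorises this origin at this length; that
    is the case worth an alert, though (as the thread notes) a stale ROA or
    a misconfigured origin produces the same state as a deliberate hijack.
    """
    return [
        (prefix, origin_as, seen_from)
        for prefix, origin_as, seen_from in observed
        if rov_state(roas, prefix, origin_as) is RovState.INVALID
    ]


# Constructed observations: the legitimate origin, a foreign origin for the
# same prefix, an over-long more-specific, and a prefix no ROA covers.
SAMPLE_OBSERVED = [
    ("192.0.2.0/24", 64500, "peer-A"),
    ("192.0.2.0/24", 64666, "peer-B"),       # origin is not M: Invalid
    ("198.51.100.0/25", 64501, "peer-A"),    # right AS, exceeds maxLength
    ("203.0.113.0/24", 64500, "peer-C"),     # no ROA: NotFound, not flagged
]

if __name__ == "__main__":
    for route in flag_invalid_routes(SAMPLE_ROAS, SAMPLE_OBSERVED):
        print("RPKI-Invalid:", route)
```

Note that NotFound routes are deliberately not flagged: without a ROA the RPKI has no opinion, which is exactly why the thread pushes for more ROA coverage, and it is also why an "Invalid" result needs the "is the alert real?" step before anyone contacts a remote peer.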



