Prefix Hijack Tool Comaprision

Jack Bates jbates at brightok.net
Thu Nov 13 14:33:06 CST 2008


Todd Underwood wrote:
> i said that *this* hijacking took place in an insignificant corner of
> the internet.  i mean this AS-map wise rather than geographically.
> this hijacking didn't even spread beyond one or two ASes, one of whom
> just happened to be a RIPE RIS peer.  
> 

Yet for someone monitoring from their own perspective, what matters to 
them is what their own AS is seeing. If a hijacking makes it to their 
AS, they want to be concerned.

> real hijackings leak into dozens or hundreds or thousands of ASNs.
> they spread far and wide.  that's why people carry them out, when they
> do.  this one was stopped in its tracks in a very small portion of one
> corner of the AS graph.  
> 

Wasn't there a dns hijack not long ago that only had the scope of one 
ISP (who just happened to be extremely large and carried a bunch of cell 
phones)? Just because a hijack only covers a small portion of the net 
doesn't make it any less effective. This is why we push to get as many 
access controls as far out to the edge as possible. If it only effects 
the person who tries it, then it has no bearing.

> as such, i don't count it as a hijacking or leak of any great
> significance and wouldn't want to alert anyone about it.  that's why i
> recommend that prefix hijacking detection systems do thresholding of
> peers to prevent a single, rogue, unrepresentative peer from reporting
> a hijacking when none is really happening.  others may have a
> different approach, but without thresholding prefix alert systems can
> be noisy and more trouble than they are worth.

Thresholds might be important, but different mileage, yada yada.

Jack




More information about the NANOG mailing list