community real-time BGP hijack notification service

Christian Koch christian at broknrobot.com
Fri Sep 12 13:14:35 UTC 2008


I've been using IAR and PHAS, but I've noticed IAR seems to work a
bit better and much faster. Recently we changed our ASN, and seconds
after we started announcing prefixes under the new ASN I received the
email alerts from IAR. I did not receive anything from PHAS. Although
I have in the past, PHAS seems to be unreliable at times.

As for alerting on AS_PATH changes, I think that more false alarms
would be generated given certain 'techniques' used to 're-route'
traffic to use the best available path. (Internap/FCP).

Maybe a better idea would be if you were able to input your origin ASN
and define your upstreams and/or peers, to be alerted on as well. (i.e.:
Do not alert me on any paths containing 123_000, 456_000, 789_000).


Christian

On Fri, Sep 12, 2008 at 8:49 AM, Nathan Ward <nanog at daork.net> wrote:
> On 12/09/2008, at 10:42 PM, Gadi Evron wrote:
>
>> Hi, WatchMy.Net is a new community service to alert you when your prefix
>> has been hijacked, in real-time.
>
>
> Hi Gadi,
>
> I just had a quick play with this, as I've been considering hacking together
> something similar.
>
> It is trivially easy for an attacker to falsify the origin AS. If 'they' are
> not doing it already, then I'm quite surprised.
> This isn't really a good thing to alarm on, in my opinion. Or, maybe it is,
> but there should be big bold text explaining that it's not reliable as it's
> trivially easy to falsify.
>
> To be honest, I can't think of anything better, all the attributes you can
> monitor can easily be falsified.
>
> My best idea is looking at the AS_PATH for changes, and alerting whenever
> that happens. You'd obviously get a different path whenever there is churn
> in the network though. I'm sure there's a way to do this, and I suspect
> having BGP feeds from many many places is the most reliable way for it to
> happen, I just haven't figured out why yet.
>
> This seems like a service that Renesys etc. could/should (or maybe do?)
> offer, they seem well placed with all their BGP feeds..
>
> --
> Nathan Ward
>
>
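Added example, not part of the original thread or of IAR, PHAS or WatchMy.Net: a sketch of the check Christian suggests, where the operator configures the origin ASN plus the expected upstreams/peers and an alert fires when a monitored prefix shows up with a different origin, as a more-specific, or with an unexpected AS next to the origin. The prefixes, ASNs, vantage-point names and function names are constructed (documentation ranges); the check does not prove that a path is genuine.

```python
import ipaddress

# Constructed configuration: documentation prefix (RFC 5737) and ASNs (RFC 5398).
MONITORED = {
    "198.51.100.0/24": {"origin": 64500, "neighbors": {64501, 64502}},
}

def collapse_prepends(as_path):
    """Drop consecutive duplicate ASNs so prepending is not seen as a new hop."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def classify(prefix, as_path, monitored=MONITORED):
    """Return (verdict, detail) for one announcement, or None if unrelated."""
    net = ipaddress.ip_network(prefix)
    path = collapse_prepends(as_path)
    for cfg_prefix, cfg in monitored.items():
        mine = ipaddress.ip_network(cfg_prefix)
        if net.version != mine.version or not net.subnet_of(mine):
            continue  # announcement does not cover our address space
        if not path:
            return ("alert", "empty AS_PATH")
        if path[-1] != cfg["origin"]:
            return ("alert", f"origin AS{path[-1]} is not AS{cfg['origin']}")
        if net != mine:
            return ("alert", f"more-specific {net} of {mine}")
        if len(path) >= 2 and path[-2] not in cfg["neighbors"]:
            return ("alert", f"AS{path[-2]} is not a configured upstream/peer")
        return ("ok", "expected origin and neighbor")
    return None

SAMPLE_FEED = [  # constructed observations: (vantage point, prefix, AS_PATH)
    ("rc1", "198.51.100.0/24", [64510, 64501, 64500, 64500, 64500]),  # prepended
    ("rc2", "198.51.100.0/24", [64511, 64509, 64500]),  # right origin, odd neighbor
    ("rc3", "198.51.100.0/24", [64511, 64508]),         # different origin
    ("rc4", "198.51.100.128/25", [64510, 64502, 64500]),  # more-specific
    ("rc5", "203.0.113.0/24", [64510, 64507]),          # not our prefix
]

def alerts(feed):
    hits = []
    for vantage, prefix, path in feed:
        verdict = classify(prefix, path)
        if verdict and verdict[0] == "alert":
            hits.append((vantage, prefix, verdict[1]))
    return hits
```

Because prepends are collapsed before comparison, ordinary traffic-engineering prepending by the origin does not raise an alert, which addresses part of the false-alarm concern raised above.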




More information about the NANOG mailing list