community real-time BGP hijack notification service

Gadi Evron ge at linuxbox.org
Fri Sep 12 08:27:29 CDT 2008


On Fri, 12 Sep 2008, Christian Koch wrote:
> I've been using IAR and PHAS, but I've noticed IAR seems to work a
> bit better and much faster. Recently we changed our ASN, and seconds
> after we started announcing prefixes under the new ASN I received the
> email alerts from IAR. I did not receive anything from PHAS. Although
> I have in the past, PHAS seems to be unreliable at times.
>
> As for alerting on AS_PATH changes, I think that more false alarms
> would be generated given certain 'techniques' used to 're-route'
> traffic to use the best available path. (Internap/FCP).
>
> Maybe a better idea would be if you were able to input your origin asn
> and define your upstreams and/or peers, to be alerted on as well. (ie:
> Do not alert me on any paths containing 123_000, 456_000, 789_000).

To that I don't need to wait for Avi to land and reply: Absolutely, but 
that requires another weekend of hacking. :)


> Christian
>
> On Fri, Sep 12, 2008 at 8:49 AM, Nathan Ward <nanog at daork.net> wrote:
>> On 12/09/2008, at 10:42 PM, Gadi Evron wrote:
>>
>>> Hi, WatchMy.Net is a new community service to alert you when your prefix
>>> has been hijacked, in real-time.
>>
>>
>> Hi Gadi,
>>
>> I just had a quick play with this, as I've been considering hacking together
>> something similar.
>>
>> It is trivially easy for an attacker to falsify the origin AS. If 'they' are
>> not doing it already, then I'm quite surprised.
>> This isn't really a good thing to alarm on, in my opinion. Or, maybe it is,
>> but there should be big bold text explaining that it's not reliable as it's
>> trivially easy to falsify.
>>
>> To be honest, I can't think of anything better, all the attributes you can
>> monitor can easily be falsified.
>>
>> My best idea is looking at the AS_PATH for changes, and alerting whenever
>> that happens. You'd obviously get a different path whenever there is churn
>> in the network though. I'm sure there's a way to do this, and I suspect
>> having BGP feeds from many many places is the most reliable way for it to
>> happen, I just haven't figured out why yet.
>>
>> This seems like a service that Renesys etc. could/should (or maybe do?)
>> offer, they seem well placed with all their BGP feeds..
>>
>> --
>> Nathan Ward
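The two detection ideas in the thread (Nathan's "alert on AS_PATH change, but churn will trigger it" and Christian's "let me declare my origin ASN and my upstreams/peers so paths through them are not alerted on") can be combined into one filter. The following is an added example written for this page; it is not code from WatchMy.Net, IAR or PHAS, and every ASN, prefix and collector name in it is a constructed sample value. It also folds in Nathan's caveat that the origin AS is trivial to forge: when the origin matches but the AS sitting next to it is not a declared upstream, that is reported too, since a forged origin still leaves the announcing AS adjacent to it in the path.

```python
"""Toy BGP route-alert filter (added example, not part of the NANOG thread).

Rules applied to each route seen from a collector:
  1. origin ASN differs from the expected one            -> alert
  2. origin matches but the AS adjacent to the origin is
     not a declared upstream/peer                        -> alert (forged-origin case)
  3. AS_PATH differs from the last one seen at this
     collector, but rules 1 and 2 pass                   -> churn via declared upstreams, no alert
All ASNs, prefixes and collector names below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class MonitoredPrefix:
    """Operator-supplied description of one prefix (the 'input your origin asn and upstreams' idea)."""
    prefix: str
    origin_asn: int                      # the ASN that should originate the prefix
    trusted_asns: frozenset[int]         # declared upstreams/peers; paths through them are expected
    last_path: dict[str, tuple[int, ...]] = field(default_factory=dict)  # last AS_PATH per collector


def collapse_prepends(as_path: tuple[int, ...]) -> tuple[int, ...]:
    """Drop consecutive repeats so AS_PATH prepending does not register as a path change."""
    out: list[int] = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def check_update(mon: MonitoredPrefix, collector: str, as_path: tuple[int, ...]) -> dict:
    """Evaluate one observed route.

    as_path is in wire order: leftmost = AS nearest the collector, rightmost = origin.
    Returns {"alerts": [...], "path_changed": bool}; an empty alert list with
    path_changed=True is the 'churn through a declared upstream' case.
    """
    alerts: list[str] = []
    path = collapse_prepends(as_path)
    if not path:
        return {"alerts": [f"{mon.prefix}: empty AS_PATH from {collector}"], "path_changed": False}

    origin = path[-1]
    if origin != mon.origin_asn:
        # Rule 1: classic origin mismatch (may also be an attacker using its own ASN)
        alerts.append(f"{mon.prefix}: originated by AS{origin} at {collector}, "
                      f"expected AS{mon.origin_asn}")
    elif len(path) >= 2 and path[-2] not in mon.trusted_asns:
        # Rule 2: origin looks right but the neighbour is not one of ours
        alerts.append(f"{mon.prefix}: reached via undeclared neighbour AS{path[-2]} at {collector}")

    # Rule 3: remember the path per collector; a change that passed rules 1 and 2 is not alerted
    previous = mon.last_path.get(collector)
    mon.last_path[collector] = path
    return {"alerts": alerts, "path_changed": previous is not None and previous != path}


if __name__ == "__main__":
    # Constructed walk-through: AS65001 originates 192.0.2.0/24 behind upstreams AS65010/AS65020
    mon = MonitoredPrefix("192.0.2.0/24", 65001, frozenset({65010, 65020}))
    for collector, path in [
        ("rc1", (65100, 65010, 65001, 65001)),   # normal, with prepending
        ("rc1", (65200, 65020, 65001)),          # churn to the other upstream: no alert
        ("rc1", (65100, 65666, 65001)),          # origin forged, undeclared neighbour: alert
        ("rc2", (65300, 65666)),                 # different origin: alert
    ]:
        print(collector, path, check_update(mon, collector, path))
```

Per-collector state is what makes rule 3 usable across "many many places": a path change at one collector is compared only with that collector's previous view, so ordinary regional churn does not trip alerts elsewhere. The declared-upstream list is the knob Christian asked for; if an operator's traffic is legitimately re-routed through a provider that is not on that list, rule 2 will fire and the list needs updating rather than the alert being ignored.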