Tracking spoofed routes?
dmm at 1-4-5.net
Wed Jan 5 15:06:17 UTC 2005
>> I am seeking avenues to investigate a possible case of IP address spoofing.
>> I've recently received complaints which suggest that in the recent
>> past (but not right now), somebody may have announced a more specific
>> prefix, effectively hijacking "unused" address space within our
>> allocated range.
>> As it happens, the address space is not unused, just not visible on
>> the public Internet.
>> I am aware of route reflectors and other options to manually review
>> what prefixes are currently announced, but have not been able to find
>> a *searchable* archive of historical data, either overall BGP tables
>> or just "unusual" announcements. The closest thing I've found so far
>> is Route Views (http://www.routeviews.org/), however there is no
>> obvious way to search the (huge) archived data files for substring
We're involved in trying to build database front ends for
the data so you can do just this sort of thing. But right
now, we're a little stuck. One thing you might try is
using BGPlay to watch what happens to your prefix.
>> Alternately, are there any existing mechanisms for monitoring route
>> announcements which can provide near real-time alerting when any
>> prefixes within specific subnet ranges are announced?
Not that I know of. You can log into
route-views.routeviews.org and use the cli to watch it,
but that is a manual process.
Hope this helps,
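As an added example (not part of this thread and not code from Route Views or BGPlay), the kind of check the question is asking for: given the prefix you own and the origin AS you expect, scan "prefix as-path" lines and flag any more-specific prefix or unexpected origin inside your range. The sample lines are constructed; a real feed would be a collector table dump parsed into that shape.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample "prefix  AS-path" lines (RFC 5737 addresses, private
# ASNs); they stand in for a parsed collector dump, not real Route Views data.
SAMPLE_ROUTES = """\
192.0.2.0/24 64496 64500
192.0.2.128/25 64497 64511
198.51.100.0/24 64498 64502
192.0.2.0/24 64499 64503
""".splitlines()

def parse_route(line: str) -> Optional[Tuple[ipaddress._BaseNetwork, int]]:
    """Return (network, origin_as) from a 'prefix as-path' line, or None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        net = ipaddress.ip_network(parts[0], strict=False)
        origin = int(parts[-1])          # origin AS is the last hop of the path
    except ValueError:
        return None
    return net, origin

def find_hijacks(lines: Iterable[str], owned: str,
                 expected_origin: int) -> List[Tuple[str, int, str]]:
    """Flag announcements inside `owned` that are more specific than it,
    or that cover it exactly but come from an unexpected origin AS."""
    owned_net = ipaddress.ip_network(owned)
    alerts = []
    for line in lines:
        parsed = parse_route(line)
        if parsed is None:
            continue
        net, origin = parsed
        # Skip other address families and anything outside our range.
        if net.version != owned_net.version or not net.subnet_of(owned_net):
            continue
        if net.prefixlen > owned_net.prefixlen:
            alerts.append((str(net), origin, "more-specific"))
        elif origin != expected_origin:
            alerts.append((str(net), origin, "unexpected-origin"))
    return alerts

if __name__ == "__main__":
    for prefix, origin, reason in find_hijacks(SAMPLE_ROUTES, "192.0.2.0/24", 64500):
        print(f"ALERT {reason}: {prefix} originated by AS{origin}")
```

Run against periodic dumps (or a live session's output) and the diff between runs is your near-real-time alert.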