Tracking spoofed routes?
simon at limmat.switch.ch
Thu Jan 6 13:23:33 UTC 2005
Arife Vural writes:
[in response to Florian Frotzler <florian.frotzler at gmx.at>:]
>> To my knowledge, the myas-tool/-service from RIPE NCC is kind of
>> doing what you like to achive.
> MyASN is working on user-based. To get the alarm for unexpected
> routing patterns, you should set it up an account beforehand.
I have been using MyASN for half a year, and it is quite nice.
Setting it up required typing all our customer routes into Web forms,
which was somewhat tedious, but now I receive alerts in almost real
time as soon as someone tries to "highjack" our routes or announces
For example, there was a large-scale incident on 24 December 2004 (see
e.g. http://www.merit.edu/mail.archives/nanog/msg03827.html). It
started shortly before 09:20 UTC, and at 09:59 UTC I received an alert
from MyASN that some of our customer routes were announced from
another AS. This is very respectable, especially since the system
must have been very heavily loaded at that time, because of the sheer
number of BGP updates and the number of potential alerts (MOST
prefixes were highjacked at some point during that day).
> I think for Kevin's situation, we have other tools. One is called,
> "Search by Prefix" and other one is BGPlay. Both tools are running
> over last 3 months routing data.
One problem is that Kevin is looking for an announcement of a *more
specific* prefix from his space. BGPlay only supports queries on
exact prefixes I think.
The "Search by Prefix" tool seems to be ideal for Kevin's application
> URL for those tools,
More information about the NANOG