Revealed: The Internet's well known BGP behavior

Joe Greco jgreco at ns.sol.net
Sat Aug 30 13:26:47 UTC 2008


> On 30/08/2008, at 9:58 AM, Florian Weimer wrote:
> 
> > * Alex Pilosov:
> >
> >> We've demonstrated ability to monitor traffic to arbitrary
> >> prefixes. Slides for presentation can be found here:
> >> http://eng.5ninesdata.com/~tkapela/iphd-2.ppt
> >
> > The interesting question is whether it's acceptable to use this trick
> > for non-malicious day-to-day traffic engineering.
> 
> The technique of path stuffing ASes who you do not want to receive an  
> announcement is called AS PATH poisoning. It's a fairly well known  
> trick.

Not exactly specifically in reply to your note, but more generally:

In the old days, Usenet spammers would sometimes preload the Path: line
with names of NNTP transits that they might want to avoid for various
reasons (usually the home sites of Usenet spam cancellers).

In most ways, avoiding offering an article back to a server because it
was already listed in the Path: was merely an optimization, to avoid
extra traffic on a futile offer.  However, simply removing the exclusion
allowed the sending site to attempt the transmission, which would then
succeed if the receiving site had not seen the article (etc).

For purposes of detection, then, it seems reasonable to consider that
there could be some way to leverage BGP to monitor for this sort of 
thing.  There would seem to be at least two very interesting things
that you could monitor for, which would be irregularities in the
ASPATH, and irregularities in your announced prefixes.  

Since major networks would need to be involved for significant traffic
redirection events, I'm wondering if it would be reasonable to have a
looking glass/route server type service that would peer with a bunch
of them, based on random 32-bit ASNs assigned from a preallocated
range for the purpose, one per network (think: reducing effectiveness
of AS PATH stuffing).  You could then provide a configurable notification
service, or for sites with the technical capabilities, a realtime BGP 
feed of all events involving their AS or prefixes (again over a randomly
assigned 32-bit ASN, and obviously to some off-net IP where they run a
monitoring box, so that a prefix hijack is ineffective).

Such a service would seem like it would be generally useful for other
purposes as well.  There's almost certainly some fatal flaw in this
idea, or maybe better yet, some obvious improvements that could be made,
so for the BGP gurus out there, what are they?

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
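The post above sketches a monitoring service that watches a BGP feed for two classes of event: irregularities in the AS_PATH and irregularities in a customer's announced prefixes. The following is an added example of what the detection side of such a service could look like; it is not code from the post or from NANOG, and every value in it is constructed. It assumes a monitor that peers under its own never-originating 32-bit ASN (here the hypothetical `MONITOR_ASN`), a table of watched prefixes with their expected origin ASNs, and a stream of UPDATEs already decoded into (peer, prefix, AS_PATH) tuples. The checks flag: a more-specific announced inside a watched prefix, a watched prefix originated by the wrong ASN, the owner's ASN appearing as a transit hop for its own prefix, the monitor's own ASN showing up in any path (it announces nothing, so it can only have been stuffed in), and an ASN repeating non-contiguously (ordinary prepending repeats an ASN contiguously).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed configuration for a hypothetical monitoring service of the kind the
# post describes. None of these values comes from the mailing-list message.
MONITOR_ASN = 4200000001  # the service's own randomly assigned, never-originating ASN

# Prefixes a customer asked us to watch, keyed to the ASN expected to originate them.
MONITORED_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64501,
}


@dataclass(frozen=True)
class Update:
    """One BGP UPDATE as seen by the monitor: the peer that sent it, the NLRI
    prefix, and the AS_PATH with the peer leftmost and the origin AS rightmost."""
    peer_asn: int
    prefix: str
    as_path: Tuple[int, ...]


def covering_monitored(prefix: str, monitored=MONITORED_PREFIXES) -> Optional[Tuple[object, int]]:
    """Return the watched prefix that equals or contains `prefix`, with its expected origin."""
    net = ipaddress.ip_network(prefix)
    for mon, origin in monitored.items():
        if net.version == mon.version and net.subnet_of(mon):
            return mon, origin
    return None


def non_contiguous_repeat(path: Tuple[int, ...]) -> Optional[int]:
    """Prepending repeats an ASN contiguously; the same ASN reappearing after
    other hops means a loop or a stuffed path. Return the offending ASN or None."""
    seen = set()
    prev = None
    for asn in path:
        if asn != prev and asn in seen:
            return asn
        seen.add(asn)
        prev = asn
    return None


def check_update(u: Update, monitored=MONITORED_PREFIXES, monitor_asn: int = MONITOR_ASN) -> List[str]:
    """Run every check against one UPDATE and return the list of alert strings (empty if clean)."""
    if not u.as_path:
        return ["empty AS_PATH"]
    alerts: List[str] = []
    origin = u.as_path[-1]

    # Prefix irregularities: only meaningful for prefixes we have been asked to watch.
    hit = covering_monitored(u.prefix, monitored)
    if hit is not None:
        mon, expected = hit
        if ipaddress.ip_network(u.prefix) != mon:
            alerts.append(f"more-specific {u.prefix} inside monitored {mon} from AS{u.peer_asn}")
        if origin != expected:
            alerts.append(f"origin AS{origin} for {u.prefix}, expected AS{expected}")
        if expected in u.as_path[:-1]:
            alerts.append(f"AS{expected} appears as transit for its own prefix {u.prefix}")

    # AS_PATH irregularities: apply to every UPDATE regardless of prefix.
    if monitor_asn in u.as_path:
        alerts.append(f"monitor AS{monitor_asn} stuffed into path {u.as_path} for {u.prefix}")
    rep = non_contiguous_repeat(u.as_path)
    if rep is not None:
        alerts.append(f"AS{rep} repeats non-contiguously in {u.as_path} for {u.prefix}")
    return alerts


def scan(updates, monitored=MONITORED_PREFIXES, monitor_asn: int = MONITOR_ASN):
    """Return [(update, alerts)] for every UPDATE that tripped at least one check."""
    return [(u, a) for u in updates for a in [check_update(u, monitored, monitor_asn)] if a]


# Constructed sample feed (documentation prefixes and private ASNs, not real routes).
SAMPLE_UPDATES = [
    Update(64496, "192.0.2.0/24", (64496, 64500)),                           # legitimate
    Update(64496, "198.51.100.0/24", (64496, 64496, 64505)),                  # plain prepending
    Update(64497, "192.0.2.0/24", (64497, 64510)),                            # wrong origin
    Update(64496, "192.0.2.128/25", (64496, 64511)),                          # more-specific, wrong origin
    Update(64497, "203.0.113.0/24", (64497, 64510, 4200000001, 64501)),       # monitor ASN in path
    Update(64496, "198.51.100.0/24", (64496, 64502, 64503, 64502, 64505)),    # non-contiguous repeat
]

if __name__ == "__main__":
    for u, alerts in scan(SAMPLE_UPDATES):
        for a in alerts:
            print(f"ALERT peer=AS{u.peer_asn} {a}")
```

In a real deployment the `Update` records would come from a BGP speaker or a route collector feed, and the alert strings would go to the configurable notification service the post proposes; the per-UPDATE checks stay the same. Keying the watch table by prefix and testing with `subnet_of` is what lets a more-specific announced inside a customer's block trip the check even though its exact prefix was never configured.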



