Update on PHAS (ref Youtube hijack)

Mohit Lad mohit at cs.ucla.edu
Sun Mar 2 04:47:26 UTC 2008


Dear all,

Discussions on the recent Youtube incident raised the question about
availability of our project PHAS (Prefix Hijack Alert System).
http://phas.netsec.colostate.edu/
Unfortunately, the timing of the hijack coincided with our  
transitioning to the next stage of PHAS, thus it was unavailable at  
the time. We have switched back to the last stable version and the  
site is fully functional now. We apologize for the inconvenience.

For people not familiar with PHAS, we analyze BGP updates received  
from different vantage points and maintain 3 sets for each prefix.
1. Origin set
2. Last hop set
3. Sub-prefix set
Anyone may register with PHAS for the prefixes he/she wants to watch,  
and select the types of alarms of interest. Each time the set changes,  
an email is sent to the registered email addresses.

If you want to get an idea of the alarms generated, you can register  
for one or more active prefixes that are constantly generating alarms  
as seen in
http://phas.netsec.colostate.edu/stat.html

For the youtube hijack case:
1. since a more specific prefix was observed for youtube's prefix,  
PHAS caught the incident as a "sub-prefix set change" and an alarm was  
generated.

2. PHAS does not rely on information from IRR, so any manipulations to  
IRR (or outdated entries) would not affect PHAS.

3. Some folks questioned whether PHAS would detect cases of hijack if
the origin AS was unchanged: from the above, one can see that PHAS catches
any sub-prefix announcements, and any changes to the last hop (i.e.
next hop to origin AS).

It is true that the current version of PHAS does not detect AS path  
manipulations beyond the last hop. We are developing solutions to this  
problem and hoping to combine the new solution into PHAS soon.

Our recent results also show that the farther away from the origin the  
hijacker inserts his AS number, the less impact it would have on the  
Internet. For folks interested in how the impact of a hijack may vary  
depending on which prefix is involved and the hijacker's location, we  
have a paper in DSN 2007 with some interesting results.
http://www.cs.ucla.edu/~mohit/cameraReady/hijack-dsn.pdf

Thanks

-Mohit
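The three-set scheme described in the message (origin set, last-hop set, sub-prefix set per watched prefix, with an alarm on every set change) can be sketched in a few lines. The code below is an added illustration and is not PHAS code or anything the author posted; the class name `PrefixMonitor`, the `learning` flag used to seed the sets with known-good routes, the vantage-point labels, and all prefixes and AS numbers (10.0.0.0/8-space prefixes and documentation ASNs 64496-64511) are constructed for the example. It also reproduces the limitation the mail states: an AS inserted anywhere in the path other than directly next to the origin leaves all three sets unchanged and raises nothing.

```python
"""PHAS-style per-prefix set monitor (constructed example, not PHAS's own code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PrefixState:
    """The three sets kept for one watched prefix."""
    origins: set = field(default_factory=set)      # origin ASes seen for the prefix
    last_hops: set = field(default_factory=set)    # ASes adjacent to the origin
    subprefixes: set = field(default_factory=set)  # more-specifics observed


class PrefixMonitor:
    """Maintains origin / last-hop / sub-prefix sets and alarms on any change."""

    def __init__(self, watched_prefixes):
        self.state = {ipaddress.ip_network(p): PrefixState() for p in watched_prefixes}

    @staticmethod
    def _origin_and_last_hop(as_path):
        # AS_PATH runs from the vantage point (left) to the origin (right).
        origin = as_path[-1]
        last_hop = as_path[-2] if len(as_path) >= 2 else None
        return origin, last_hop

    def process(self, update, learning=False):
        """Apply one update {vantage, prefix, as_path}; return alarms raised.

        With learning=True the sets are populated but no alarms are emitted,
        which is how a known-good baseline is seeded in this example.
        """
        net = ipaddress.ip_network(update["prefix"])
        origin, last_hop = self._origin_and_last_hop(update["as_path"])
        alarms = []

        def record(kind, watched, bucket, value):
            # A set change is the alarm condition; unchanged sets stay silent.
            if value not in bucket:
                bucket.add(value)
                if not learning:
                    alarms.append({"prefix": str(watched), "kind": kind,
                                   "value": value, "vantage": update["vantage"]})

        for watched, st in self.state.items():
            if net.version != watched.version:
                continue
            if net == watched:
                record("origin", watched, st.origins, origin)
                if last_hop is not None:
                    record("last_hop", watched, st.last_hops, last_hop)
            elif net.subnet_of(watched):
                # A more specific of the watched prefix, regardless of who originates it.
                record("sub_prefix", watched, st.subprefixes, str(net))
        return alarms


def run_demo():
    """Replay a constructed update stream; return the alarms per event."""
    mon = PrefixMonitor(["10.10.0.0/16"])  # constructed watched prefix
    # Baseline: the legitimate route as seen from two constructed vantage points.
    for upd in [
        {"vantage": "vp-A", "prefix": "10.10.0.0/16", "as_path": [64496, 64497, 64500]},
        {"vantage": "vp-B", "prefix": "10.10.0.0/16", "as_path": [64498, 64497, 64500]},
    ]:
        mon.process(upd, learning=True)

    events = [
        # 1. A more specific appears from another origin: sub-prefix set change.
        {"vantage": "vp-A", "prefix": "10.10.1.0/24", "as_path": [64496, 64499, 64511]},
        # 2. An AS inserted two hops from the origin: origin and last hop are
        #    unchanged, so the set-based check stays silent (the stated limitation).
        {"vantage": "vp-A", "prefix": "10.10.0.0/16", "as_path": [64496, 64511, 64497, 64500]},
        # 3. The origin's neighbour changes: last-hop set change.
        {"vantage": "vp-B", "prefix": "10.10.0.0/16", "as_path": [64498, 64511, 64500]},
        # 4. The same route re-announced: sets unchanged, no alarm.
        {"vantage": "vp-B", "prefix": "10.10.0.0/16", "as_path": [64498, 64511, 64500]},
    ]
    return [mon.process(e) for e in events]


if __name__ == "__main__":
    for i, alarms in enumerate(run_demo(), 1):
        print(f"event {i}: {alarms or 'no alarm'}")
```

Event 1 is the shape of the incident the mail describes (a more specific of a watched prefix), event 3 is the last-hop case the mail says is covered, and event 2 shows why path manipulation beyond the last hop needs the separate detection the author mentions is in development.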