community real-time BGP hijack notification service

Nathan Ward nanog at daork.net
Fri Sep 12 12:49:49 UTC 2008


On 12/09/2008, at 10:42 PM, Gadi Evron wrote:

> Hi, WatchMy.Net is a new community service to alert you when your
> prefix has been hijacked, in real-time.


Hi Gadi,

I just had a quick play with this, as I've been considering hacking  
together something similar.

It is trivially easy for an attacker to falsify the origin AS. If  
'they' are not doing it already, then I'm quite surprised.
This isn't really a good thing to alarm on, in my opinion. Or, maybe  
it is, but there should be big bold text explaining that it's not  
reliable as it's trivially easy to falsify.

To be honest, I can't think of anything better, all the attributes you  
can monitor can easily be falsified.

My best idea is looking at the AS_PATH for changes, and alerting  
whenever that happens. You'd obviously get a different path whenever  
there is churn in the network though. I'm sure there's a way to do  
this, and I suspect having BGP feeds from many many places is the most  
reliable way for it to happen, I just haven't figured out why yet.

This seems like a service that Renesys etc. could/should (or maybe  
do?) offer, they seem well placed with all their BGP feeds.

--
Nathan Ward
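
Added illustration (not part of the message above, and not WatchMy.Net's code): a sketch of the difference between alarming on origin AS alone and also checking the AS adjacent to the origin across several vantage points. The baseline, the feed, the vantage-point names, the `min_vps` threshold and the heuristic itself are assumptions constructed for this example; the prefix and ASNs are documentation/private-use values.

```python
from collections import defaultdict

# Constructed baseline for one monitored prefix: expected origin AS and the
# ASes known to sit directly upstream of it (assumed to be maintained by the owner).
BASELINE = {"192.0.2.0/24": {"origin": 64500, "upstreams": {64510, 64511}}}

# Constructed feed: (vantage point, prefix, AS_PATH as received, origin last).
UPDATES = [
    ("vp1", "192.0.2.0/24", [64520, 64510, 64500]),
    ("vp2", "192.0.2.0/24", [64521, 64511, 64500, 64500]),  # prepended origin
    ("vp1", "192.0.2.0/24", [64524, 64510, 64500]),          # ordinary churn far from origin
    ("vp3", "192.0.2.0/24", [64522, 64666, 64500]),          # expected origin, unknown neighbour
    ("vp4", "192.0.2.0/24", [64523, 64666, 64500]),
    ("vp2", "192.0.2.0/24", [64521, 64667]),                 # different origin
]

def collapse(path):
    """Drop consecutive duplicates so AS prepending does not shift positions."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def classify(path, base):
    """Return (kind, asn): origin-mismatch, new-upstream, or ok."""
    path = collapse(path)
    if not path or path[-1] != base["origin"]:
        return ("origin-mismatch", path[-1] if path else None)
    if len(path) >= 2 and path[-2] not in base["upstreams"]:
        return ("new-upstream", path[-2])
    return ("ok", None)

def origin_only_alerts(updates, baseline):
    """The check that only compares the origin AS with the baseline."""
    return [(vp, p) for vp, p, path in updates
            if classify(path, baseline[p])[0] == "origin-mismatch"]

def path_aware_alerts(updates, baseline, min_vps=2):
    """Also flag an unknown AS next to the origin once min_vps vantage points agree."""
    seen = defaultdict(set)
    for vp, prefix, path in updates:
        kind, asn = classify(path, baseline[prefix])
        if kind != "ok":
            seen[(prefix, kind, asn)].add(vp)
    return {k: sorted(v) for k, v in seen.items()
            if k[1] == "origin-mismatch" or len(v) >= min_vps}
```

On this constructed feed the origin-only check raises one alert, while the path-aware check also reports AS 64666 next to the origin as seen from vp3 and vp4, and stays quiet on vp1's path change further from the origin.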







