community real-time BGP hijack notification service

Hank Nussbacher hank at efes.iucc.ac.il
Sun Sep 14 04:20:47 CDT 2008


At 03:07 PM 12-09-08 +0100, Andy Davidson wrote:

>On 12 Sep 2008, at 13:49, Nathan Ward wrote:
>
>>On 12/09/2008, at 10:42 PM, Gadi Evron wrote:
>>>Hi, WatchMy.Net is a new community service to alert you when your
>>>prefix
>>>has been hijacked, in real-time.
>>I just had a quick play with this, as I've been considering hacking
>>together something similar.
>
>Everyone with any interest in this topic should look at the MyASN
>service from the RIPE NCC (which I use and think is brilliant).
>
>http://www.ris.ripe.net/myasn.html
>
>"
>The MyASN service notifies network operators when a prefix is
>announced with an incorrect AS path. An AS path is seen as incorrect
>when it does not match with a regular expression. As not everyone is
>familiar with regular expressions, MyASN provides several easy ways to
>define typical checks, like "the origin of this prefix must be AS x"
>or "the origin of this prefix must be AS x and transit may be provided
>through y or z". However, as any AS path regular expression can be
>set, the MyASN service is suitable for regular expressions gurus as
>well.
>"
>
>To address Nathan's point, I recommend the RIPE service because for
>such a service to be ubiquitously useful, it needs to have many eyes
>(a view of routing tables at lots of points on the internet) which is
>where the very well peered situation of RIS comes into effect.  At the
>last RIPE meeting I think I saw RIS had over 600 peers, which it
>collects at internet exchange points all over the world.

I have used IAR, PHAS and MyASN and I can say I would not recommend 
myASN.  It is a cumbersome system and very non-intuitive.  It is based on 
an ASN-centric model, whereby each ASN is in its own realm.  So if you 
manage *one* ASN, perhaps this system might work for you.  But if you have 
about 10 ASNs you want to manage, in one central spot, you are out of luck 
here.  Also, you would expect the system to "auto-learn" what prefixes 
exist under your ASN and then you would have perhaps check boxes to disable 
or enable monitoring for specific prefixes.  With myASN you have to 
manually type in each and every prefix you have.  The same holds true for 
the newer http://ripe.net/is/alarms/.  They also differentiate between 
origin and transit ASN.  Their summary view doesn't show which prefixes are 
being monitored.  No help or FAQ available yet on the beta alarms system.

PHAS doesn't look at ASNs just prefixes.  You have to register each and 
every prefix via their site at: http://phas.netsec.colostate.edu/subscribe.html
Problem is to remove prefixes you have to totally unsubscribe via:
http://phas.netsec.colostate.edu/unsubscribe.html
You can't manage/unsubscribe individual prefixes.  And if you registered 
years ago before they instituted the ID and key factor for unsubscribing 
(as I did), you have no way to figure out how to unsubscribe from their 
email notices.  Their notices provide many false alarms based on my 
observation over the past few years.

The best system so far would be IAR:  http://iar.cs.unm.edu/
The email notices are pretty much on time and accurate.  Problem is they 
have changed the system and I believe some forum page/link has gone lost 
that allows one to manage existing subscriptions as per: 
http://iar.cs.unm.edu/alerts.php#email

Now for the new boy in town - Watchmy.net.  When you register it doesn't 
say you need at least an 8 char pswd.  I did 7.  So it wipes out all form 
data entered (name, phone number, etc.) and makes you start again from 
scratch.  The Web interface seems the most intuitive of all 4 but since I 
am just starting to use it - I will only discover the warts over the next week.

In general, academic systems like UNM and Colostate are the baby of some 
post-doc and then disappear after they leave or move on.  By nature, CS and 
EE departments don't like or care to run production systems.  That is why I 
had high hopes for the RIPE system, which unfortunately, IMHO, is the 
worst.  It is funded via membership dues and one would expect that the 
authors would poll the RIPE community for what functionality they would 
need.  That has not been done.  Even when they get feedback (as far back as 
2003) they just ignore it and continue doing the development based on what 
they *believe* is what we need, rather than *asking* what we need.  That is 
why I am hoping that Watchmy.Net will not only listen to the community 
needs, but also have a commitment for long term maintenance.

Regards,
Hank



>best wishes
>Andy
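
Added example, not part of the original thread and not code from any of the services discussed: a Python sketch of the check the quoted MyASN description outlines ("the origin of this prefix must be AS x and transit may be provided through y or z"), extended here to also cover more-specific announcements of a monitored prefix. The ASNs and prefixes are documentation-range values constructed for illustration, and the names `path_regex`, `check`, `MONITORED` and `OBSERVED` are hypothetical.

```python
import ipaddress
import re

def path_regex(origin, transit):
    """AS-path regex: path ends in `origin` (prepending allowed) and the AS
    directly upstream of it, if any, must be one of `transit`."""
    upstream = "|".join(str(a) for a in sorted(transit))
    first_hop = rf"(?:(?:\d+ )*(?:{upstream}) )?" if transit else ""
    return re.compile(rf"^{first_hop}{origin}(?: {origin})*$")

def check(observations, monitored):
    """Return (prefix, as_path, reason) for each observation that breaks a rule."""
    alerts = []
    for prefix, as_path in observations:
        seen = ipaddress.ip_network(prefix)
        for rule in monitored:
            mine = ipaddress.ip_network(rule["prefix"])
            # Only the monitored prefix itself and its more-specifics are in scope.
            if seen.version != mine.version or not seen.subnet_of(mine):
                continue
            if path_regex(rule["origin"], rule["transit"]).match(as_path):
                continue  # path is consistent with the registered policy
            wrong_origin = as_path.split()[-1] != str(rule["origin"])
            alerts.append((prefix, as_path, "origin" if wrong_origin else "upstream"))
    return alerts

# Constructed policy: one prefix, origin AS64496, transit via AS64497 or AS64498.
MONITORED = [{"prefix": "198.51.100.0/24", "origin": 64496,
              "transit": {64497, 64498}}]

# Constructed observations, written as a collector would see them
# (leftmost AS is the collector's peer, rightmost is the origin).
OBSERVED = [
    ("198.51.100.0/24", "64500 64497 64496"),    # expected path
    ("198.51.100.0/24", "64496 64496"),          # direct peer, prepended
    ("198.51.100.0/24", "64500 64511"),          # unexpected origin
    ("198.51.100.128/25", "64501 64511"),        # more-specific, unexpected origin
    ("198.51.100.0/24", "64500 64511 64496"),    # right origin, unexpected upstream
    ("203.0.113.0/24", "64500 64511"),           # not a monitored prefix
]

if __name__ == "__main__":
    for prefix, path, reason in check(OBSERVED, MONITORED):
        print(f"ALERT {prefix} via [{path}]: unexpected {reason}")
```

A more-specific announced with a policy-conforming path is not flagged, so an operator's own de-aggregation stays quiet; only the path policy decides.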




