community real-time BGP hijack notification service
hank at efes.iucc.ac.il
Sun Sep 14 04:20:47 CDT 2008
At 03:07 PM 12-09-08 +0100, Andy Davidson wrote:
>On 12 Sep 2008, at 13:49, Nathan Ward wrote:
>>On 12/09/2008, at 10:42 PM, Gadi Evron wrote:
>>>Hi, WatchMy.Net is a new community service to alert you when your
>>>has been hijacked, in real-time.
>>I just had a quick play with this, as I've been considering hacking
>>together something similar.
>Everyone with any interest in this topic should look at the MyASN
>service from the RIPE NCC (which I use and think is brilliant).
>The MyASN service notifies network operators when a prefix is
>announced with an incorrect AS path. An AS path is seen as incorrect
>when it does not match with a regular expression. As not everyone is
>familiar with regular expressions, MyASN provides several easy ways to
>define typical checks, like "the origin of this prefix must be AS x"
>or "the origin of this prefix must be AS x and transit may be provided
>through y or z". However, as any AS path regular expression can be
>set, the MyASN service is suitable for regular expressions gurus as
>To address Nathan's point, I recommend the RIPE service because for
>such a service to be ubiquitously useful, it needs to have many eyes
>(a view of routing tables at lots of points on the internet) which is
>where the very well peered situation of RIS comes into effect. At the
>last RIPE meeting I think I saw RIS had over 600 peers, which it
>collects at internet exchange points all over the world.
I have used IAR, PHAS and MyASN and I can say I would not recommend
myASN. It is a cumbersome system and very non-intuitive. It is based on
an ASN-centric model, whereby each ASN is in its own realm. So if you
manage *one* ASN, perhaps this system might work for you. But if you have
about 10 ASNs you want to manage, in one central spot, you are out of luck
here. Also, you would expect the system to "auto-learn" what prefixes
exist under your ASN and then you would have perhaps check boxes to disable
or enable monitoring for specific prefixes. With myASN you have to
manually type in each and every prefix you have. The same holds true for
the newer http://ripe.net/is/alarms/. They also differentiate between
origin and transit ASN. Their summary view doesn't show which prefixes are
being monitored. No help or FAQ available yet on the beta alarms system.
PHAS doesn't look at ASNs just prefixes. You have to register each and
every prefix via their site at: http://phas.netsec.colostate.edu/subscribe.html
Problem is to remove prefixes you have to totally unsubscribe via:
You can't manage/unsubscribe individual prefixes. And if you registered
years ago before they instituted the ID and key factor for unsubscribing
(as I did), you have no way to figure out how to unsubscribe from their
email notices. Their notices provide many false alarms based on my
observation over the past few years.
The best system so far would be IAR: http://iar.cs.unm.edu/
The email notices are pretty much on time and accurate. Problem is they
have changed the system and I believe some forum page/link has gone lost
that allows one to manage existing subscriptions as per:
Now for the new boy in town - Watchmy.net. When you register it doesn't
say you need at least an 8 char pswd. I did 7. So it wipes out all form
data entered (name, phone number, etc.) and makes you start again from
scratch. The Web interface seems the most intuitive of all 4 but since I
am just starting to use it - I will only discover the warts over the next week.
In general, academic systems like UNM and Colostate are the baby of some
post-doc and then disappear after they leave or move on. By nature, CS and
EE departments don't like or care to run production systems. That is why I
had high hopes for the RIPE system, which unfortunately, IMHO, is the
worst. It is funded via membership dues and one would expect that the
authors would poll the RIPE community for what functionality they would
need. That has not been done. Even when they get feedback (as far back as
2003) they just ignore it and continue doing the development based on what
they *believe* is what we need, rather than *asking* what we need. That is
why I am hoping that Watchmy.Net will not only listen to the community
needs, but also have a commitment for long term maintenance.
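
The AS-path checks described in the quoted MyASN text ("the origin of this prefix must be AS x", optionally with transit through y or z), as an added example that is not part of the original message and is not code from any of the services discussed. The function names, the watch list layout, and the documentation-range ASNs and prefixes are assumptions constructed for illustration; it also flags more-specific announcements inside a watched prefix.

```python
import ipaddress
import re

def origin_only(origin):
    """'The origin of this prefix must be AS x' (prepending allowed)."""
    return re.compile(rf"^(?:\d+ )*{origin}$")

def origin_with_transit(origin, transits):
    """Origin must be AS x; the AS directly upstream of it, if any,
    must be one of the listed transit ASNs."""
    alt = "|".join(str(t) for t in transits)
    return re.compile(rf"^(?:(?:\d+ )*(?:{alt}) )?{origin}(?: {origin})*$")

def check(watchlist, announcements):
    """Return (prefix, as_path, watched_prefix) for every announcement that
    falls inside a watched prefix but whose AS path fails that prefix's rule."""
    alerts = []
    for prefix, path in announcements:
        net = ipaddress.ip_network(prefix)
        for watched, rule in watchlist:
            same_family = net.version == watched.version
            if same_family and net.subnet_of(watched) and not rule.match(path):
                alerts.append((prefix, path, str(watched)))
    return alerts

# Constructed watch list: prefixes from two different ASNs in one place.
WATCHLIST = [
    (ipaddress.ip_network("192.0.2.0/24"), origin_only(64496)),
    (ipaddress.ip_network("198.51.100.0/24"),
     origin_with_transit(64497, [64500, 64501])),
]

# Constructed announcements as (prefix, AS path seen by a collector peer).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", "64510 64500 64496"),           # expected origin
    ("192.0.2.0/25", "64510 64499"),                 # more-specific, wrong origin
    ("198.51.100.0/24", "64510 64501 64497 64497"),  # allowed transit, prepended
    ("198.51.100.0/24", "64510 64502 64497"),        # unexpected transit
    ("203.0.113.0/24", "64510 64499"),               # not watched, ignored
]

if __name__ == "__main__":
    for prefix, path, watched in check(WATCHLIST, ANNOUNCEMENTS):
        print(f"ALERT {prefix} via [{path}] violates rule for {watched}")
```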