BGP IP prefix hijack detection times

Christopher Morrow morrowc.lists at gmail.com
Tue Feb 28 05:47:07 UTC 2017


On Tue, Feb 28, 2017 at 12:15 AM, Nagarjun Govindraj <
nagarjun.govindraj at imaginea.com> wrote:

>
> Well, the idea behind the mail was to know if anyone in the community is
> doing real time BGP IP prefix hijacking detection.
> Like the Artemis detection tool claims to be detecting in 1.4 ~ 3.1 minutes.
> So I wanted to know if anyone in the community is using such tools for
> detecting hijacks, and if yes, how much time the system takes to detect.
>
>
My guess is: "yes, people are struggling through hijack detection problems"
and: "1-3 minutes isn't as important as the time spent figuring out: 1) is
the alert real (this time!), 2) what will you do about it?"

Then you sink time into: "Hey remote peer of not me, could you stop
accepting the prefix X/y from your 'customer' because .. clearly they are
not me..."

Also, maybe time to push for more RPKI deployment so you can say: "Hey peer
of not me out there in the world, you note that I've a signed certificate
from $RIR attesting that I'm the proper user of prefix X/y and I've created
and published ROA data saying the proper origin-as for X/y is M... your
customer isn't M... so, yea, please stop accepting that prefix from them?
Kthxbi!"

You may ALSO want to ask: "So, about that customer (and all your other
customers) you DO have bgp prefix filters on their sessions, right? because
the year is 2017 and that is ... table-stakes for operating a part of the
global internet now... right?"

-chris


>
> Regards,
> Nagarjun
>
> On Mon, Feb 27, 2017 at 10:59 PM Nick Hilliard <nick at foobar.org> wrote:
>
>> Christopher Morrow wrote:
>> > Also: "How reliable are the alerts being sent?"
>>
>> also: do the smtp servers which handle mail for the domain of the
>> alerting email address use the IP address space they're notifying
>> about?
>>
>> Nick
>>
>>
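The RPKI argument in Chris's reply (a published ROA names the proper origin AS for X/y, so a peer can reject an announcement of X/y from a customer that is not that AS) is the Route Origin Validation procedure of RFC 6811. The following is an added example, not code from the thread or from any of the tools mentioned in it: it validates constructed announcements against a constructed ROA set. The prefixes are from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) and the ASNs from the reserved documentation range 64496-64511; none of these are real operator data.

```python
"""Route Origin Validation (RFC 6811) against a small, constructed ROA set.

Outcome per announcement:
  Valid    - some covering ROA has the same origin AS and the announced
             prefix length does not exceed the ROA's maxLength
  Invalid  - at least one ROA covers the prefix, but none authorises this
             origin AS at this prefix length (the "your customer isn't M" case)
  NotFound - no ROA covers the prefix at all (RPKI says nothing about it)
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # covering prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length this ROA authorises
    origin_asn: int   # the AS allowed to originate prefixes under it


# Constructed ROAs (documentation prefixes and ASNs, not real data).
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64500),
]


def covering_roas(roas, announced):
    """Return the ROAs whose prefix covers the announced prefix."""
    net = ipaddress.ip_network(announced, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed address families, so check first.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate(roas, announced, origin_asn):
    """Classify one announcement as Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(announced, strict=False)
    covering = covering_roas(roas, announced)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    # Covered, but no ROA authorises this (origin, length) pair.
    return "Invalid"


def audit(roas, announcements):
    """Return the announcements a peer should drop (RPKI-Invalid).

    `announcements` is a list of (prefix, origin_asn) pairs as seen in a
    customer session; Invalid ones are the candidates for a filter.
    """
    return [(p, asn) for p, asn in announcements
            if validate(roas, p, asn) == "Invalid"]


# Constructed announcements covering each outcome.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),    # legitimate origin            -> Valid
    ("192.0.2.0/24", 64501),    # wrong origin AS              -> Invalid
    ("192.0.2.0/25", 64500),    # more specific than maxLength -> Invalid
    ("198.51.100.0/24", 64500), # nothing signed for it        -> NotFound
    ("2001:db8:1::/48", 64500), # within maxLength, right AS   -> Valid
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn}  {validate(ROAS, prefix, asn)}")
    print("drop:", audit(ROAS, ANNOUNCEMENTS))
```

Note the two Invalid cases: the origin-AS mismatch is the hijack scenario in the thread, while the over-long more-specific is a leak or hijack that a ROA with a tight maxLength also catches. A NotFound result is not a hijack signal on its own; it only means the holder has not published a ROA, which is the deployment gap Chris is pointing at.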