BGP IP prefix hijack detection times

Hank Nussbacher hank at
Tue Feb 28 06:01:40 UTC 2017

On 28/02/2017 07:15, Nagarjun Govindraj via NANOG wrote:

So what if you detect in 1.4 minutes of 3.1 minutes?  Or even 8
minutes?  What then?
You certainly couldn't do anything to prevent it after 3.1 minutes. 
First you need to analyze whether the BGP hijack is a false positive or not.
Could be the customer you are watching is testing out some cloud based
anti-DDOS mitigation and is allowing some other ASN to announce their
/24 (intentional).
Could be the ASN on the other side of the world has implemented some BGP
optimization box which announces prefixes internally  to do TE but they
also happen to be sending BGP updates to Dyn/BGPMON/Team Cymru/whoever. 
Could be the customer you are monitoring has decided to blackhole some
malicious IP and has started to announce a /32 internally and they too
feed BGP announcements to Dyn/BGPMON/Team Cymru/whoever.
I have many other examples. 
After you get an announcement of a BGP hijack, you start investigating. 
You determine the extent of the hijack - is it localized to one
geographic area or is it worldwide.  Is it just you or are there
thousands of other prefixes affected.  After 15 minutes you sit down and
write an email to the ASN doing the announcement.  For that you hope
whois is up to date which 60% of the time it is not.  So you start
scraping Google for possible email addresses to contact.
After not getting a response for 24 hours you send an email to their
upstream ASN (also contingent on finding proper email addresses that
will respond).
After waiting another day you send an email to the upstream of the
upstream and you keep repeating the process until you find someone
Stopping a BGP hijack does not take 1.4 minutes or 3.1 minutes.  It is
usually hours and sometimes days until the hijack is stopped.


> Well, the idea behind the mail was to know if anyone in the community are
> doing real time BGP IP prefix hijacking.
> Like Artemis detection tool claims to be detecting in 1.4 ~ 3.1 minutes. So
> I wanted to know if anyone in the community are using such tools for
> detecting hijacks, if yes how much time does the system take to detect.
> Regards,
> Nagarjun
> On Mon, Feb 27, 2017 at 10:59 PM Nick Hilliard <nick at> wrote:
>> Christopher Morrow wrote:
>>> Also: "How reliable are the alerts being sent?"
>> also: do the smtp servers which handle mail for the domain of the
>> alerting email address use the IP address space as they're notifying about?
>> Nick

More information about the NANOG mailing list