[107294] in North American Network Operators' Group
Re: BGP Attack - Best Defense ?
daemon@ATHENA.MIT.EDU (Guy_Shields@Stream.Com)
Fri Aug 29 18:59:55 2008
From: Guy_Shields@Stream.Com
Date: Fri, 29 Aug 2008 17:58:47 -0500
To: "surfer" <surfer@mauigateway.com>, "nanog" <nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org
You need to contact, 1st, their directly connected provider; 2nd, contact your upstream provider and ask that they contact their peers and negate the announcement; 3rd, if this is an ARIN-provided block, contact them, as you do pay for your allocation and they will have the contacts to resolve the issue. You cannot normally announce smaller than a /24.
----- Original Message -----
From: "Scott Weeks" [surfer@mauigateway.com]
Sent: 08/29/2008 03:50 PM MST
To: <nanog@merit.edu>
Subject: Re: BGP Attack - Best Defense ?
------- jfesler@gigo.com wrote: -------
From: Jason Fesler <jfesler@gigo.com>
> I am signed up for the Prefix Hijack Alert System
> (phas.netsec.colostate.edu) and would be alerted in about 6 hours (or
> less?) about a prefix announcement change.
Would the alerts go to a mail server behind said BGP prefixes?
---------------------------------------
They would go to me. They have been coming to me since I heard about this service on NANOG.
Thanks folks at Colorado State University! :-)
--------------------------------------
Also, if you're gonna bother at all.. I'd humbly suggest that 6 hours is
too long to wait. Without naming names, consider if this response time is
adequate, and if not, look at some of the commercial options.
--------------------------------------
I'm currently on an eyeball network and no one is physically close to me, since I'm in Hawaii (the most isolated land mass in the world). Even though the TTL changes in this attack, the physics don't. The gamers would probably be the first alert folks as they would see the delay regardless of what their traceroutes say... ;-) In this attack the traffic makes it to both end-points. The middle is what changes.
Restating my question differently: If the attacker is announcing a /24 of mine, I figure it out somehow and I start announcing the same. What happens if the attacker doesn't stop?
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
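The two points the thread turns on, that a /24 announced by the hijacker and the same /24 announced by the legitimate holder simply compete on AS-path length (so part of the Internet keeps routing to the hijacker), and that announcing anything more specific than a /24 is normally filtered by transit providers, can be seen in a small simulation. The block below is an added example written for this archive page; it is not code from the thread, from NANOG or from the PHAS project. The topology, the AS numbers (taken from the documentation range 64496-64511), the 192.0.2.0/24 prefix (TEST-NET-1) and the traffic flows are all constructed, the BGP decision process is reduced to "shortest AS path, then lowest origin AS", and `origin_conflicts` is a hypothetical stand-in for the origin-AS comparison an alert service like PHAS performs; none of these names come from the page.

```python
"""
Toy path-vector simulation of a BGP prefix hijack (added example, not from the thread).
Everything below (topology, ASNs, prefix, filter policy) is constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Common transit ingress policy mentioned in the thread: nothing longer than a /24 is accepted.
MAX_ACCEPTED_PREFIXLEN = 24

# Constructed topology (documentation ASNs 64496-64511), undirected adjacency lists.
TOPOLOGY = {
    64496: [64497],                # victim, single-homed to its transit
    64497: [64496, 64498],         # victim's transit
    64498: [64497, 64499],         # intermediate transit
    64499: [64498, 64500, 64511],  # hijacker's transit
    64500: [64499],                # eyeball network that happens to sit near the hijacker
    64511: [64499],                # hijacker, single-homed
}
VICTIM, HIJACKER, PREFIX = 64496, 64511, "192.0.2.0/24"
EXPECTED_ORIGIN = {ipaddress.ip_network(PREFIX): VICTIM}  # what the registry says


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin: int
    as_path: tuple  # ASes the announcement traversed, nearest neighbour first; () if originated locally


def accept(route):
    """Ingress filter applied by every AS: reject anything more specific than /24."""
    return route.prefix.prefixlen <= MAX_ACCEPTED_PREFIXLEN


def best_route(candidates):
    """Simplified BGP decision: shortest AS path wins, tie-break on lowest origin AS."""
    return min(candidates, key=lambda r: (len(r.as_path), r.origin))


def propagate(topology, announcements):
    """
    Flood announcements over the AS graph. Each AS keeps only its best route per prefix
    (a tiny RIB) and re-advertises that, prepending itself. Returns {asn: {prefix: Route}}.
    """
    rib = defaultdict(dict)
    queue = []
    for origin, prefix in announcements:
        route = Route(ipaddress.ip_network(prefix), origin, ())
        rib[origin][route.prefix] = route
        queue.append((origin, route))
    while queue:
        sender, route = queue.pop(0)
        advertised = Route(route.prefix, route.origin, (sender,) + route.as_path)
        if not accept(advertised):
            continue  # neighbours' filters drop it at ingress
        for nbr in topology[sender]:
            if nbr in advertised.as_path:
                continue  # loop prevention
            current = rib[nbr].get(advertised.prefix)
            if current is None or best_route([current, advertised]) is advertised:
                rib[nbr][advertised.prefix] = advertised
                queue.append((nbr, advertised))
    return dict(rib)


def lookup(table, address):
    """Forwarding decision: longest-prefix match over one AS's RIB."""
    addr = ipaddress.ip_address(address)
    return max((r for p, r in table.items() if addr in p),
               key=lambda r: r.prefix.prefixlen, default=None)


def origins_seen_from(rib, address):
    """For each AS, which origin does traffic to `address` actually reach?"""
    return {asn: (lookup(t, address).origin if lookup(t, address) else None) for asn, t in rib.items()}


def origin_conflicts(rib, expected_origin):
    """PHAS-style check: any route inside a registered block with an unexpected origin AS."""
    conflicts = set()
    for table in rib.values():
        for route in table.values():
            for held, holder in expected_origin.items():
                if route.prefix.subnet_of(held) and route.origin != holder:
                    conflicts.add((str(route.prefix), route.origin))
    return sorted(conflicts)


def scenario_hijack():
    """Victim and hijacker both announce the same /24: the Internet splits by AS-path length."""
    rib = propagate(TOPOLOGY, [(VICTIM, PREFIX), (HIJACKER, PREFIX)])
    return origins_seen_from(rib, "192.0.2.10"), origin_conflicts(rib, EXPECTED_ORIGIN)


def scenario_more_specific_counter():
    """Victim also announces two /25s hoping longest-prefix match wins; the /24 filter drops them."""
    rib = propagate(TOPOLOGY, [(VICTIM, PREFIX), (HIJACKER, PREFIX),
                               (VICTIM, "192.0.2.0/25"), (VICTIM, "192.0.2.128/25")])
    return origins_seen_from(rib, "192.0.2.10")


if __name__ == "__main__":
    reach, alerts = scenario_hijack()
    print("hijack, same /24 from both sides:", reach)
    print("origin-AS alerts:", alerts)
    print("after victim adds /25s:", scenario_more_specific_counter())
```

Running it shows ASes 64499 and 64500 sending traffic to the hijacker while 64497 and 64498 still reach the victim, which is the "the middle is what changes" situation described above; the victim's /25s never leave its own routing table because the first transit rejects them, and the only thing that flags the problem network-wide is the origin-AS comparison.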