[107735] in North American Network Operators' Group


Re: community real-time BGP hijack notification service

daemon@ATHENA.MIT.EDU (Christian Koch)
Fri Sep 12 09:49:51 2008

Date: Fri, 12 Sep 2008 09:49:39 -0400
From: "Christian Koch" <christian@broknrobot.com>
To: "Nathan Ward" <nanog@daork.net>
In-Reply-To: <0D35644E-6263-4B19-A3EC-E79BA5CCB2D0@daork.net>
Cc: nanog <nanog@merit.edu>
Errors-To: nanog-bounces@nanog.org

It is, agreed. But what is more likely: a simple prefix hijack or an
all-out attack, manipulating origin AS and as_path? While the 2nd is
possible, the first is the most likely, and the basis for all these
"hijack alert" services.


Christian



On Fri, Sep 12, 2008 at 9:27 AM, Nathan Ward <nanog@daork.net> wrote:
> On 13/09/2008, at 1:14 AM, Christian Koch wrote:
>
>> Maybe a better idea would be if you were able to input your origin asn
>> and define your upstreams and/or peers, to be alerted on as well. (ie:
>> Do not alert me on any paths containing  123_000, 456_000, 789_000).
>
>
> Again, that is trivially easy to falsify.
>
> My best quick hack solution so far is to fire off a traceroute and make sure
> that the traceroute gets ICMP TTL expire messages from IP addresses that are
> in prefixes originated from all the ASes in the ASPATH.
> Still forgeable, but a bit more difficult.. still far from perfect though.
>
> --
> Nathan Ward
>
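
The check discussed in this thread (alert on a foreign origin AS, and optionally on a neighbour AS that was not declared as an upstream or peer), sketched as an added example that is not part of either message. The prefix, the AS numbers, and the names `classify`, `collapse` and `run` are assumptions chosen for illustration; the sample announcements are constructed.

```python
import ipaddress

# Constructed configuration: documentation prefix (RFC 5737) and ASNs (RFC 5398).
MONITORED = ipaddress.ip_network("192.0.2.0/24")
ORIGIN_AS = 64500
UPSTREAMS = {64501, 64502}   # ASes allowed to appear directly before the origin

def collapse(as_path):
    """Drop consecutive duplicates so AS-path prepending does not confuse the check."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def classify(prefix, as_path):
    """Return 'ORIGIN', 'UPSTREAM' or None for one observed announcement."""
    net = ipaddress.ip_network(prefix)
    # Only the monitored prefix and its more-specifics are of interest.
    if net.version != MONITORED.version or not net.subnet_of(MONITORED):
        return None
    path = collapse(as_path)
    if not path:
        return None
    if path[-1] != ORIGIN_AS:
        return "ORIGIN"        # someone else originates our address space
    if len(path) > 1 and path[-2] not in UPSTREAMS:
        return "UPSTREAM"      # our origin, reached through an undeclared neighbour
    return None

# Constructed sample announcements as (prefix, AS path seen by a collector).
SAMPLES = [
    ("192.0.2.0/24",    [64510, 64501, 64500, 64500, 64500]),  # normal, prepended
    ("192.0.2.0/24",    [64510, 64511]),                        # foreign origin
    ("192.0.2.128/25",  [64510, 64511]),                        # foreign more-specific
    ("192.0.2.0/24",    [64510, 64511, 64500]),                 # undeclared neighbour
    ("192.0.2.0/24",    [64510, 64511, 64501, 64500]),          # expected tail: passes
    ("198.51.100.0/24", [64510, 64511]),                        # not monitored
]

def run(samples=SAMPLES):
    """Classify every sample announcement, in order."""
    return [classify(p, path) for p, path in samples]

if __name__ == "__main__":
    for (p, path), verdict in zip(SAMPLES, run()):
        print(p, path, verdict or "ok")
```

The fifth sample raises no alert because its path ends in a declared upstream followed by the expected origin, which is the limitation raised in the quoted reply: the check only sees what the AS path claims.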

