[107777] in North American Network Operators' Group
Re: community real-time BGP hijack notification service
Sat Sep 13 02:30:32 2008
From: Nathan Ward <nanog@daork.net>
To: nanog <nanog@merit.edu>
In-Reply-To: <48CB5429.7000908@internode.com.au>
Date: Sat, 13 Sep 2008 18:30:25 +1200
On 13/09/2008, at 5:48 PM, Matthew Moyle-Croft wrote:
> Arnaud de Prelle wrote:
>> I think that most of us (me included) are already using it but the
>> problem is that they don't have BGP collectors everywhere in the
>> world.
>> This is in fact a generic issue for BGP monitoring.
>>
> In this case it's very important to have a lot of collectors broadly
> distributed listening in many ASes.
>
> For example:
>
> If I know there are two BGP collectors driving this service, and
> they're in, say, AS701 and AS1239, then if I wanted to do a partial
> hijack (which might be good enough for my evil purposes) then I
> could advertise a path which had those ASes stuffed in it and
> prevent downstream collectors in AS701 and AS1239 from learning the
> hijack path.
Note that the attack becomes less and less effective if you're
path-stuffing ASes, as it will be preferred by fewer and fewer networks.
Put collection points in, say, 10 networks, and the attack becomes
pretty useless.
Unless of course you are announcing a more specific prefix than the
authentic one.
--
Nathan Ward
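The argument in this exchange, as an added simulation that is not part of the original posts: a toy shortest-AS_PATH model on a constructed 9-AS topology, showing that stuffing the collectors' ASNs into the AS_PATH keeps those collectors (and anything behind them) from installing the hijacked route via loop detection, but also shrinks the set of networks that prefer the longer path, and that a more-specific announcement sidesteps that path-length penalty. The topology, ASNs, prefixes, and the lowest-next-hop tie-break are all assumptions of this model, not anything from the thread.

```python
"""Toy model of AS_PATH stuffing against BGP collector coverage. Constructed
topology/ASNs; shortest-AS_PATH selection only, no local-pref or relationships."""
import heapq

# Constructed topology: undirected AS adjacencies (illustrative ASNs, not real).
TOPOLOGY = {1: [2, 3], 2: [1, 4, 5], 3: [1, 6], 4: [2, 7], 5: [2, 8],
            6: [3, 8], 7: [4, 9], 8: [5, 6, 9], 9: [7, 8]}

def select_routes(topology, announcements):
    """announcements: {injecting ASN: AS_PATH it originates (itself first)}.
    Returns {asn: (installed AS_PATH, injector)} for one prefix. Shortest path
    wins, ties go to the lowest next-hop ASN (assumed stand-in for router-id),
    an injector keeps its own route, and loop detection drops any path that
    already contains the receiving ASN, so it never propagates past that AS."""
    installed, heap = {}, [(0, path, src) for src, path in announcements.items()]
    heapq.heapify(heap)
    while heap:
        _, path, src = heapq.heappop(heap)
        asn = path[0]
        if asn in installed:            # already holds an equal-or-better path
            continue
        installed[asn] = (path, src)    # only the best route is re-announced
        for nbr in topology[asn]:
            if nbr not in path and nbr not in installed:
                new = (nbr,) + path
                heapq.heappush(heap, (len(new), new, src))
    return installed

def traffic_sinks(topology, announcements_by_prefix):
    """{prefix: announcements} -> {asn: ASN its traffic is delivered to}.
    Longest-prefix match: a more-specific route wins regardless of path length."""
    sink = {}
    for prefix in sorted(announcements_by_prefix, key=lambda p: int(p.split("/")[1])):
        for asn, (_, src) in select_routes(topology, announcements_by_prefix[prefix]).items():
            sink[asn] = src
    return sink

def hijack_impact(topology, legit, hijacker, hijack_path, collectors, more_specific=False):
    """Return (ASes whose traffic reaches the hijacker, whether any collector sees it).
    hijack_path starts with the hijacker's ASN; stuffed ASNs follow it."""
    covering = "203.0.113.0/24"                      # constructed prefixes
    if more_specific:
        ann = {covering: {legit: (legit,)}, "203.0.113.0/25": {hijacker: hijack_path}}
    else:
        ann = {covering: {legit: (legit,), hijacker: hijack_path}}
    hijacked = {asn for asn, s in traffic_sinks(topology, ann).items() if s == hijacker}
    return hijacked, bool(hijacked & set(collectors))
```

With AS 9 as the legitimate origin, AS 1 as the hijacker and collectors in AS 4 and AS 8, a plain announcement pulls six ASes and is seen by a collector; stuffing 4 and 8 into the path hides it from both collectors but only three ASes still prefer it, and stuffing every other ASN leaves the hijacker alone; the more-specific variant with the same stuffed path pulls five ASes while staying invisible to the collectors.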