[193853] in North American Network Operators' Group
Re: BGP IP prefix hijack detection times
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue Feb 28 00:47:10 2017
X-Original-To: nanog@nanog.org
In-Reply-To: <CAESotaFyoqY9BFasn6SRsRrM6r1bdeRRq14V=71nfnEFDSQgUA@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Tue, 28 Feb 2017 00:47:07 -0500
To: Nagarjun Govindraj <nagarjun.govindraj@imaginea.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Tue, Feb 28, 2017 at 12:15 AM, Nagarjun Govindraj <nagarjun.govindraj@imaginea.com> wrote:
>
> Well, the idea behind the mail was to know if anyone in the community is
> doing real-time BGP IP prefix hijacking.
> Like the Artemis detection tool claims to be detecting in 1.4 ~ 3.1 minutes.
> So I wanted to know if anyone in the community is using such tools for
> detecting hijacks; if yes, how much time does the system take to detect?
>
>
My guess is: "yes, people are struggling through hijack detection problems"
and: "1-3 minutes isn't as important as the time spent figuring out: 1) is
the alert real (this time!), 2) what will you do about it?"
Then you sink time into: "Hey remote peer of not me, could you stop
accepting the prefix X/y from your 'customer' because .. clearly they are
not me..."
Also, maybe time to push for more RPKI deployment so you can say: "Hey peer
of not me out there in the world, you note that I've a signed certificate
from $RIR attesting that I'm the proper user of prefix X/y and I've created
and published ROA data saying the proper origin-as for X/y is M... your
customer isn't M... so, yea, please stop accepting that prefix from them?
Kthxbi!"
You may ALSO want to ask: "So, about that customer (and all your other
customers) you DO have BGP prefix filters on their sessions, right? Because
the year is 2017 and that is ... table-stakes for operating a part of the
global internet now... right?"
-chris
>
> Regards,
> Nagarjun
>
> On Mon, Feb 27, 2017 at 10:59 PM Nick Hilliard <nick@foobar.org> wrote:
>
>> Christopher Morrow wrote:
>> > Also: "How reliable are the alerts being sent?"
>>
>> also: do the SMTP servers which handle mail for the domain of the
>> alerting email address use the IP address space they're notifying
>> about?
>>
>> Nick
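Chris's ROA point, as an added example that is not from the original thread: a minimal Route Origin Validation check with the RFC 6811 outcomes (valid / invalid / not-found) over constructed ROA data, showing how a published ROA saying "the origin-AS for X/y is M" lets an operator flag an announcement of X/y from any other origin, or one more specific than the ROA's maxLength. All prefixes, ASNs and ROAs below are made-up sample values.

```python
import ipaddress

# Constructed ROA set: (prefix, maxLength, authorised origin AS).
# These are sample values, not real RPKI data.
ROAS = [
    ("192.0.2.0/24", 24, 64500),      # "M" is the proper origin for X/y
    ("198.51.100.0/22", 24, 64501),   # may be announced as /22../24 only
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation for one BGP announcement.

    Returns 'valid' if some ROA covers the prefix, permits its length and
    names this origin; 'invalid' if ROAs cover the prefix but none match;
    'not-found' if no ROA covers the prefix at all.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= max_len and origin_as == roa_as:
            return "valid"
    return "invalid" if covered else "not-found"


def find_hijack_candidates(announcements, roas=ROAS):
    """Return the (prefix, origin) pairs that contradict a published ROA."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, roas) == "invalid"]


# Constructed observations, as a route collector feed might show them.
OBSERVED = [
    ("192.0.2.0/24", 64500),      # legitimate origin M
    ("192.0.2.0/24", 64666),      # another AS originating X/y: flag it
    ("198.51.100.0/25", 64501),   # right AS, but exceeds maxLength 24
    ("203.0.113.0/24", 64502),    # no ROA: RPKI alone can't judge this
]

if __name__ == "__main__":
    for prefix, origin in OBSERVED:
        print(prefix, origin, validate_origin(prefix, origin))
    print("hijack candidates:", find_hijack_candidates(OBSERVED))
```

A 'not-found' result is exactly the case where a peer has nothing to check against, which is why the post argues for publishing ROAs in the first place.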