[76926] in North American Network Operators' Group


Re: Tracking spoofed routes?

daemon@ATHENA.MIT.EDU (David Meyer)
Wed Jan 5 10:06:53 2005

Date: Wed, 5 Jan 2005 07:06:17 -0800
From: David Meyer <dmm@1-4-5.net>
To: Kevin <kkadow@gmail.com>
Cc: nanog@merit.edu, help@routeviews.org
In-Reply-To: <dc718edc05010422076d8a05fe@mail.gmail.com>
Errors-To: owner-nanog-outgoing@merit.edu


	Kevin,

>> I am seeking avenues to investigate a possible case of IP address spoofing.
>> 
>> I've recently received complaints which suggest that in the recent
>> past (but not right now), somebody may have announced a more specific
>> prefix, effectively hijacking "unused" address space within our
>> allocated range.
>> 
>> As it happens, the address space is not unused, just not visible on
>> the public Internet.
>> 
>> 
>> I am aware of route reflectors and other options to manually review
>> what prefixes are currently announced, but have not been able to find
>> a *searchable* archive of historical data, either overall BGP tables
>> or just "unusual" announcements.  The closest thing I've found so far
>> is Route Views (http://www.routeviews.org/), however there is no
>> obvious way to search the (huge) archived data files for substring
>> matches?

	We're involved in trying to build database front ends for
	the data so you can do just this sort of thing. But right
	now, we're a little stuck. One thing you might try is
	using BGPlay to watch what happens to your prefix.

>> Alternately, are there any existing mechanisms for monitoring route
>> announcements which can provide near real-time alerting when any
>> prefixes within specific subnet ranges are announced?

	Not that I know of. You can log into
	route-views.routeviews.org and use the cli to watch it,
	but that is a manual process.

	Hope this helps,

	Dave
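Kevin's second question, whether anything can watch for announcements inside a given range and alert on them, is one a script can answer offline once you have the table data in hand. The following is an added example written for this archive page; it is not code from the thread, from Route Views, or from BGPlay. It reads a small set of constructed announcement lines (a made-up pipe-delimited form, timestamp|peer_as|prefix|as_path, not any tool's real output), keeps only prefixes that fall inside the operator's own allocations, and raises a "foreign-origin" alert when the origin AS at the end of the AS path is not the expected one, plus an informational "own-more-specific" note when a longer prefix inside the allocation is originated by the expected AS. The allocation ranges, AS numbers and the `OWN_ALLOCATIONS` table are assumptions chosen from documentation address space.

```python
import ipaddress

# Constructed sample announcements for this example (not real Route Views data).
# Field layout is this example's own: timestamp|peer_as|prefix|as_path
SAMPLE_ANNOUNCEMENTS = """\
# ts|peer_as|prefix|as_path
1104912000|3356|192.0.2.0/24|3356 64500
1104912060|2914|192.0.2.128/25|2914 64666
1104912120|3356|198.51.100.0/24|3356 64500
1104912180|2914|203.0.113.0/24|2914 64501
1104912240|3356|192.0.2.64/26|3356 64500
"""

# Assumed operator allocations mapped to the AS expected to originate them.
OWN_ALLOCATIONS = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64500,
}


def parse_announcements(text):
    """Parse the constructed pipe-delimited lines into dict records.

    Blank lines and '#' comments are skipped; the AS path becomes a list of ints.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, peer_as, prefix, as_path = line.split("|", 3)
        records.append({
            "ts": int(ts),
            "peer_as": int(peer_as),
            "prefix": ipaddress.ip_network(prefix),
            "as_path": [int(asn) for asn in as_path.split()],
        })
    return records


def find_suspicious(records, allocations):
    """Flag announcements that land inside one of our allocations.

    'foreign-origin': origin AS differs from the expected one (the hijack case
    described in the thread, including a more-specific from someone else).
    'own-more-specific': expected origin, but a longer prefix than the
    allocation itself; usually legitimate, still worth a look.
    """
    alerts = []
    for rec in records:
        for alloc, expected_origin in allocations.items():
            # subnet_of() raises on mixed address families, so check first.
            if rec["prefix"].version != alloc.version:
                continue
            if not rec["prefix"].subnet_of(alloc):
                continue
            origin = rec["as_path"][-1]  # rightmost AS in the path is the origin
            if origin != expected_origin:
                reason = "foreign-origin"
            elif rec["prefix"].prefixlen > alloc.prefixlen:
                reason = "own-more-specific"
            else:
                continue  # exact covering prefix from the expected origin: normal
            alerts.append({
                "ts": rec["ts"],
                "prefix": str(rec["prefix"]),
                "allocation": str(alloc),
                "origin_as": origin,
                "seen_via_peer_as": rec["peer_as"],
                "reason": reason,
            })
    return alerts


def run_sample():
    """Parse the constructed sample and return the alerts it produces."""
    return find_suspicious(parse_announcements(SAMPLE_ANNOUNCEMENTS), OWN_ALLOCATIONS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['ts']} {alert['reason']}: {alert['prefix']} "
              f"inside {alert['allocation']} originated by AS{alert['origin_as']} "
              f"(seen via AS{alert['seen_via_peer_as']})")
```

Run as-is it reports the /25 from AS64666 as a foreign origin and the /26 from the operator's own AS as a more-specific to review, and ignores 203.0.113.0/24 because it lies outside the allocations. Feeding it a real table export would only require replacing the parser for the constructed line format.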

