[76940] in North American Network Operators' Group
Re: Tracking spoofed routes?
daemon@ATHENA.MIT.EDU (Simon Leinen)
Thu Jan 6 08:24:08 2005
To: Arife Vural <arife@ripe.net>
Cc: Florian Frotzler <florian.frotzler@gmx.at>, nanog@merit.edu
From: Simon Leinen <simon@limmat.switch.ch>
In-Reply-To: <20050106102305.GA11734@ripe.net> (Arife Vural's message of
"Thu, 6 Jan 2005 11:23:06 +0100")
Date: Thu, 06 Jan 2005 14:23:33 +0100
Errors-To: owner-nanog-outgoing@merit.edu
Arife Vural writes:
[in response to Florian Frotzler <florian.frotzler@gmx.at>:]
>> To my knowledge, the myas-tool/-service from RIPE NCC is kind of
>> doing what you like to achive.
> MyASN is working on user-based. To get the alarm for unexpected
> routing patterns, you should set it up an account beforehand.
I have been using MyASN for half a year, and it is quite nice.
Setting it up required typing all our customer routes into Web forms,
which was somewhat tedious, but now I receive alerts in almost real
time as soon as someone tries to "highjack" our routes or announces
more-specifics.
For example, there was a large-scale incident on 24 December 2004 (see
e.g. http://www.merit.edu/mail.archives/nanog/msg03827.html). It
started shortly before 09:20 UTC, and at 09:59 UTC I received an alert
from MyASN that some of our customer routes were announced from
another AS. This is very respectable, especially since the system
must have been very heavily loaded at that time, because of the sheer
number of BGP updates and the number of potential alerts (MOST
prefixes were highjacked at some point during that day).
> I think for Kevin's situation, we have other tools. One is called,
> "Search by Prefix" and other one is BGPlay. Both tools are running
> over last 3 months routing data.
One problem is that Kevin is looking for an announcement of a *more
specific* prefix from his space. BGPlay only supports queries on
exact prefixes I think.
The "Search by Prefix" tool seems to be ideal for Kevin's application
though.
> URL for those tools,
> http://www.ris.ripe.net/cgi-bin/risprefix.cgi
> http://www.ris.ripe.net/bgplay/
--
Simon.
