[76983] in North American Network Operators' Group
Re: Tracking spoofed routes?
daemon@ATHENA.MIT.EDU (Nick Feamster)
Sun Jan 9 15:42:19 2005
Date: Sun, 9 Jan 2005 15:39:49 -0500
From: Nick Feamster <feamster@lcs.mit.edu>
To: David Meyer <dmm@1-4-5.net>
Cc: Kevin <kkadow@gmail.com>, nanog@merit.edu, help@routeviews.org
Mail-Followup-To: Nick Feamster <feamster@lcs.mit.edu>,
David Meyer <dmm@1-4-5.net>, Kevin <kkadow@gmail.com>,
nanog@merit.edu, help@routeviews.org
In-Reply-To: <20050105150617.GA14480@1-4-5.net>
Errors-To: owner-nanog-outgoing@merit.edu

You can also see:

http://bgp.lcs.mit.edu/

which has a searchable archive back to 2001 for several feeds. We're
always interested in getting more feeds from folks to make this
searchable archive more comprehensive.

thanks,
-Nick

On Wed, Jan 05, 2005 at 07:06:17AM -0800, David Meyer wrote:
>
> Kevin,
>
> >> I am seeking avenues to investigate a possible case of IP address spoofing.
> >>
> >> I've recently received complaints which suggest that in the recent
> >> past (but not right now), somebody may have announced a more specific
> >> prefix, effectively hijacking "unused" address space within our
> >> allocated range.
> >>
> >> As it happens, the address space is not unused, just not visible on
> >> the public Internet.
> >>
> >>
> >> I am aware of route reflectors and other options to manually review
> >> what prefixes are currently announced, but have not been able to find
> >> a *searchable* archive of historical data, either overall BGP tables
> >> or just "unusual" announcements. The closest thing I've found so far
> >> is Route Views (http://www.routeviews.org/), however there is no
> >> obvious way to search the (huge) archived data files for substring
> >> matches?
>
> We're involved in trying to build database front ends for
> the data so you can do just this sort of thing. But right
> now, we're a little stuck. One thing you might try is
> using BGPlay to watch what happens to your prefix.
>
> >> Alternately, are there any existing mechanisms for monitoring route
> >> announcements which can provide near real-time alerting when any
> >> prefixes within specific subnet ranges are announced?
>
> Not that I know of. You can log into
> route-views.routeviews.org and use the cli to watch it,
> but that is a manual process.
>
> Hope this helps,
>
> Dave
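
One way to search archived updates for the kind of announcement Kevin describes, as an added example that is not from any participant in this thread: it flags announcements that fall inside a monitored allocation and are either more specific than the allocation or originated by an unexpected AS. It assumes the archive files have already been converted to the one-line text format printed by `bgpdump -m`; the function name, prefixes, and AS numbers are constructed for illustration.

```python
import ipaddress

# Constructed sample in the pipe-delimited one-line format printed by `bgpdump -m`
# (assumed field order: type|time|A/W|peer_ip|peer_as|prefix|as_path|origin|...).
# Prefixes and AS numbers are documentation/private-use values, not real data.
SAMPLE = """\
BGP4MP|1104937577|A|192.0.2.1|64500|198.51.100.0/24|64500 64496|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1104937601|A|192.0.2.1|64500|198.51.100.128/25|64500 64511 64666|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1104937640|A|192.0.2.9|64501|203.0.113.0/24|64501 64499|IGP|192.0.2.9|0|0||NAG||
BGP4MP|1104937655|W|192.0.2.1|64500|198.51.100.128/25
BGP4MP|1104937700|A|192.0.2.9|64501|198.51.100.0/24|64501 64666|IGP|192.0.2.9|0|0||NAG||
"""

def find_suspect_announcements(lines, allocations, expected_origins):
    """Return (time, peer_as, prefix, origin_as, reason) for announcements that
    fall inside our allocations but are more specific or have an unexpected origin."""
    nets = [ipaddress.ip_network(a) for a in allocations]
    hits = []
    for line in lines:
        f = line.strip().split("|")
        if len(f) < 7 or f[2] != "A":      # skip withdrawals and short/garbled lines
            continue
        try:
            prefix = ipaddress.ip_network(f[5], strict=False)
        except ValueError:
            continue
        path = f[6].split()
        origin = path[-1].strip("{}") if path else ""   # drop braces around an AS_SET
        for net in nets:
            # subnet_of() raises TypeError across IP versions, so check version first
            if prefix.version != net.version or not prefix.subnet_of(net):
                continue
            reasons = []
            if prefix.prefixlen > net.prefixlen:
                reasons.append("more-specific")
            if origin not in expected_origins:
                reasons.append("unexpected-origin")
            if reasons:
                hits.append((int(f[1]), f[4], str(prefix), origin, "+".join(reasons)))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_announcements(SAMPLE.splitlines(), ["198.51.100.0/24"], {"64496"}):
        print(*hit, sep="\t")
```

The same function can be fed lines from a live text feed instead of an archive to get alerting on new announcements inside the monitored ranges.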