On Sat, 13 Sep 2008, Nathan Ward wrote:
On 12/09/2008, at 10:42 PM, Gadi Evron wrote:
Hi, WatchMy.Net is a new community service to alert you when your prefix has been hijacked, in real-time.
Hi Gadi,
I just had a quick play with this, as I've been considering hacking together something similar.
Thank you for taking a look, and if you like to join in and help develop it, you are welcome to.
It is trivially easy for an attacker to falsify the origin AS. If 'they' are not doing it already, then I'm quite surprised. This isn't really a good thing to alarm on, in my opinion. Or, maybe it is, but there should be big bold text explaining that it's not reliable as it's trivially easy to falsify.
To be honest, I can't think of anything better, all the attributes you can monitor can easily be falsified.
My best idea is looking at the AS_PATH for changes, and alerting whenever that happens. You'd obviously get a different path whenever there is churn in the network though. I'm sure there's a way to do this, and I suspect having BGP feeds from many many places is the most reliable way for it to happen, I just haven't figured out why yet.
You are possibly right, and you are absolutely right that verbosity and documentation need to be better. We'll get there, and hopefully not too long from now. This is a weekend project, although we definitely intend to get through out TO-DO list.
This seems like a service that Renesys etc. could/should (or maybe do?) offer, they seem well placed with all their BGP feeds..
Probably so, but they are a commercial effort.
-- Nathan Ward