On 30/08/2008, at 9:58 AM, Florian Weimer wrote:
* Alex Pilosov:
We've demonstrated ability to monitor traffic to arbitrary prefixes. Slides for presentation can be found here: http://eng.5ninesdata.com/~tkapela/iphd-2.ppt
The interesting question is whether it's acceptable to use this trick for non-malicious day-to-day traffic engineering.
The technique of path-stuffing the ASes that you do not want to receive an announcement is called AS PATH poisoning. It's a fairly well known trick.
Not exactly specifically in reply to your note, but more generally: In the old days, Usenet spammers would sometimes preload the Path: line with names of NNTP transits that they might want to avoid for various reasons (usually the home sites of Usenet spam cancellers). In most ways, avoiding offering an article back to a server because it was already listed in the Path: was merely an optimization, to avoid extra traffic on a futile offer. However, simply removing the exclusion allowed the sending site to attempt the transmission, which would then succeed if the receiving site had not seen the article (etc.).

For purposes of detection, then, it seems reasonable to consider that there could be some way to leverage BGP to monitor for this sort of thing. There would seem to be at least two very interesting things that you could monitor for, which would be irregularities in the AS PATH, and irregularities in your announced prefixes.

Since major networks would need to be involved for significant traffic redirection events, I'm wondering if it would be reasonable to have a looking glass/route server type service that would peer with a bunch of them, based on random 32-bit ASNs assigned from a preallocated range for the purpose, one per network (think: reducing effectiveness of AS PATH stuffing). You could then provide a configurable notification service, or for sites with the technical capabilities, a realtime BGP feed of all events involving their AS or prefixes (again over a randomly assigned 32-bit ASN, and obviously to some off-net IP where they run a monitoring box, so that a prefix hijack is ineffective). Such a service would seem like it would be generally useful for other purposes as well.

There's almost certainly some fatal flaw in this idea, or maybe better yet, some obvious improvements that could be made, so for the BGP gurus out there, what are they? ...
JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN) With 24 million small businesses in the US alone, that's way too many apples.
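As an added illustration of the two monitoring checks Joe describes (irregularities in the AS PATH, and irregularities in your announced prefixes), here is a small Python detector run over constructed route updates. This is example code written for this page, not anything posted in the thread or part of any route-server product. It assumes the monitoring party is a stub network that originates its own prefixes but provides no transit (so its ASN in a path for someone else's prefix is never legitimate), that updates arrive as simple prefix/AS-path records, and it uses documentation-range prefixes and private ASNs throughout; all sample data is made up.

```python
"""Toy BGP anomaly monitor (added example, not from the original thread).

Assumptions, not stated in the thread:
  * the monitored party is a stub AS: it originates MONITORED but never transits;
  * route updates are simplified dicts {"prefix": str, "as_path": [int, ...]},
    with the origin AS last, as a route collector might relay them.
"""
import ipaddress

# Constructed inventory: prefixes we own and the ASN that may originate them.
MY_ASN = 64500
MONITORED = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/23": 64500,
}

# Constructed sample updates. Indices are referenced in the comments below.
SAMPLE_UPDATES = [
    {"prefix": "192.0.2.0/24",      "as_path": [64510, 64520, 64500]},               # 0: normal
    {"prefix": "192.0.2.0/24",      "as_path": [64510, 64520, 64520, 64500]},        # 1: prepending, normal
    {"prefix": "198.51.100.128/25", "as_path": [64510, 64530, 64540]},               # 2: more-specific, foreign origin
    {"prefix": "192.0.2.0/24",      "as_path": [64510, 64530]},                      # 3: exact prefix, foreign origin
    {"prefix": "203.0.113.0/24",    "as_path": [64510, 64500, 64530]},               # 4: our ASN stuffed into a path
    {"prefix": "203.0.113.0/24",    "as_path": [64510, 64520, 64530, 64520, 64540]}, # 5: non-adjacent repeat
]


def compress_prepends(as_path):
    """Collapse consecutive repeats (legitimate prepending) into a single hop."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def check_update(update, monitored=MONITORED, my_asn=MY_ASN):
    """Return a list of alert strings for one update; an empty list means it looks normal."""
    alerts = []
    net = ipaddress.ip_network(update["prefix"], strict=False)
    path = compress_prepends(update["as_path"])
    origin = path[-1] if path else None

    # Prefix irregularities: any announcement overlapping our address space
    # (exact, more-specific or less-specific) must originate from our ASN.
    for mon_prefix, legit_origin in monitored.items():
        mon = ipaddress.ip_network(mon_prefix)
        if net.version != mon.version:
            continue
        if (net.subnet_of(mon) or mon.subnet_of(net)) and origin != legit_origin:
            if net == mon:
                kind = "exact"
            elif net.prefixlen > mon.prefixlen:
                kind = "more-specific"
            else:
                kind = "less-specific"
            alerts.append(f"{kind} announcement of {net} overlapping {mon} "
                          f"originated by AS{origin}, expected AS{legit_origin}")

    # AS PATH irregularity 1: our ASN appears in the path of a prefix we do not
    # originate. For a stub AS (assumption above) this never happens legitimately.
    if my_asn in path and origin != my_asn:
        alerts.append(f"AS{my_asn} appears in path {path} for {net}, which it does not originate")

    # AS PATH irregularity 2: an ASN recurs non-adjacently once prepends are
    # collapsed. Normal BGP loop detection would have dropped such a path.
    if len(set(path)) != len(path):
        alerts.append(f"non-adjacent repeat in path {path} for {net}")

    return alerts


def run_monitor(updates):
    """Map update index -> alerts, keeping only the updates that raised something."""
    findings = {}
    for i, update in enumerate(updates):
        alerts = check_update(update)
        if alerts:
            findings[i] = alerts
    return findings


if __name__ == "__main__":
    for i, alerts in run_monitor(SAMPLE_UPDATES).items():
        for alert in alerts:
            print(f"update {i}: {alert}")
```

Updates 0 and 1 pass (prepending is collapsed before any check), while 2 through 5 each raise exactly one alert. A real deployment would feed `check_update` from a collector such as the off-net monitoring box Joe proposes; the prefix checks need only your own inventory, whereas the "our ASN in a foreign path" check depends on the stub-AS assumption and would need a transit customer list for a transit provider.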