Nathan wrote:
It is trivially easy for an attacker to falsify the origin AS. If 'they' are not doing it already, then I'm quite surprised. This isn't really a good thing to alarm on, in my opinion. Or, maybe it is, but there should be big bold text explaining that it's not reliable as it's trivially easy to falsify.
Yep, true. However, there's the case that someone's just typo'd you, which has happened to, near, around, and by me more frequently than an actual jackification. There was the time I fumble-fingered some net99 space and Karl Denninger started tracking me down to threaten lawsuits (before, I might add, asking me to log into the offending device and change the config). Anyway, the other case is where there shouldn't be a more specific, and you still win. Otherwise, yes, origin AS can be forged but the transit part is even messier, I think.
My best idea is looking at the AS_PATH for changes, and alerting whenever that happens. You'd obviously get a different path whenever there is churn in the network though. I'm sure there's a way to do this, and I suspect having BGP feeds from many many places is the most reliable way for it to happen, I just haven't figured out why yet.
As you point out, the Internet is a really noisy and messy place. Just doing the "different than usual" is something I resisted here because there's so much hidden partial transit that doesn't normally expose. More BGP feeds might just amplify that behavior, though the idea is to get more feeds in.
This seems like a service that Renesys etc. could/should (or maybe do?) offer, they seem well placed with all their BGP feeds..
Not sure who else offers it; it seemed reasonable to do and see if it's useful. Gadi told me there was no free real-time alerting out there but I didn't really look into it. Certainly if anyone wants to see the dynamics, who has advertised what now and in the deep dark past, etc Renesys would be the place to go as far as I know.
Nathan Ward
Avi