Kevin,
> I am seeking avenues to investigate a possible case of IP address spoofing.
> I've recently received complaints which suggest that in the recent past (but not right now), somebody may have announced a more specific prefix, effectively hijacking "unused" address space within our allocated range.
> As it happens, the address space is not unused, just not visible on the public Internet.
> I am aware of route reflectors and other options to manually review what prefixes are currently announced, but have not been able to find a *searchable* archive of historical data, either overall BGP tables or just "unusual" announcements. The closest thing I've found so far is Route Views (http://www.routeviews.org/), however there is no obvious way to search the (huge) archived data files for substring matches?
We're involved in trying to build database front ends for the data so you can do just this sort of thing. But right now, we're a little stuck. One thing you might try is using BGPlay to watch what happens to your prefix.
> Alternately, are there any existing mechanisms for monitoring route announcements which can provide near real-time alerting when any prefixes within specific subnet ranges are announced?
Not that I know of. You can log into route-views.routeviews.org and use the CLI to watch it, but that is a manual process.
Hope this helps,
Dave
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On behalf of David Meyer
Sent: Wednesday, 05 January 2005 16:06
To: Kevin
Cc: nanog@merit.edu; help@routeviews.org
Subject: Re: Tracking spoofed routes?
> > Alternately, are there any existing mechanisms for monitoring route announcements which can provide near real-time alerting when any prefixes within specific subnet ranges are announced?
> Not that I know of. You can log into route-views.routeviews.org and use the CLI to watch it, but that is a manual process.
> Hope this helps,
> Dave
To my knowledge, the myas-tool/-service from RIPE NCC is kind of doing what you like to achieve.
Florian
> > > Alternately, are there any existing mechanisms for monitoring route announcements which can provide near real-time alerting when any prefixes within specific subnet ranges are announced?
> > Not that I know of. You can log into route-views.routeviews.org and use the CLI to watch it, but that is a manual process.
> > Hope this helps,
> > Dave
> To my knowledge, the myas-tool/-service from RIPE NCC is kind of doing what you like to achieve.
MyASN works on a per-user basis. To get the alarm for unexpected routing patterns, you should set up an account beforehand. I think for Kevin's situation, we have other tools. One is called "Search by Prefix" and the other one is BGPlay. Both tools run over the last 3 months of routing data. URLs for those tools:
http://www.ris.ripe.net/cgi-bin/risprefix.cgi
http://www.ris.ripe.net/bgplay/
Arife
Arife Vural writes: [in response to Florian Frotzler <florian.frotzler@gmx.at>:]
> > To my knowledge, the myas-tool/-service from RIPE NCC is kind of doing what you like to achieve.
> MyASN works on a per-user basis. To get the alarm for unexpected routing patterns, you should set up an account beforehand.
I have been using MyASN for half a year, and it is quite nice. Setting it up required typing all our customer routes into Web forms, which was somewhat tedious, but now I receive alerts in almost real time as soon as someone tries to "hijack" our routes or announces more-specifics. For example, there was a large-scale incident on 24 December 2004 (see e.g. http://www.merit.edu/mail.archives/nanog/msg03827.html). It started shortly before 09:20 UTC, and at 09:59 UTC I received an alert from MyASN that some of our customer routes were announced from another AS. This is very respectable, especially since the system must have been very heavily loaded at that time, because of the sheer number of BGP updates and the number of potential alerts (MOST prefixes were hijacked at some point during that day).
> I think for Kevin's situation, we have other tools. One is called "Search by Prefix" and the other one is BGPlay. Both tools run over the last 3 months of routing data.
One problem is that Kevin is looking for an announcement of a *more specific* prefix from his space. BGPlay only supports queries on exact prefixes I think. The "Search by Prefix" tool seems to be ideal for Kevin's application though.
> URLs for those tools:
> http://www.ris.ripe.net/cgi-bin/risprefix.cgi
> http://www.ris.ripe.net/bgplay/
--
Simon.
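The containment check Kevin's problem calls for, as an added example that is not code from anyone in this thread nor from RIS or Route Views: it walks constructed, pipe-separated update records, flags any announcement that falls inside a monitored range but is not originated by the expected AS, and so catches more-specifics that a substring search of archived tables or an exact-prefix query would miss. All ranges, ASNs, peers and records are constructed (documentation prefixes, private ASNs).

```python
import ipaddress
from typing import Dict, List, Optional

# Address space we are responsible for and the AS allowed to originate it.
# None means the range is in use internally but must never appear in the public table.
# Constructed values for this example only.
MONITORED: Dict[str, Optional[int]] = {
    "192.0.2.0/24": 64496,
    "203.0.113.0/24": 64496,
    "2001:db8::/32": None,
}

# Constructed update records, one per line: unix_time|peer_ip|peer_as|prefix|as_path
SAMPLE_UPDATES = """\
1104916800|198.51.100.1|64511|192.0.2.0/24|64511 64500 64496
1104916900|198.51.100.1|64511|192.0.2.128/25|64511 64499 65551
1104917000|198.51.100.1|64511|198.51.100.0/24|64511 64497
1104917100|198.51.100.1|64511|203.0.113.0/25|64511 64496
1104917200|198.51.100.1|64511|2001:db8:1::/48|64511 65553
"""

def parse_update(line: str) -> dict:
    ts, _peer_ip, peer_as, prefix, path = line.split("|")
    return {"time": int(ts), "peer_as": int(peer_as),
            "prefix": ipaddress.ip_network(prefix, strict=True),
            "origin": int(path.split()[-1]), "path": path}

def find_suspicious(lines: List[str], monitored: Dict[str, Optional[int]] = MONITORED) -> List[dict]:
    """One alert per announcement covered by a monitored range whose origin AS is not
    the expected one. Prefix containment (subnet_of), not text matching, is what
    makes a more-specific such as 192.0.2.128/25 show up under 192.0.2.0/24."""
    nets = {ipaddress.ip_network(p): asn for p, asn in monitored.items()}
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        upd = parse_update(line)
        for net, expected in nets.items():
            # subnet_of() raises on a v4/v6 mismatch, so compare versions first
            if upd["prefix"].version != net.version or not upd["prefix"].subnet_of(net):
                continue
            if expected is not None and upd["origin"] == expected:
                continue  # our own AS announcing our own space: nothing to report
            alerts.append({"time": upd["time"], "prefix": str(upd["prefix"]),
                           "covering": str(net), "origin": upd["origin"],
                           "more_specific": upd["prefix"].prefixlen > net.prefixlen,
                           "reason": "dark space announced" if expected is None else "unexpected origin"})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_UPDATES.splitlines()):
        print(alert)
```

Fed a full day of dumps rather than the five constructed lines, the same loop becomes the historical search Kevin was missing; run against a live feed it is the near-real-time alert he asked about next.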
> I have been using MyASN for half a year, and it is quite nice. Setting it up required typing all our customer routes into Web forms, which was somewhat tedious, but now I receive alerts in almost real time as soon as someone tries to "hijack" our routes or announces more-specifics.
Thanks for that feedback, Simon.
> One problem is that Kevin is looking for an announcement of a *more specific* prefix from his space. BGPlay only supports queries on exact prefixes I think.
Yes, you're right. It looks like only "Search by Prefix" could help him.
Arife
You can also see: http://bgp.lcs.mit.edu/ which has a searchable archive back to 2001 for several feeds. We're always interested in getting more feeds from folks to make this searchable archive more comprehensive.
thanks,
-Nick
On Wed, Jan 05, 2005 at 07:06:17AM -0800, David Meyer wrote:
> Kevin,
> > I am seeking avenues to investigate a possible case of IP address spoofing.
> > I've recently received complaints which suggest that in the recent past (but not right now), somebody may have announced a more specific prefix, effectively hijacking "unused" address space within our allocated range.
> > As it happens, the address space is not unused, just not visible on the public Internet.
> > I am aware of route reflectors and other options to manually review what prefixes are currently announced, but have not been able to find a *searchable* archive of historical data, either overall BGP tables or just "unusual" announcements. The closest thing I've found so far is Route Views (http://www.routeviews.org/), however there is no obvious way to search the (huge) archived data files for substring matches?
> We're involved in trying to build database front ends for the data so you can do just this sort of thing. But right now, we're a little stuck. One thing you might try is using BGPlay to watch what happens to your prefix.
> > Alternately, are there any existing mechanisms for monitoring route announcements which can provide near real-time alerting when any prefixes within specific subnet ranges are announced?
> Not that I know of. You can log into route-views.routeviews.org and use the CLI to watch it, but that is a manual process.
> Hope this helps,
> Dave
Participants (5): Arife Vural, David Meyer, Florian Frotzler, Nick Feamster, Simon Leinen