BGP IP prefix hijack detection times
Hi Nanog,
what are the detection times for BGP IP prefix hijack detection systems adopted by community members/operators (if any)?
Regards, Nagarjun
you probably want to ask the people that make these systems, yes?
On Sun, Feb 26, 2017 at 7:12 AM, Nagarjun Govindraj via NANOG <nanog@nanog.org> wrote:
Hi Nanog,
what are the detection times for BGP IP prefix hijack detection systems adopted by community members/operators (if any) ?
Regards, Nagarjun
Also: "How reliable are the alerts being sent?"
On Mon, Feb 27, 2017 at 12:19 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
you probably want to ask the people that make these systems, yes?
Well, the idea behind the mail was to know if anyone in the community is doing real-time BGP IP prefix hijack detection. For example, the Artemis detection tool claims to detect in 1.4 ~ 3.1 minutes. So I wanted to know if anyone in the community is using such tools for detecting hijacks, and if so, how much time the system takes to detect.
Regards, Nagarjun
On Mon, Feb 27, 2017 at 10:59 PM Nick Hilliard <nick@foobar.org> wrote:
Christopher Morrow wrote:
Also: "How reliable are the alerts being sent?"
also: do the SMTP servers which handle mail for the domain of the alerting email address use the IP address space they're notifying about?
Nick
On Tue, Feb 28, 2017 at 12:15 AM, Nagarjun Govindraj <nagarjun.govindraj@imaginea.com> wrote:
Well, the idea behind the mail was to know if anyone in the community is doing real-time BGP IP prefix hijack detection. For example, the Artemis detection tool claims to detect in 1.4 ~ 3.1 minutes. So I wanted to know if anyone in the community is using such tools for detecting hijacks, and if so, how much time the system takes to detect.
My guess is: "yes, people are struggling through hijack detection problems" and: "1-3 minutes isn't as important as the time spent figuring out: 1) is the alert real (this time!), 2) what will you do about it?"

Then you sink time into: "Hey remote peer of not me, could you stop accepting the prefix X/y from your 'customer' because .. clearly they are not me..."

Also, maybe time to push for more RPKI deployment so you can say: "Hey peer of not me out there in the world, you note that I've a signed certificate from $RIR attesting that I'm the proper user of prefix X/y and I've created and published ROA data saying the proper origin-as for X/y is M... your customer isn't M... so, yea, please stop accepting that prefix from them? Kthxbi!"

You may ALSO want to ask: "So, about that customer (and all your other customers) you DO have bgp prefix filters on their sessions, right? because the year is 2017 and that is ... table-stakes for operating a part of the global internet now... right?"

-chris
On 28/02/2017 07:15, Nagarjun Govindraj via NANOG wrote:

So what if you detect in 1.4 minutes or 3.1 minutes? Or even 8 minutes? What then? You certainly couldn't do anything to prevent it after 3.1 minutes.

First you need to analyze whether the BGP hijack is a false positive or not. Could be the customer you are watching is testing out some cloud based anti-DDOS mitigation and is allowing some other ASN to announce their /24 (intentional). Could be the ASN on the other side of the world has implemented some BGP optimization box which announces prefixes internally to do TE but they also happen to be sending BGP updates to Dyn/BGPMON/Team Cymru/whoever. Could be the customer you are monitoring has decided to blackhole some malicious IP and has started to announce a /32 internally and they too feed BGP announcements to Dyn/BGPMON/Team Cymru/whoever. I have many other examples.

After you get an announcement of a BGP hijack, you start investigating. You determine the extent of the hijack - is it localized to one geographic area or is it worldwide. Is it just you or are there thousands of other prefixes affected. After 15 minutes you sit down and write an email to the ASN doing the announcement. For that you hope whois is up to date, which 60% of the time it is not. So you start scraping Google for possible email addresses to contact. After not getting a response for 24 hours you send an email to their upstream ASN (also contingent on finding proper email addresses that will respond). After waiting another day you send an email to the upstream of the upstream and you keep repeating the process until you find someone responsive.

Stopping a BGP hijack does not take 1.4 minutes or 3.1 minutes. It is usually hours and sometimes days until the hijack is stopped.

-Hank
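Chris's RPKI/ROA point and Hank's list of legitimate announcements that look like hijacks, worked through as an added example: this is not part of the thread and not ARTEMIS, BGPmon or any poster's code. It runs RFC 6811 route origin validation over a constructed ROA set and a constructed route-collector feed, then applies operator-declared exceptions (a declared scrubbing provider, the holder's own more-specific) before an RPKI-invalid route becomes a "possible hijack", and counts how many collectors saw each one. The ROA/Announcement classes, the mitigation allowlist, the collector names, prefixes and ASNs are all assumptions made for the example.

```python
"""Constructed example added to this thread; not ARTEMIS or any poster's
code.  Classifies observed BGP announcements against RPKI ROAs (RFC 6811),
then filters RPKI-invalid ones through the exceptions Hank describes
(declared DDoS-scrubbing provider, holder's own /32 blackhole leaking)
before calling anything a possible hijack.  All ASNs, prefixes and
collector names are made up."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    origin_asn: int        # 0 means "nobody may originate this" (RFC 7607)


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int
    collector: str         # vantage point (route collector) that saw it


def covering_roas(prefix, roas):
    """ROAs whose prefix contains `prefix` (same address family only)."""
    net = ipaddress.ip_network(prefix, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def rov_state(prefix, origin_asn, roas):
    """RFC 6811 section 2: 'valid' if a covering ROA matches origin and
    maxLength, 'invalid' if covered but nothing matches, else 'not-found'."""
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"
    plen = ipaddress.ip_network(prefix, strict=False).prefixlen
    for roa in covering:
        if (roa.origin_asn != 0 and roa.origin_asn == origin_asn
                and plen <= roa.max_length):
            return "valid"
    return "invalid"


def classify(ann, roas, mitigation_asns):
    """Map an ROV result onto something an operator would act on.

    ok                   RPKI-valid
    unknown              no covering ROA; RPKI alone cannot decide
    own-more-specific    invalid only because the holder's own ASN announced
                         something longer than maxLength (e.g. a leaked /32
                         blackhole): misconfiguration, not a hijack
    expected-mitigation  invalid, but originated by an ASN the holder has
                         declared as its scrubbing provider
    possible-hijack      invalid and none of the above
    `mitigation_asns` maps holder ASN -> set of ASNs it allows to originate.
    """
    state = rov_state(ann.prefix, ann.origin_asn, roas)
    if state == "valid":
        return "ok"
    if state == "not-found":
        return "unknown"
    holders = {roa.origin_asn for roa in covering_roas(ann.prefix, roas)}
    if ann.origin_asn in holders:
        return "own-more-specific"
    if any(ann.origin_asn in mitigation_asns.get(h, set()) for h in holders):
        return "expected-mitigation"
    return "possible-hijack"


def triage(announcements, roas, mitigation_asns):
    """Verdict per (prefix, origin) plus, for possible hijacks, the number of
    collectors that saw it: Hank's 'localized or worldwide' question."""
    verdicts, seen_at = {}, defaultdict(set)
    for ann in announcements:
        key = (ann.prefix, ann.origin_asn)
        verdicts[key] = classify(ann, roas, mitigation_asns)
        if verdicts[key] == "possible-hijack":
            seen_at[key].add(ann.collector)
    return verdicts, {k: len(v) for k, v in seen_at.items()}


# Constructed ROA set and collector feed (documentation prefixes, private
# ASNs).  A real deployment would take ROAs from an RPKI validator and
# updates from route collectors such as RIPE RIS or RouteViews.
ROAS = [ROA("203.0.113.0/24", 24, 64500), ROA("192.0.2.0/24", 24, 0)]
MITIGATION = {64500: {64520}}   # AS64500 declared AS64520 as its scrubber
OBSERVED = [
    Announcement("203.0.113.0/24", 64500, "rc-a"),   # the holder itself
    Announcement("203.0.113.0/24", 64666, "rc-a"),   # foreign origin
    Announcement("203.0.113.0/24", 64666, "rc-b"),   # same, second collector
    Announcement("203.0.113.0/25", 64666, "rc-c"),   # foreign more-specific
    Announcement("203.0.113.0/24", 64520, "rc-a"),   # scrubbing provider
    Announcement("203.0.113.77/32", 64500, "rc-a"),  # holder's /32 blackhole leaked
    Announcement("198.51.100.0/24", 64600, "rc-a"),  # no ROA at all
    Announcement("192.0.2.0/24", 64600, "rc-a"),     # AS0 ROA: nobody may originate
]

if __name__ == "__main__":
    verdicts, extent = triage(OBSERVED, ROAS, MITIGATION)
    for (prefix, asn), verdict in verdicts.items():
        print(f"{prefix:<18} AS{asn:<6} {verdict:<20} "
              f"seen at {extent.get((prefix, asn), 0)} collector(s)")
```

The point of the exception layer is the one Hank makes: an RPKI-invalid route is not automatically a hijack, and the detector should know about the scrubbing provider and the customer's own more-specifics before it pages anyone. Routes with no ROA at all come back "unknown", which is the honest answer until the holder publishes one, as Chris suggests.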
The goal is not to mitigate or take action against the malicious activity. The goal is to detect the hijacking event while reducing false positives as much as possible. I know false positives are one of the key factors to consider. I am just trying to distinguish a legitimate advertisement from a hijack event.
Regards, Nagarjun
On Tue, Feb 28, 2017 at 11:31 AM Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
On Tue, Feb 28, 2017 at 1:17 AM, Nagarjun Govindraj <nagarjun.govindraj@imaginea.com> wrote:
I am just trying to distinguish a legitimate advertisement from a hijack event.
that's what everyone's trying to do... if you aren't trying to fix things, why do you care about them at all?
participants (4)
- Christopher Morrow
- Hank Nussbacher
- Nagarjun Govindraj
- Nick Hilliard