BGP Attack - Best Defense ?
My question revolves around the best recovery from an attack of the type we've been discussing. I only figured out the attack methodology yesterday evening Hawaiian Standard Time. Be gentle please... :-) I am signed up for the Prefix Hijack Alert System (phas.netsec.colostate.edu) and would be alerted in about 6 hours (or less?) about a prefix announcement change. I then would deaggregate (as little as possible) to be able to announce the same more specific as the attacker. The topologically closer ASs would then start sending the traffic to me properly. Those topologically closest to the attacker would still send to the attack path. I would then try to contact the ASs still using the attack path to get it stopped. (Yell help on NANOG? ;-) Is this the best recovery plan at this time? scott
I am signed up for the Prefix Hijack Alert System (phas.netsec.colostate.edu) and would be alerted in about 6 hours (or less?) about a prefix announcement change.
Would the alerts go to a mail server behind said BGP prefixes? Also, if you're gonna bother at all.. I'd humbly suggest that 6 hours is too long to wait. Without naming names, consider if this response time is adequate, and if not, look at some of the commercial options.
On Fri, 29 Aug 2008, Scott Weeks wrote:
I am signed up for the Prefix Hijack Alert System (phas.netsec.colostate.edu) and would be alerted in about 6 hours (or less?) about a prefix announcement change.
I then would deaggregate (as little as possible) to be able to announce the same more specific as the attacker.
Announcing the same prefix length as the attacker would get you back some portion of your traffic, rather than all of it. You'd really want to announce something more specific than what the attacker is announcing. Of course, then you'd need to get your upstreams to accept the more specific, which might mean modifying filters. How quickly can you get your upstreams to do that? Also, please don't be like Covad. If you deaggregate to deal with a highjacking, make your deaggregation temporary, and clean it up when it's not needed anymore.
I would then try to contact the ASs still using the attack path to get it stopped. (Yell help on NANOG? ;-)
If you try to contact networks that are innocently hearing the announcement, rather than those involved in propagating it, you'll have a lot of networks to contact. A better move would be to contact those originating the announcement (unless you think they're involved in something malicious), and then their upstreams, and if that doesn't work, their upstreams' upstreams. Calling an upstream provider's NOC to ask them to modify a customer's filters generally gets met with lots of skepticism. You'll almost certainly be told that you have to be the customer whose filter it is to ask to have it modified. You'll need to be quite firm, and will probably need to ask to speak to somebody higher up than the front-line tech who answers the phone. The very few times I've had to do this, I've also found it quite useful to deemphasize their receiving of the prefix from a customer, and emphasize that they were announcing it to the rest of the world. "You are announcing our prefix, and you are not authorized to do so," is a useful line. -Steve
participants (3)
-
Jason Fesler
-
Scott Weeks
-
Steve Gibbard