It may be the North American NOG, but it's been said before that it functions as a GNOG, G for Global. I don't think Brazil is insignificant. I respect Todd's work greatly, but I think he's wrong on this point. - original message - Subject: Re: Prefix Hijack Tool Comaprision From: "Scott Weeks" <surfer@mauigateway.com> Date: 13/11/2008 7:42 pm --- todd@renesys.com wrote: From: Todd Underwood <todd@renesys.com> interesting, but it's not operationally significant. i would not consider the fact that PHAS and Watchmy didn't alert any particular criticism of them. but perhaps there was something else to which you were referring. ---------------------------------- I think he was just referring to and answering my question. I hope to see how these tools work in 'small' incidents as well as large-scale incidents. Knowing the tool's capabilities increases one's ability to assess the damage while troubleshooting. scott
alexander, all, On Thu, Nov 13, 2008 at 07:56:26PM +0000, Alexander Harrowell wrote:
It may be the North American NOG, but it's been said before that it functions as a GNOG, G for Global. I don't think Brazil is insignificant. I respect Todd's work greatly, but I think he's wrong on this point.
you misread me. i did not say that brazil was insignificant. it's not. it has some of the fastest growing internet in latin america. i said that *this* hijacking took place in an insignificant corner of the internet. i mean this AS-map wise rather than geographically. this hijacking didn't even spread beyond one or two ASes, one of whom just happened to be a RIPE RIS peer. real hijackings leak into dozens or hundreds or thousands of ASNs. they spread far and wide. that's why people carry them out, when they do. this one was stopped in its tracks in a very small portion of one corner of the AS graph. as such, i don't count it as a hijacking or leak of any great significance and wouldn't want to alert anyone about it. that's why i recommend that prefix hijacking detection systems do thresholding of peers to prevent a single, rogue, unrepresentative peer from reporting a hijacking when none is really happening. others may have a different approach, but without thresholding prefix alert systems can be noisy and more trouble than they are worth. sorry if it appears that i was denegrating .br . i was not. t. -- _____________________________________________________________________ todd underwood +1 603 643 9300 x101 renesys corporation todd@renesys.com http://www.renesys.com/blog
Todd Underwood wrote:
i said that *this* hijacking took place in an insignificant corner of the internet. i mean this AS-map wise rather than geographically. this hijacking didn't even spread beyond one or two ASes, one of whom just happened to be a RIPE RIS peer.
Yet for someone monitoring from their own perspective, what matters to them is what their own AS is seeing. If a hijacking makes it to their AS, they want to be concerned.
real hijackings leak into dozens or hundreds or thousands of ASNs. they spread far and wide. that's why people carry them out, when they do. this one was stopped in its tracks in a very small portion of one corner of the AS graph.
Wasn't there a dns hijack not long ago that only had the scope of one ISP (who just happened to be extremely large and carried a bunch of cell phones)? Just because a hijack only covers a small portion of the net doesn't make it any less effective. This is why we push to get as many access controls as far out to the edge as possible. If it only effects the person who tries it, then it has no bearing.
as such, i don't count it as a hijacking or leak of any great significance and wouldn't want to alert anyone about it. that's why i recommend that prefix hijacking detection systems do thresholding of peers to prevent a single, rogue, unrepresentative peer from reporting a hijacking when none is really happening. others may have a different approach, but without thresholding prefix alert systems can be noisy and more trouble than they are worth.
Thresholds might be important, but different mileage, yada yada. Jack
On Nov 13, 2008, at 1:05 PM, Todd Underwood wrote:
as such, i don't count it as a hijacking or leak of any great significance and wouldn't want to alert anyone about it. that's why i recommend that prefix hijacking detection systems do thresholding of peers to prevent a single, rogue, unrepresentative peer from reporting a hijacking when none is really happening. others may have a different approach, but without thresholding prefix alert systems can be noisy and more trouble than they are worth.
While I agree that this incident didn't appear to much impact anyone beyond CTBC and their customers (where we very clearly impacted considerably), I would contend that ANY time anyone asserts reachability of another ASNs address space the owner of that space should be alerted. IMO, if an actual intentional targeted attack were to be launched, versus, say, the slew of accidental leaks we mostly see, then it may very well be scoped to some insignificant corner of the Internet, as close to the targets as possible - that's precisely what I'd do if I were to launch such an attack.... Now, if the goal is denial of service or a leak, sure, it'll likely propagate much wider - and be detected much quicker. -danny
Hi all, .-- My secret spy satellite informs me that at Thu, 13 Nov 2008, Todd Underwood wrote:
that's why i recommend that prefix hijacking detection systems do thresholding of peers to prevent a single, rogue, unrepresentative peer from reporting a hijacking when none is really happening. others may have a different approach, but without thresholding prefix alert systems can be noisy and more trouble than they are worth.
For those who like to use a peer threshold, BGPmon.net now has minimum peer threshold support. For more information see: http://bgpmon.net/blog/?p=88 Cheers, Andree
participants (5)
-
Alexander Harrowell -
Andree Toonk -
Danny McPherson -
Jack Bates -
Todd Underwood