Re: BGP Attack - Best Defense ?
------- jfesler@gigo.com wrote: -------
From: Jason Fesler <jfesler@gigo.com>

I am signed up for the Prefix Hijack Alert System (phas.netsec.colostate.edu) and would be alerted in about 6 hours (or less?) about a prefix announcement change.

Would the alerts go to a mail server behind said BGP prefixes?
---------------------------------------

They would go to me. They have been coming to me since I heard about this service on NANOG. Thanks, folks at Colorado State University! :-)

--------------------------------------
Also, if you're gonna bother at all... I'd humbly suggest that 6 hours is too long to wait. Without naming names, consider if this response time is adequate, and if not, look at some of the commercial options.
--------------------------------------

I'm currently on an eyeball network and no one is physically close to me, since I'm in Hawaii (the most isolated land mass in the world). Even though the TTL changes in this attack, the physics don't. The gamers would probably be the first alert folks as they would see the delay regardless of what their traceroutes say... ;-)

In this attack the traffic makes it to both end-points. The middle is what changes.

Restating my question differently: If the attacker is announcing a /24 of mine, I figure it out somehow and I start announcing the same. What happens if the attacker doesn't stop?
On Fri, 29 Aug 2008, Scott Weeks wrote:
> Restating my question differently: If the attacker is announcing a /24 of mine, I figure it out somehow and I start announcing the same. What happens if the attacker doesn't stop?

You may as well announce both the same /24 and /25s if you can...though those probably won't make it far. If they hijack something less specific than a /24, go one bit more specific than the rogue announcement. After that, try contacting the rogue ASN's upstreams. After that? See if you can find a backhoe for hire?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
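The two halves of this thread, an origin-change alert of the kind PHAS sends and the "one bit more specific" response Jon Lewis describes, as an added worked example (my code, not anything posted in the thread or published by PHAS). It assumes the common practice that IPv4 announcements longer than a /24 are filtered by most networks, and all prefixes and ASNs in it are constructed sample values from documentation ranges and the private ASN space, not real hijack data.

```python
"""Added example, not code from the NANOG thread above.

  * detect_hijacks(): a minimal origin check like the one an alert
    system such as PHAS performs, comparing observed (prefix, origin ASN)
    pairs against the prefixes you own and flagging any announcement
    inside your space with an unexpected origin.
  * counter_prefixes(): the response from the thread, i.e. announce the
    same prefix plus the two halves one bit more specific than the rogue
    announcement, separating out anything longer than a /24 because it
    "probably won't make it far".
"""
import ipaddress

# Assumed common filter limit: IPv4 announcements longer than /24 are
# dropped by most transit networks, so longer more-specifics rarely propagate.
MAX_PROPAGATING_PREFIXLEN = 24


def detect_hijacks(owned, observed):
    """owned: {prefix: expected_origin_asn}; observed: [(prefix, origin_asn)].

    Returns (prefix, rogue_origin, expected_origin) for every observed
    announcement that equals or lies inside an owned prefix but carries a
    different origin ASN (exact-prefix and sub-prefix hijacks). Covering,
    less-specific announcements are not flagged: the owner's more-specific
    route still wins for them.
    """
    owned_nets = {ipaddress.ip_network(p, strict=True): asn
                  for p, asn in owned.items()}
    alerts = []
    for prefix, origin in observed:
        net = ipaddress.ip_network(prefix, strict=True)
        for mine, expected in owned_nets.items():
            # subnet_of() is True for an equal prefix as well as a sub-prefix;
            # the version check avoids a TypeError on mixed v4/v6 comparison.
            if net.version == mine.version and net.subnet_of(mine) \
                    and origin != expected:
                alerts.append((str(net), origin, expected))
    return alerts


def counter_prefixes(rogue_prefix, max_len=MAX_PROPAGATING_PREFIXLEN):
    """Prefixes to announce against a rogue announcement of rogue_prefix.

    Returns (announce, likely_filtered): the rogue prefix itself plus its two
    one-bit-more-specific halves. Halves longer than max_len go into
    likely_filtered because they are unlikely to propagate.
    """
    net = ipaddress.ip_network(rogue_prefix, strict=True)
    announce = [str(net)]
    likely_filtered = []
    if net.prefixlen >= net.max_prefixlen:
        return announce, likely_filtered      # a host route cannot be split
    halves = [str(s) for s in net.subnets(prefixlen_diff=1)]
    if net.prefixlen + 1 <= max_len:
        announce.extend(halves)
    else:
        likely_filtered.extend(halves)
    return announce, likely_filtered


if __name__ == "__main__":
    # Constructed sample: we originate 192.0.2.0/23 from private AS64500.
    OWNED = {"192.0.2.0/23": 64500}
    # Constructed route-collector view: our own route, a more-specific /24
    # originated by AS64496, and an unrelated prefix from AS64497.
    OBSERVED = [
        ("192.0.2.0/23", 64500),
        ("192.0.2.0/24", 64496),
        ("198.51.100.0/24", 64497),
    ]
    for prefix, rogue_asn, expected in detect_hijacks(OWNED, OBSERVED):
        print(f"ALERT {prefix} originated by AS{rogue_asn}, expected AS{expected}")
        announce, filtered = counter_prefixes(prefix)
        print("  announce:", ", ".join(announce))
        if filtered:
            print("  likely filtered by upstreams:", ", ".join(filtered))
```

Run against the constructed sample, the script flags the /24 from AS64496 and proposes announcing the same /24 while listing the two /25s as unlikely to propagate; for a rogue /23 it would instead propose the /23 plus both /24 halves, which is exactly the "one bit more specific" move from the reply above. The check deliberately stays silent about covering announcements, so a real deployment should also watch for withdrawal of its own routes.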