Bgpmon alternatives?

TJ_Trout · June 16, 2019, 1:55am

Any simple and easy bgpmon alternatives you guys could recommend?

Mike_Leber · June 16, 2019, 9:25am

As a beta service you can try out rt-bgp.he.net. This is a real time
bgp monitoring service we are developing.

It's a work in progress so please make sure to send Martin Winter
<mwinter@he.net> any feedback or feature requests.

It works based on contributed BGP feeds, so if you see based on the heat
map that you can provide a feed from an area of the world we don't
currently have it would be a big favor.

Mike.

Toma_Gavrichenkov · June 16, 2019, 9:28am

https://radar.qrator.net/

(this is not an advertisement!)

Brian_Kantor · June 16, 2019, 9:48am

It's interesting, but I don't see any way to do what I primarily
use the existing BGPMon for: watch for hijacks.

That is, set up one or more prefixes to be continuously monitored
and have the monitor send me an email alert when that prefix or a
subnet of it begins to be announced by someone new.

For example, if I have told it to monitor 44.0.0.0/8 and someone
somewhere begins announcing it, or perhaps 44.1.0.0/16, I'd very
much like to know about that, along with details of who and where.

Then if that announcement is authorized, I can tell the monitoring
service that this new entry is NOT a hijack, and it won't bug me
about it again.

Can it be persuaded to do this?
- Brian

Mike_Leber · June 16, 2019, 10:59am

I'm sure if it doesn't do exactly that already, we can add it shortly.

Some of planned functionality for hijack detection is already live.
That's one of the main reasons for creating this service.

Mike.

Brian_Kantor · June 16, 2019, 11:20am

That would be wonderful. Thank you!
- Brian

Michael_Hallgren2 · June 16, 2019, 11:40am

RIS Live API is a choice for this.

mh

Hank_Nussbacher1 · June 16, 2019, 12:00pm

I have been a subscribed member to your service for a number of years and do not see where I can receive an email pushed to my my inbox of a suspected BGP hijack. Can that be added?

Regards,

Hank

Jared_Mauch · June 16, 2019, 12:54pm

Yes. Here’s some sample code:

https://github.com/jaredmauch/rislive

It also helps the more feeds they get, please add feeds to them so there are more views of any possible malicious activities.

Vasileios_Kotronis · June 16, 2019, 1:09pm

Hello,

in case you would like to check out open-source projects

you could try our community tool ARTEMIS https://github.com/FORTH-ICS-INSPIRE/artemis

which uses RIS live and Routeviews feeds (as well as optionally local network feeds)

to detect hijacks of different types (e.g., sub-prefix, fake origin/neighbor, etc.) in real-time.

Best,

Vasileios

Matt_Corallo · June 16, 2019, 2:26pm

There’s also https://github.com/NLNOG/bgpalerter (which I believe they’re trying to turn into a website frontend based on RIS, but I run it with patches for as_path regexes and it works pretty well).

TJ_Trout · June 16, 2019, 3:42pm

Thanks Mike

TJ_Trout · July 18, 2019, 12:15am

Anyone know of a hosted alternative to bgpmon? I’m testing Qrator but I can’t determine if it will notify in real-time of a prefix hijack?

Saunders_D_Wayne · July 18, 2019, 12:44am

We moved to Thousandeyes for this function

Toma_Gavrichenkov · July 18, 2019, 5:44am

Qrator guy there.
Real-time notifications are there but are only available on a
commercial basis, because basically real time is expensive to compute.
The rest is free.

Hank_Nussbacher1 · July 18, 2019, 9:42am

What about once a day notification of BGP hijack? Is that also expensive to compute? I have an account and cannot find any documentation of realtime notifications nor its cost. All I found was this - https://qrator.net/en/pricing . Can you send links to the BGP hijack notification service and its cost?

Thanks,
-Hank

TJ_Trout · July 18, 2019, 6:31pm

I also cannot find a way to subscribe to your hijack notifications?

Konstantinos_Koutali · July 18, 2019, 9:40pm

I’ve been testing out thousandeyes for the past 1,5-2 month(s) and I’m very happy with it.
Depending on what you want to do with it, it can be expensive but for my current employer it’s worth the investment due to the extra visibility it provides.

– Kostas (Konstantinos) Koutalis

Toma_Gavrichenkov · July 20, 2019, 12:51am

> Qrator guy there.
> Real-time notifications are there but are only available on a
> commercial basis, because basically real time is expensive to compute.
> The rest is free.

What about once a day notification of BGP hijack? Is that also
expensive to compute?

That's in the works, but honestly we see no user demand for that.
Either it's real time, or it's not needed. Therefore, it's not a high
priority.

I have an account and cannot find any
documentation of realtime notifications nor its cost. All I found was
this - https://qrator.net/en/pricing . Can you send links to the BGP
hijack notification service and its cost?

This is basically a noncommercial service, so there's really no price
list. Depends on an IP prefix count, but around $500/mo./ASN would be
about enough for us to cover our expenses and to afford a couple beers
at the end of the month.