community real-time BGP hijack notification service

Nathan wrote:

It is trivially easy for an attacker to falsify the origin AS. If 'they' are
not doing it already, then I'm quite surprised.
This isn't really a good thing to alarm on, in my opinion. Or, maybe it is, but
there should be big bold text explaining that it's not reliable as it's
trivially easy to falsify.

Yep, true.

However, there's the case that someone's just typo'd you, which has happened
to, near, around, and by me more frequently than an actual jackification.
There was the time I fumble-fingered some net99 space and Karl Denninger
started tracking me down to threaten lawsuits (before, I might add, asking
me to log into the offending device and change the config).

Anyway, the other case is where there shouldn't be a more specific, and you
still win.

Otherwise, yes, origin AS can be forged but the transit part is even messier,
I think.

My best idea is looking at the AS_PATH for changes, and alerting whenever that
happens. You'd obviously get a different path whenever there is churn in the
network though. I'm sure there's a way to do this, and I suspect having BGP
feeds from many many places is the most reliable way for it to happen, I just
haven't figured out why yet.

As you point out, the Internet is a really noisy and messy place. Just doing
the "different than usual" is something I resisted here because there's so much
hidden partial transit that doesn't normally expose.

More BGP feeds might just amplify that behavior, though the idea is to get more
feeds in.

This seems like a service that Renesys etc. could/should (or maybe do?) offer,
they seem well placed with all their BGP feeds..

Not sure who else offers it; it seemed reasonable to do and see if it's useful.
Gadi told me there was no free real-time alerting out there but I didn't really
look into it.

Certainly if anyone wants to see the dynamics, who has advertised what now and
in the deep dark past, etc Renesys would be the place to go as far as I know.

Nathan Ward

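The three checks discussed above (origin AS differs from the expected one, a more-specific appears under a prefix that should never have one, and the AS_PATH changes as seen from a given vantage point) can be sketched in a few lines. The following is an added illustration, not code from either poster or from any real service; the prefixes, AS numbers, collector names ("rrc00", "rrc01") and UPDATE stream are all constructed sample data. As the thread notes, the origin-AS check is advisory only, since an attacker can announce the victim's origin AS at the end of a forged path, so the absence of an origin-mismatch alert proves nothing.

```python
"""Toy prefix-hijack detector over a constructed BGP UPDATE stream.

Added example, not code from the thread. Prefixes are RFC 5737
documentation ranges and AS numbers are RFC 5398 documentation ASNs;
collector names and the update list below are made up.
"""
from ipaddress import ip_network

# Monitored prefixes and the origin AS(es) we expect to announce them.
WATCHED = {
    ip_network("192.0.2.0/24"): {64496},
    ip_network("198.51.100.0/24"): {64497},
}


class HijackMonitor:
    def __init__(self, watched):
        self.watched = dict(watched)
        # (collector, prefix) -> last AS_PATH seen from that vantage point.
        # Tracked per collector because the path legitimately differs by
        # where you look from.
        self.last_path = {}

    def _covering(self, prefix):
        """Return the watched prefix equal to or covering `prefix`, if any."""
        for w in self.watched:
            if prefix.version == w.version and prefix.subnet_of(w):
                return w
        return None

    def observe(self, collector, prefix_str, as_path):
        """Process one announcement; return the list of alerts it raises."""
        prefix = ip_network(prefix_str)
        path = tuple(as_path)
        origin = path[-1]          # origin AS is the rightmost AS_PATH element
        alerts = []

        w = self._covering(prefix)
        if w is None:
            return alerts          # not a prefix we watch

        # Case 2 from the thread: there should never be a more specific.
        if prefix != w:
            alerts.append(("more-specific", collector, prefix_str, origin))

        # Case 1: origin AS is not one of ours. Easily forged, so advisory.
        if origin not in self.watched[w]:
            alerts.append(("origin-mismatch", collector, prefix_str, origin))

        # Case 3: AS_PATH changed relative to what this collector saw last.
        # A change in the AS adjacent to the origin (new transit) is more
        # interesting than churn further up the path.
        key = (collector, prefix)
        prev = self.last_path.get(key)
        if prev is not None and prev != path:
            kind = "upstream-change" if prev[-2:] != path[-2:] else "path-churn"
            alerts.append((kind, collector, prefix_str, prev, path))
        self.last_path[key] = path
        return alerts


# Constructed sample feed: (collector, prefix, AS_PATH as a list).
SAMPLE_UPDATES = [
    ("rrc00", "192.0.2.0/24", [64510, 64500, 64496]),   # first sighting, fine
    ("rrc01", "192.0.2.0/24", [64511, 64500, 64496]),   # other vantage point, fine
    ("rrc00", "192.0.2.0/24", [64510, 64501, 64496]),   # transit next to origin changed
    ("rrc00", "192.0.2.0/25", [64510, 64502, 64496]),   # more-specific with "our" origin
    ("rrc01", "198.51.100.0/24", [64511, 64503, 64498]),  # wrong origin (typo or hijack)
    ("rrc00", "203.0.113.0/24", [64510, 64499]),        # not watched, ignored
    ("rrc01", "192.0.2.0/24", [64509, 64500, 64496]),   # churn far from the origin
]


def run_sample(updates=SAMPLE_UPDATES):
    """Feed the sample stream through a fresh monitor and return all alerts."""
    mon = HijackMonitor(WATCHED)
    out = []
    for collector, prefix, path in updates:
        out.extend(mon.observe(collector, prefix, path))
    return out


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The per-collector path memory is what makes "different than usual" tolerable: a path is only compared with the last path from the same feed, and far-from-origin churn is labelled separately from a change in the AS next to the origin. More feeds still multiply the churn alerts, which is the trade-off the thread points out.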

Avi Freedman wrote:

RIS provides data in a searchable MySQL database for three months.

All we've ever collected is kept in a raw data format. This archive starts in 1999, and we maintain a library to read the data.
This data is free to use for any purpose and we will not remove any of our raw data as it gets older.

We are also carefully looking into whether we should reduce or increase the amount of data in our MySQL database - as that's easy to search for our users.

However, any increase obviously comes with increased resource usage - so this is something that requires careful thinking and planning.
Another option is to store aggregated info on older data, instead of keeping every update that ever occurred.

But, this is just an idea that crosses our minds from time to time - I'm not making promises on what we will implement :)

Of course, any ideas on how much more history would help you, are very welcome.