Nathan wrote:
It is trivially easy for an attacker to falsify the origin AS. If 'they' are
not doing it already, then I'm quite surprised.
This isn't really a good thing to alarm on, in my opinion. Or, maybe it is, but
there should be big bold text explaining that it's not reliable as it's
trivially easy to falsify.
Yep, true.
However, there's the case that someone's just typo'd you, which has happened
to, near, around, and by me more frequently than an actual jackification.
There was the time I fumble-fingered some net99 space and Karl Denninger
started tracking me down to threaten lawsuits (before, I might add, asking
me to log into the offending device and change the config).
Anyway, the other case is where there shouldn't be a more specific, and you
still win.
Otherwise, yes, origin AS can be forged but the transit part is even messier,
I think.
My best idea is looking at the AS_PATH for changes, and alerting whenever that
happens. You'd obviously get a different path whenever there is churn in the
network though. I'm sure there's a way to do this, and I suspect having BGP
feeds from many many places is the most reliable way for it to happen, I just
haven't figured out why yet.
As you point out, the Internet is a really noisy and messy place. Just doing
the "different than usual" is something I resisted here because there's so much
hidden partial transit that doesn't normally expose.
More BGP feeds might just amplify that behavior, though the idea is to get more
feeds in.
This seems like a service that Renesys etc. could/should (or maybe do?) offer,
they seem well placed with all their BGP feeds..
Not sure who else offers it; it seemed reasonable to do and see if it's useful.
Gadi told me there was no free real-time alerting out there but I didn't really
look into it.
Certainly if anyone wants to see the dynamics, who has advertised what now and
in the deep dark past, etc Renesys would be the place to go as far as I know.
Nathan Ward
Avi
