Tracking spoofed routes?

Kevin,

I am seeking avenues to investigate a possible case of IP address spoofing.

I've recently received complaints which suggest that in the recent
past (but not right now), somebody may have announced a more specific
prefix, effectively hijacking "unused" address space within our
allocated range.

As it happens, the address space is not unused, just not visible on
the public Internet.

I am aware of route reflectors and other options to manually review
what prefixes are currently announced, but have not been able to find
a *searchable* archive of historical data, either overall BGP tables
or just "unusual" announcements. The closest thing I've found so far
is Route Views (http://www.routeviews.org/), however there is no
obvious way to search the (huge) archived data files for substring
matches?

  We're involved in trying to build database front ends for
  the data so you can do just this sort of thing. But right
  now, we're a little stuck. One thing you might try is
  using BGPlay to watch what happens to your prefix.

Alternately, are there any existing mechanisms for monitoring route
announcements which can provide near real-time alerting when any
prefixes within specific subnet ranges are announced?

  Not that I know of. You can log into
  route-views.routeviews.org and use the cli to watch it,
  but that is a manual process.

  Hope this helps,

  Dave
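Kevin's first question, searching archived Route Views data for more-specifics of his own range, can be answered offline against the dump files rather than by substring matching. The script below is an added example, not code from this thread or from the Route Views project. It assumes the archived MRT files have been converted with libbgpdump's one-line output (`bgpdump -m`, pipe-separated: type|timestamp|A/W/B|peer IP|peer AS|prefix|AS path|...); the sample lines are constructed using RFC 5737 documentation prefixes and RFC 5398 documentation ASNs, and the allocation, the expected origin AS and the set of prefixes "we" announce are assumed values.

```python
"""Flag announcements inside our allocation in a bgpdump -m style dump.

Added example (not from the NANOG thread or Route Views).  Input format is
assumed to be libbgpdump's machine-readable output, `bgpdump -m file.bz2`:
type|timestamp|A/W/B|peer_ip|peer_as|prefix|as_path|origin|next_hop|...
Withdrawals ("W") stop after the prefix field.
"""
import sys
import ipaddress

# Assumed values: our allocation mapped to our ASN, and what we really announce.
OUR_SPACE = {ipaddress.ip_network("198.51.100.0/22"): 64496}
OUR_ANNOUNCED = {ipaddress.ip_network("198.51.100.0/22")}

# Constructed sample dump (documentation prefixes/ASNs, not real routing data).
SAMPLE_DUMP = """\
BGP4MP|1104912360|A|203.0.113.1|64500|198.51.100.0/22|64500 64496|IGP|203.0.113.1|0|0||NAG||
BGP4MP|1104912400|A|203.0.113.1|64500|198.51.102.0/24|64500 64511|IGP|203.0.113.1|0|0||NAG||
BGP4MP|1104912410|W|203.0.113.1|64500|198.51.102.0/24
BGP4MP|1104912420|A|203.0.113.1|64500|192.0.2.0/24|64500 64502|IGP|203.0.113.1|0|0||NAG||
BGP4MP|1104912430|A|203.0.113.1|64500|198.51.100.0/22|64500 64501 64496|IGP|203.0.113.1|0|0||NAG||
BGP4MP|1104912440|A|203.0.113.1|64500|198.51.100.0/22|64500 64503|IGP|203.0.113.1|0|0||NAG||
BGP4MP|1104912450|A|203.0.113.1|64500|198.51.103.0/24|64500 64504 64496|IGP|203.0.113.1|0|0||NAG||
"""


def parse_line(line):
    """Return (timestamp, kind, prefix, as_path) or None for unparsable lines."""
    f = line.rstrip("\n").split("|")
    if len(f) < 6:
        return None
    try:
        ts = int(f[1])
        prefix = ipaddress.ip_network(f[5], strict=False)
    except ValueError:
        return None
    kind = f[2]
    path = []
    if kind in ("A", "B") and len(f) > 6 and f[6]:
        # Flatten AS-set braces ("{64500,64501}") so every token is an integer.
        tokens = f[6].replace("{", " ").replace("}", " ").replace(",", " ").split()
        path = [int(a) for a in tokens]
    return ts, kind, prefix, path


def find_suspicious(lines, space=OUR_SPACE, announced=OUR_ANNOUNCED):
    """Return (timestamp, reason, prefix, origin_as) for every announcement
    that falls inside our space but is not one we expect to see.

    Two cases are distinguished: a foreign origin AS, and a prefix we never
    announce that nevertheless carries our own ASN as origin (an origin can be
    forged, so a more-specific "from us" that we do not announce is still an
    alert).
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, kind, prefix, path = rec
        if kind == "W" or not path:
            continue  # withdrawals carry no path; nothing to attribute
        origin = path[-1]
        for alloc, our_asn in space.items():
            # subnet_of() raises on mixed IPv4/IPv6, so check the version first.
            if prefix.version != alloc.version or not prefix.subnet_of(alloc):
                continue
            if origin != our_asn:
                alerts.append((ts, "foreign-origin", str(prefix), origin))
            elif prefix not in announced:
                alerts.append((ts, "unexpected-more-specific", str(prefix), origin))
    return alerts


if __name__ == "__main__":
    # Pipe `bgpdump -m updates.bz2` into this script, or run it on the sample.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_DUMP.splitlines()
    for ts, why, pfx, asn in find_suspicious(src):
        print(f"{ts} {why:26} {pfx:20} origin AS{asn}")
```

On the sample, the /22 announced with our ASN as origin is accepted whatever transit path it took, the 192.0.2.0/24 route is ignored as outside our space, and three lines are reported: the /24 originated by AS64511, the /22 originated by AS64503, and the /24 that claims our own AS64496 as origin even though we never announce it. The same function can be run over a day's worth of `bgpdump -m` output to reconstruct when a more-specific first appeared and from which peer it was seen.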

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On
Behalf Of David Meyer
Sent: Wednesday, 05 January 2005 16:06
To: Kevin
Cc: nanog@merit.edu; help@routeviews.org
Subject: Re: Tracking spoofed routes?

>> Alternately, are there any existing mechanisms for monitoring route
>> announcements which can provide near real-time alerting when any
>> prefixes within specific subnet ranges are announced?
>
>   Not that I know of. You can log into
>   route-views.routeviews.org and use the cli to watch it,
>   but that is a manual process.
>
>   Hope this helps,
>
>   Dave

To my knowledge, the myas-tool/-service from RIPE NCC is kind of doing what
you'd like to achieve.

Florian

> To my knowledge, the myas-tool/-service from RIPE NCC is kind of doing what
> you'd like to achieve.

MyASN is user-based. To get alarms for unexpected routing patterns, you
should set up an account beforehand.

I think for Kevin's situation, we have other tools. One is called "Search by Prefix"
and the other one is BGPlay. Both tools run over the last 3 months of routing data.

URL for those tools:

http://www.ris.ripe.net/cgi-bin/risprefix.cgi

Arife

Arife Vural writes:
[in response to Florian Frotzler <florian.frotzler@gmx.at>:]

> To my knowledge, the myas-tool/-service from RIPE NCC is kind of
> doing what you'd like to achieve.
>
> MyASN is user-based. To get alarms for unexpected
> routing patterns, you should set up an account beforehand.

I have been using MyASN for half a year, and it is quite nice.
Setting it up required typing all our customer routes into Web forms,
which was somewhat tedious, but now I receive alerts in almost real
time as soon as someone tries to "hijack" our routes or announces
more-specifics.

For example, there was a large-scale incident on 24 December 2004 (see
e.g. http://www.merit.edu/mail.archives/nanog/msg03827.html). It
started shortly before 09:20 UTC, and at 09:59 UTC I received an alert
from MyASN that some of our customer routes were announced from
another AS. This is very respectable, especially since the system
must have been very heavily loaded at that time, because of the sheer
number of BGP updates and the number of potential alerts (MOST
prefixes were hijacked at some point during that day).

> I think for Kevin's situation, we have other tools. One is called
> "Search by Prefix" and the other one is BGPlay. Both tools run
> over the last 3 months of routing data.

One problem is that Kevin is looking for an announcement of a *more
specific* prefix from his space. BGPlay only supports queries on
exact prefixes I think.

The "Search by Prefix" tool seems to be ideal for Kevin's application
though.

> I have been using MyASN for half a year, and it is quite nice.
> Setting it up required typing all our customer routes into Web forms,
> which was somewhat tedious, but now I receive alerts in almost real
> time as soon as someone tries to "hijack" our routes or announces
> more-specifics.

Thanks for that feedback, Simon.

> One problem is that Kevin is looking for an announcement of a *more
> specific* prefix from his space. BGPlay only supports queries on
> exact prefixes I think.

Yes, you're right. It looks like only "Search by Prefix" could help him.

Arife

You can also see:

http://bgp.lcs.mit.edu/

which has a searchable archive back to 2001 for several feeds. We're
always interested in getting more feeds from folks to make this
searchable archive more comprehensive.

thanks,
-Nick