[nsp-sec] AS Path Forging - Observations from an incident
Hank Nussbacher
hank at efes.iucc.ac.il
Thu Jan 8 13:03:15 EST 2009
> I am possibly encountering an issue with a forged /24. I am not
> interested in prevention or resolution for now. I am interested in
> detection. The path looks valid and doesn't have any strange ASNs. Any
> new ideas in the past month to do MITM AS-path forging detection?
An idea: I have tried Traceroute Mesh:
http://jlh.nightmist.co.uk/tr.php
http://www.robandmollie.com/tr/tr.php
http://tr.meta.net.nz/tr.php
If you choose an IP that you believe has been hijacked, you can view a
graphic of all the traceroute hops (map) and if any of the paths go where
they shouldn't be going, then you have a hijack. Problem is the various
traceroute mesh servers are located at small mom & pop sites and are slow
and unreliable.
What if we (nsp-sec) were to create a closed, secret traceroute mesh so we
can check whether a prefix has been hijacked? This would only be used
when a hijack is taking place and is not useful after the fact.
How does this idea sound? Would various nsp-sec members be willing to
contribute their servers? Team Cymru want to get involved?
-Hank
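
Added example, not part of the original post: a sketch of the check a traceroute mesh would run, mapping each vantage point's hops to ASNs and flagging paths that detour through a network outside the expected set even when they still end at the legitimate origin. The prefix table, ASNs, vantage names and traces are constructed from documentation ranges; a real mesh would need a BGP-derived IP-to-ASN source.

```python
import ipaddress

# Constructed IP-to-ASN table using documentation prefixes and ASNs.
PREFIXES = [(ipaddress.ip_network(p), asn) for p, asn in [
    ("192.0.2.0/25", 64496),     # transit used by the vantage points
    ("192.0.2.128/25", 64497),   # usual upstream of the target
    ("198.51.100.0/24", 64511),  # network that should never carry this traffic
    ("203.0.113.0/24", 64500),   # legitimate origin of the target prefix
]]

def ip_to_asn(ip):
    """Longest-prefix match of a hop address; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, asn) for net, asn in PREFIXES if addr in net]
    return max(hits)[1] if hits else None

def as_path(hops):
    """Collapse hop IPs into an AS-level path, skipping '*' and unmapped hops."""
    path = []
    for hop in hops:
        asn = None if hop == "*" else ip_to_asn(hop)
        if asn is not None and (not path or path[-1] != asn):
            path.append(asn)
    return path

def check_mesh(traces, expected, origin):
    """Return {vantage: [reasons]} for traces that leave the expected AS set."""
    findings = {}
    for vantage, hops in traces.items():
        path = as_path(hops)
        reasons = [f"unexpected AS{a}" for a in path if a not in expected]
        if not path or path[-1] != origin:
            reasons.append(f"does not end in AS{origin}")
        if reasons:
            findings[vantage] = reasons
    return findings

# Constructed traceroute results toward 203.0.113.10 from three vantage points.
TRACES = {
    "vp1": ["192.0.2.1", "192.0.2.129", "203.0.113.1", "203.0.113.10"],
    "vp2": ["192.0.2.2", "*", "192.0.2.130", "203.0.113.10"],
    "vp3": ["192.0.2.3", "198.51.100.7", "192.0.2.131", "203.0.113.10"],
}
EXPECTED = {64496, 64497, 64500}

if __name__ == "__main__":
    for vp, why in check_mesh(TRACES, EXPECTED, 64500).items():
        print(vp, as_path(TRACES[vp]), why)
```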