[nsp-sec] AS Path Forging - Observations from an incident

Stephen Gill gillsr at cymru.com
Thu Jan 8 13:11:37 EST 2009


Hi Hank,

> An idea: I have tried Traceroute Mesh:
> http://jlh.nightmist.co.uk/tr.php
> http://www.robandmollie.com/tr/tr.php
> http://tr.meta.net.nz/tr.php
> 
> If you choose an IP that you believe has been hijacked, you can view a
> graphic of all the traceroute hops (map) and if any of the paths go where
> they shouldn't be going, then you have a hijack. Problem is the various
> traceroute mesh servers are located at small mom & pop sites and are slow
> and unreliable.
> 
> What if we (nsp-sec) were to create a closed, secret traceroute mesh so we
> can check whether a prefix has been hijacked?  This would only be used
> when a hijack is taking place and is not useful after the fact.
> 
> How does this idea sound?  Would various nsp-sec members be willing to
> contribute their servers?  Team Cymru want to get involved?

All great suggestions!  Stay tuned, we have already been noodling on some
ideas along this front and will keep you posted...

Along with your original question - what are some metrics you would use to
detect this automatically, rather than requiring a human to know and query
for it in the first place?

Cheers,
-- steve

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
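
The traceroute-mesh check discussed in this thread, as an added example that is not part of the original message or any Team Cymru tooling: each vantage point's hop list is collapsed into an AS-level path and compared against the expected origin and transit ASes for the monitored prefix. The IP-to-ASN table, vantage point names, addresses and AS numbers are all constructed from documentation ranges; a real deployment would need a live IP-to-ASN mapping source.

```python
import ipaddress

# Constructed IP-to-ASN table: documentation prefixes and documentation ASNs.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64500,       # monitored prefix, expected origin AS
    "198.51.100.0/25": 64501,    # expected upstream
    "198.51.100.128/25": 64502,  # expected upstream
    "203.0.113.0/24": 64510,     # AS that should not carry this traffic
}
NETS = [(ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()]

# Constructed traceroute output per vantage point; None is an unanswered hop.
SAMPLE = {
    "vp-a": ["198.51.100.1", None, "198.51.100.9", "192.0.2.1", "192.0.2.10"],
    "vp-b": ["198.51.100.129", "192.0.2.1", "192.0.2.10"],
    "vp-c": ["198.51.100.1", "203.0.113.5", "192.0.2.10"],
    "vp-d": ["198.51.100.129", "203.0.113.7", "203.0.113.20"],
}

def hop_asn(ip):
    """Longest-prefix match of a hop address against the table."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, asn) for net, asn in NETS if addr in net]
    return max(matches)[1] if matches else None

def as_path(hops):
    """Collapse a hop list into the sequence of ASes it traverses."""
    path = []
    for ip in hops:
        asn = hop_asn(ip) if ip else None
        if asn is not None and (not path or path[-1] != asn):
            path.append(asn)
    return path

def check_mesh(results, target, origin, transit):
    """Return {vantage: [reasons]} for paths that go where they should not."""
    findings = {}
    for vantage, hops in results.items():
        path, reasons = as_path(hops), []
        if not hops or hops[-1] != target:
            reasons.append("target not reached")
        if not path or path[-1] != origin:
            reasons.append("path ends outside expected origin AS")
        stray = [a for a in path if a != origin and a not in transit]
        if stray:
            reasons.append(f"unexpected AS in path: {stray}")
        if reasons:
            findings[vantage] = reasons
    return findings
```

Calling `check_mesh(SAMPLE, "192.0.2.10", 64500, {64501, 64502})` flags `vp-c` (reaches the target through an unexpected AS) and `vp-d` (ends in the wrong AS), while `vp-a` and `vp-b` pass.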
