[nsp-sec] AS Path Forging - Observations from an incident

Hank Nussbacher hank at efes.iucc.ac.il
Thu Jan 8 14:28:11 EST 2009


On Thu, 8 Jan 2009, Stephen Gill wrote:

> Hi Hank,
>
>> An idea: I have tried Traceroute Mesh:
>> http://jlh.nightmist.co.uk/tr.php
>> http://www.robandmollie.com/tr/tr.php
>> http://tr.meta.net.nz/tr.php
>>
>> If you choose an IP that you believe has been hijacked, you can view a
>> graphic of all the traceroute hops (map) and if any of the paths go where
>> they shouldn't be going, then you have a hijack. Problem is the various
>> traceroute mesh servers are located at small mom & pop sites and are slow
>> and unreliable.
>>
>> What if we (nsp-sec) were to create a closed, secret traceroute mesh so we
>> can check whether a prefix has been hijacked?  This would only be used
>> when a hijack is taking place and is not useful after the fact.
>>
>> How does this idea sound?  Would various nsp-sec members be willing to
>> contribute their servers?  Team Cymru want to get involved?
>
> All great suggestions!  Stay tuned, we have already been noodling on some
> ideas along this front and will keep you posted...
>
> Along with your original question - what are some metrics you would use to
> detect this automatically, rather than requiring a human to know and query
> for it in the first place?

Not a clue.  I use Hankware, which with proper multifocal lenses is able 
to spot things fairly well.  :-)

-Hank


>
> Cheers,
> -- steve
>
> -- 
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
>
>
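
One way the traceroute-mesh check proposed in the quoted text could be automated, as an added example that is not part of the original thread: map each vantage point's hops to AS numbers and flag any path that does not end in the expected origin AS or that enters it through an unexpected neighbor. The prefixes, AS numbers, vantage names and the `check_mesh` helper are all constructed for illustration.

```python
import ipaddress

# Constructed IP-to-AS table (documentation prefixes, private-use ASNs).
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64500,      # monitored prefix, legitimate origin AS
    "198.51.100.0/24": 64501,   # the origin's known upstream
    "203.0.113.0/24": 64666,    # network that should not carry this traffic
    "203.0.113.128/25": 64502,  # more-specific: a second known upstream
}
TABLE = [(ipaddress.ip_network(p), a) for p, a in PREFIX_TO_ASN.items()]

def ip_to_asn(ip):
    """Longest-prefix match of a hop address; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, asn) for net, asn in TABLE if addr in net]
    return max(hits)[1] if hits else None

def as_level_path(hops):
    """Map hops to ASNs, skipping '*' and unmapped hops, collapsing repeats."""
    path = []
    for hop in hops:
        asn = None if hop == "*" else ip_to_asn(hop)
        if asn is not None and (not path or path[-1] != asn):
            path.append(asn)
    return path

def check_mesh(results, origin_asn, upstreams):
    """Return {vantage: reason} for every traceroute that looks wrong."""
    alerts = {}
    for vantage, hops in results.items():
        path = as_level_path(hops)
        if not path or path[-1] != origin_asn:
            alerts[vantage] = f"does not terminate in AS{origin_asn}: {path}"
        elif len(path) > 1 and path[-2] not in upstreams:
            alerts[vantage] = f"enters origin via unexpected AS{path[-2]}: {path}"
    return alerts

# Constructed mesh output: vantage point -> hop addresses toward 192.0.2.10.
MESH = {
    "vp-a": ["198.51.100.1", "198.51.100.9", "192.0.2.10"],  # normal
    "vp-b": ["203.0.113.5", "*", "192.0.2.10"],              # detour via AS64666
    "vp-c": ["198.51.100.1", "203.0.113.7", "203.0.113.9"],  # ends in AS64666
    "vp-d": ["203.0.113.200", "192.0.2.10"],                 # via second upstream
}

if __name__ == "__main__":
    for vp, why in check_mesh(MESH, 64500, {64501, 64502}).items():
        print(vp, why)
```

A target that drops traceroute probes would also trip the first check, and hop-to-AS mapping is imprecise at exchange points, so an alert here is a prompt for a human look rather than proof of a hijack.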


