Re: Automatic attack alert to ISPs
Argus can alert on prefix hijacking in real time: http://tli.tl/argus
Hope it is useful to you.
BR.

On Fri, 22 Jun 2012, Ganbold Tsagaankhuu wrote:
> Hi,
> Is there any well known free service or script that sends automatic attack alerts based on some logs to the corresponding ISPs (based on src address)?
> I have seen dshield.org and mynetwatchman, but I don't know yet how good they are.
> If somebody has recommendations in this regard please let me know.
> thanks in advance,
> Ganbold

--
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
FYI: [Argus] 12.231.155/24 is 'hijacked' by anomalous origin 'AS13490'
Hi,

Just now we found a hijacking, as shown below. Is it a real prefix hijacking, or a false alarm made by us?
Hope someone on this list, maybe the admin of the ASes listed below, can give me a reply :-)
The feedback can help us improve Argus and provide more valuable information.

BRs.

-- Forwarded message --
From: argus-alarm argus-al...@csnet1.cs.tsinghua.edu.cn
Date: 2012/3/23
Subject: [Argus] 12.231.155/24 is 'hijacked' by anomalous origin 'AS13490'
To: argus ar...@csnet1.cs.tsinghua.edu.cn

Prefix hijacking alarm:
Start Time(UTC): Mar-22-2012 16:29:07
IP Prefix: 12.231.155/24
Origin AS change: AS7018 - AS13490
Details: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/207340/

___
Argus mailing list
ar...@csnet1.cs.tsinghua.edu.cn
http://csnet1.cs.tsinghua.edu.cn/mailman/listinfo/argus

--
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
Hi chris,

2012/1/23 Christopher Morrow morrowc.li...@gmail.com
> On Fri, Jan 20, 2012 at 8:08 AM, Yang Xiang xiang...@csnet1.cs.tsinghua.edu.cn wrote:
>> 2012/1/20 Arturo Servin aser...@lacnic.net
>> while Argus can discover potential hijackings caused by anomalous AS path.
>
> reading the preceding section (III.B) you check 3 things in the AMM (anomaly monitoring module)
> 1) proper origin (based on what?)
> 2) anomalous neighbour (based on what?)
> 3) policy anomaly (where did you determine the policy?)
>
> later text seems to imply you track some history (1 months worth) and use that as a baseline, for at least the neighbour and origin data. The policy data isn't clearly outlined though, where did that come from? (there's a note about use of whois, which could cover some of this, but certainly not all)

yes, we use history as a baseline for the origin, neighbor and policy data.
origin data: a history of <prefix, origin_AS> mappings,
neighbor data: a history of every two adjacent ASes in all AS paths received from BGPmon,
policy data: a history of every three adjacent ASes (AS triple) in all AS paths.

origin and neighbor data are intuitive. for policy data, we do not gather the exact routing policies, since they are usually private. In Argus, we use all adjacent three ASes in all AS paths as the policy data. this is because:
1), AS triples reflect the import/export routing policies;
2), while monitoring BGP updates, we only need to discover 'possible' hijackings, but not 'exact' hijackings. after figuring out a possible hijacking, the hijacking identification process will be launched and make the final judgement.

> The data plane testing you propose is from the public route-servers (eyes), which don't import the path you want, well routeviews I think doesn't import routes to it's FIB (or maybe I'm mistaken...) but point being with more than one peer on the routeserver it's not clear you would be taking the path you actually want to test anyway, is it?

yes, each route-server usually has several routes to the target prefix. In Argus, we use the commands (i.e., "show route exact active-path") to get the 'best route' of the prefix, and consider it as the route in the FIB.

> -chris

--
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
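The baseline check described in the message above (origin, neighbor and AS-triple history) can be written down concretely. The following is an added example by the editor, not Argus code: the history window, the data structures and the sample updates (documentation prefixes, private ASNs) are constructed assumptions; only the idea that the three baselines are <prefix, origin>, adjacent AS pairs and adjacent AS triples comes from the thread. It also shows the case the thread keeps returning to: an update whose origin AS is the historical one but whose path contains an unseen adjacency.

```python
"""Baseline anomaly check in the spirit of the AMM described above.

Added example, not Argus code: HISTORY is constructed; the 'policy' baseline
being the set of adjacent AS triples is taken from the message, everything
else (class layout, finding kinds) is an assumption.
"""
from collections import defaultdict


class Baseline:
    """History of (prefix, origin), AS adjacencies and AS triples."""

    def __init__(self):
        self.origins = defaultdict(set)   # prefix -> {origin AS}
        self.neighbors = set()            # (AS_a, AS_b) adjacent in some path
        self.triples = set()              # (AS_a, AS_b, AS_c) adjacent in some path

    def learn(self, prefix, as_path):
        """Record one observed route; the origin is the last AS in the path."""
        self.origins[prefix].add(as_path[-1])
        self.neighbors.update(zip(as_path, as_path[1:]))
        self.triples.update(zip(as_path, as_path[1:], as_path[2:]))

    def check(self, prefix, as_path):
        """Return (kind, detail) pairs for every part of the update that has
        no precedent in the history; an empty list means 'nothing unusual'.
        A prefix never seen before has no origin baseline, so no origin
        finding is raised for it (its path is still checked)."""
        findings = []
        known = self.origins.get(prefix)
        if known and as_path[-1] not in known:
            findings.append(("origin", f"AS{as_path[-1]} never originated {prefix}"))
        for a, b in zip(as_path, as_path[1:]):
            if (a, b) not in self.neighbors:
                findings.append(("neighbor", f"AS{a}-AS{b} never seen adjacent"))
        for a, b, c in zip(as_path, as_path[1:], as_path[2:]):
            if (a, b, c) not in self.triples:
                findings.append(("policy", f"AS{a}-AS{b}-AS{c} never seen as a triple"))
        return findings


# Constructed history standing in for a month of BGPmon updates.
HISTORY = [
    ("192.0.2.0/24", [64500, 64510, 64520]),
    ("192.0.2.0/24", [64501, 64510, 64520]),
    ("198.51.100.0/24", [64500, 64530, 64540]),
    ("198.51.100.0/24", [64501, 64511, 64530, 64540]),
    ("203.0.113.0/24", [64510, 64530, 64540]),
]


def build_baseline(history=HISTORY):
    baseline = Baseline()
    for prefix, path in history:
        baseline.learn(prefix, path)
    return baseline


def anomaly_kinds(prefix, as_path, baseline=None):
    """The set of anomaly kinds ('origin', 'neighbor', 'policy') one update raises."""
    baseline = baseline or build_baseline()
    return {kind for kind, _ in baseline.check(prefix, as_path)}


if __name__ == "__main__":
    baseline = build_baseline()
    for prefix, path in [
        ("192.0.2.0/24", [64500, 64510, 64520]),           # seen before: nothing
        ("192.0.2.0/24", [64500, 64510, 64599]),           # new origin AS
        ("198.51.100.0/24", [64500, 64510, 64540]),        # right origin, unseen adjacency
        ("198.51.100.0/24", [64500, 64510, 64530, 64540]), # every pair known, one new triple
    ]:
        print(prefix, path, baseline.check(prefix, path))
```

The fourth update is the 'policy' case: each adjacent pair has been seen, but AS64500-AS64510-AS64530 as a triple has not, which is exactly the kind of 'possible' hijacking the message says is passed on to the identification step rather than alarmed on directly.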
Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
2012/1/23 Christopher Morrow morrowc.li...@gmail.com
> ok, that seems squirrelly still :( so, take routeviews for example, they peer almost exclusively ebgp-multi-hop, so any 'best path' you see there isn't actually usable by the route-server... all traffic has to take the local transport out of the routeviews system, off to the internet and beyond. So, your blackhole testing isn't actually testing what you want, I think :(

it is not a serious problem, I think.
1). we do not use routeviews-like route-servers for hijacking identification, we only use routers.
2). there is a high possibility that the 'best path' is the path in the FIB table.
3). if the 'best path' is not the path in the FIB, there is still a high possibility that the 'best path' is the path in the FIB of other routers in the same AS.
4), our criterion is a threshold on a fingerprint, not an extremum. the fingerprint evaluates the possibility.
hope I'm not wrong. :)

> -chris

--
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
2012/1/24 John Kemp k...@network-services.uoregon.edu
> Minor correction there. If you are talking about our IX collectors (LINX, PAIX, EQIX Ashburn, SYDNEY, etc.) those are at exchanges and peering directly. The collectors at Univ of Oregon (rv, rv2, rv3, rv4, rv6), yeah, those are multi-hop. Doesn't detract from your point, but I think it helps if people are aware of whether they are on the exchange or on a multihop when using routeviews collectors.

We talk about route-servers, not collectors. Argus doesn't use route-servers in RouteViews to identify hijacking.

> Only other thing to add, I don't think anyone mentioned Cyclops in this thread. Just as another data point, see also: http://cyclops.6watch.net or http://cyclops.cs.ucla.edu
>
> John Kemp (k...@routeviews.org)

--
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
Re: Argus: a hijacking alarm system
ah, bad news ~ too many Argus :)

2012/1/21 RijilV rij...@riji.lv
> On 20 January 2012 07:53, Rich Kulawiec r...@gsp.org wrote:
>> On Fri, Jan 20, 2012 at 05:47:21PM +0800, Yang Xiang wrote:
>>> I build a system 'Argus' to real-timely alert prefix hijackings.
>>
>> A suggestion: pick a different name. There's already a network tool named Argus (it's been around for years): http://www.qosient.com/argus/
>> I suggest using the name of a different Wishbone Ash album: Bona Fide. ;-)
>> ---rsk
>
> Ha, there are already two with the name Argus: http://argus.tcp4me.com/ also been around for years...
> .r'

--
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
Re: Argus: a hijacking alarm system
2012/1/21 Suresh Ramasubramanian ops.li...@gmail.com
> On Fri, Jan 20, 2012 at 10:45 PM, RijilV rij...@riji.lv wrote:
>>> A suggestion: pick a different name. There's already a network tool named Argus (it's been around for years): http://www.qosient.com/argus/
>>> I suggest using the name of a different Wishbone Ash album: Bona Fide. ;-)
>>
>> Ha, there are already two with the name Argus: http://argus.tcp4me.com/
>
> Argus being a many eyed dog from greek myth .. no surprise a lot of tools that do this kind of thing have the very same name.
> Call it panopticon maybe? [nastier connotations - originally a prison design by jeremy bentham where a warder sitting in the center could see everything around him]

sounds cool :) panopticon

> --srs

--
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
Fwd: [Argus] 190.144.248.64/27 is 'hijacked' by anomalous origin 'AS27817'
FYI, Argus detected a hijacking just now. It seems I should send this email to the South America NOG.

-- Forwarded message --
From: argus-alarm argus-al...@csnet1.cs.tsinghua.edu.cn
Date: 2012/1/21
Subject: [Argus] 190.144.248.64/27 is 'hijacked' by anomalous origin 'AS27817'
To: argus ar...@csnet1.cs.tsinghua.edu.cn

Prefix hijacking alarm:
Start Time(UTC): Jan-21-2012 12:30:15
IP Prefix: 190.144.248.64/27
Origin AS change: AS14080 - AS27817
Details: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/90856/

___
Argus mailing list
ar...@csnet1.cs.tsinghua.edu.cn
http://csnet1.cs.tsinghua.edu.cn/mailman/listinfo/argus

--
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
Re: Argus: a hijacking alarm system
2012/1/20 Jeroen Massar jer...@unfix.org
> On 2012-01-20 10:47 , Yang Xiang wrote:
>> Hi,
>> I build a system 'Argus' to alert prefix hijackings in real time. Argus monitors the Internet and discovers anomalous BGP updates which are caused by prefix hijacking. When Argus discovers a potential prefix hijacking, it will advertise it in a very short time, both on our website (http://argus.csnet1.cs.tsinghua.edu.cn) and on the mailing list (ar...@csnet1.cs.tsinghua.edu.cn).
>
> But the big question of 2012 [*] is: does it do IPv6. The last 99 anomalies don't show any info there.

Yes, it's only v4 now :( But I'm trying to do so. It needs enough (dozens of) public IPv6 route-servers to do the job. Actually the system only needs to execute 'ping6' and 'show ipv6 bgp' on the IPv6 route-server. Hope I can find enough v6 route-servers before Jun 6 :)

> Greets,
> Jeroen
>
> [*] We got a http://ipv6week.org/ and http://www.worldipv6launch.org/ this year ;)

--
Yang Xiang . about.me/xiangyang
Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
Re: Argus: a hijacking alarm system
2012/1/20 Suresh Ramasubramanian ops.li...@gmail.com
> On Fri, Jan 20, 2012 at 4:09 PM, Yang Xiang xiang...@csnet1.cs.tsinghua.edu.cn wrote:
>> Hope I can find enough v6 route-servers before Jun 6 :)
>
> Jeroen is just the guy to suggest where you can find them :)
> Till then, if google is an acceptable substitute - http://www.bgp4.net/wiki/doku.php?id=tools:ipv6_route_servers

Thanks very much. I will check these servers.

> Enjoy - your system sounds great. And of course gong xi fa cai!

Gong xi fa cai, happy Chinese New Year :)

> --
> Suresh Ramasubramanian (ops.li...@gmail.com)

--
Yang Xiang . about.me/xiangyang
Re: Argus: a hijacking alarm system
2012/1/20 Jeroen Massar jer...@unfix.org
> On 2012-01-20 12:01 , Yang Xiang wrote:
>> 2012/1/20 Suresh Ramasubramanian ops.li...@gmail.com
>
> Please note that automated polling of route servers without prior consent of the owner of said route server might not be completely acceptable as it puts serious loads on them.
>
> A better way is to get proper BGP sessions set up towards various locations.
>
> You might also want to look at http://www.ripe.net/data-tools/stats/ris/ris-raw-data which describes how to get access to RIPE's RIS system raw data, this is what BGPMon also uses.

Argus receives BGP updates from BGPmon, and only accesses route servers when it finds that one BGP update is 'anomalous'. We also control the load on these route servers. After logging in to the route server, Argus only executes 'ping' for a given IP address, and 'show ip bgp' for a given prefix, and will log out from the route server after two minutes.

> Greets,
> Jeroen

--
Yang Xiang . about.me/xiangyang
Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
RPKI is great. But, firstly, ROAs don't cover all the prefixes now, so we need an alternative service to alert hijackings. secondly, a ROA can only secure the 'Origin AS' of a prefix, while Argus can discover potential hijackings caused by an anomalous AS path. After ROA and BGPsec are deployed in the entire Internet (or, in all of your network), Argus will stop the service :)

2012/1/20 Arturo Servin aser...@lacnic.net
> You could use RPKI and origin validation as well. We have an application that does that.
> http://www.labs.lacnic.net/rpkitools/looking_glass/
>
> For example you can periodically check if your prefix is valid:
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/
>
> If it were invalid for a possible hijack it would look like:
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/
>
> Or you can just query for any state:
> http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/
>
> Regards,
> as

--
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
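The valid / invalid / not-found states the LACNIC looking glass reports are the outcomes of RPKI route origin validation (RFC 6811). The following is an added example by the editor, not the looking-glass code or Argus: the ROA set and the routes are constructed, and it also makes Yang's second point concrete, since a route whose origin matches a ROA validates regardless of what the rest of the AS path looks like.

```python
"""RPKI route origin validation (RFC 6811 outcomes) against a local ROA set.

Added example, not the LACNIC looking-glass or Argus code. ROAS and the
routes checked are constructed (documentation prefixes, private ASNs).
"""
import ipaddress

# Constructed ROAs: (prefix, maxLength, authorised origin AS).
ROAS = [
    ("192.0.2.0/24", 24, 64520),
    ("198.51.100.0/22", 24, 64540),
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin AS).

    A ROA 'covers' the route when the route's prefix lies inside the ROA
    prefix. The route is valid if some covering ROA names this origin and
    the route is not more specific than that ROA's maxLength; invalid if
    ROAs cover it but none match; not-found if no ROA covers it at all.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def validate_route(prefix, as_path, roas=ROAS):
    """ROV only looks at the origin (last AS); the rest of the path is not checked."""
    return validate_origin(prefix, as_path[-1], roas)


if __name__ == "__main__":
    print(validate_origin("192.0.2.0/24", 64520))      # valid
    print(validate_origin("192.0.2.0/24", 64599))      # invalid: wrong origin
    print(validate_origin("198.51.100.0/25", 64540))   # invalid: beyond maxLength 24
    print(validate_origin("203.0.113.0/24", 64500))    # not-found: no ROA covers it
    # Same verdict for a normal path and for a path with an unseen upstream:
    print(validate_route("192.0.2.0/24", [64500, 64510, 64520]))
    print(validate_route("192.0.2.0/24", [64599, 64520]))
```

The last two calls both return "valid", which is the gap the thread is about: origin validation says nothing about AS64599 appearing next to the origin, so a path-based monitor and ROV are complementary rather than redundant. The "not-found" outcome is the other gap mentioned, prefixes that simply have no ROA yet.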
Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
2012/1/20 Arturo Servin aser...@lacnic.net
> On 20 Jan 2012, at 10:38, Yang Xiang wrote:
>> RPKI is great. But, firstly, ROA doesn't cover all the prefixes now, we need an alternative service to alert hijackings.
>
> Or to sign your prefixes.

Signing prefixes is the best way. Before all prefixes are signed, it is better if we have a detection service.

>> secondly, ROA can only secure the 'Origin AS' of a prefix,
>
> That's true.
>
>> while Argus can discover potential hijackings caused by anomalous AS path.
>
> Can you explain how?

Only an imprecise detection. Section III.C in our paper http://argus.csnet1.cs.tsinghua.edu.cn/static/Argus.FIST11.pdf
A brief explanation is: if an anomalous AS path hijacked a prefix, I can get replies from normal route-servers, and can not get replies from abnormal route-servers. Here we only consider hijackings that black-hole the prefix. If a hijacking doesn't black-hole the prefix (i.e., redirect, interception, ...), it is hard to detect :(
I think network operators are only careless, but not trust-less, so black-hole hijacking is the majority case.

>> After ROA and BGPsec deployed in the entire Internet (or, in all of your network), Argus will stop the service :)
>
> I was just suggesting to add a more deterministic way to detecting hijacks.

Sorry for my poor English :( What I want to say is, RPKI is really good, Argus is just an alternative, before we can protect ourselves using signatures, honestly :-)
Best regards!

> Regards,
> as

--
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn
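The identification step sketched in the last message (replies from route-servers on the normal path, no replies from those on the anomalous path) and the "threshold on a fingerprint" remark earlier in the thread can be put together in a few lines. This is an added example by the editor, not Argus code and not the fingerprint defined in Section III.C of the paper: the observations are constructed, standing in for what a parser of each route-server's 'show ip bgp <prefix>' best entry and 'ping' result would produce, and the fingerprint here is a deliberately simple stand-in (the share of route-servers whose data plane agrees with the black-hole hypothesis).

```python
"""Hijacking identification from route-server observations.

Added example, not Argus code. Observation records are constructed stand-ins
for parsed 'show ip bgp <prefix>' (best path) and 'ping' output; the
fingerprint and the 0.8 threshold are assumptions, not the paper's.
"""
from dataclasses import dataclass


@dataclass
class Observation:
    server: str
    best_path: list      # ASes of the active/best route to the prefix on this server
    reachable: bool      # did 'ping' of an address inside the prefix get a reply?


def fingerprint(observations, suspect_as):
    """Share of route-servers consistent with a black-hole hijack: servers
    whose best path goes through the suspect AS get no reply, the others do.
    Returns None when either group is empty, because there is then no
    normal/abnormal contrast to compare."""
    abnormal = [o for o in observations if suspect_as in o.best_path]
    normal = [o for o in observations if suspect_as not in o.best_path]
    if not abnormal or not normal:
        return None
    agree = sum(not o.reachable for o in abnormal) + sum(o.reachable for o in normal)
    return agree / len(observations)


def identify(observations, suspect_as, threshold=0.8):
    """'hijack' if the fingerprint reaches the threshold, 'benign' if it does
    not, 'undecided' when the vantage points cannot tell the two apart."""
    fp = fingerprint(observations, suspect_as)
    if fp is None:
        return "undecided"
    return "hijack" if fp >= threshold else "benign"


# Constructed: six route-servers; three now prefer a path through AS64599.
BLACKHOLE = [
    Observation("rs-a", [64500, 64510, 64520], True),
    Observation("rs-b", [64501, 64510, 64520], True),
    Observation("rs-c", [64502, 64511, 64520], True),
    Observation("rs-d", [64503, 64599], False),
    Observation("rs-e", [64504, 64599], False),
    Observation("rs-f", [64505, 64512, 64599], False),
]
# Same control-plane view, but every server gets replies: a legitimate change
# of origin, or an interception that forwards traffic on, looks like this.
REACHABLE = [Observation(o.server, o.best_path, True) for o in BLACKHOLE]
# No route-server prefers the anomalous route: nothing to contrast.
NO_VANTAGE = [o for o in BLACKHOLE if 64599 not in o.best_path]

if __name__ == "__main__":
    for name, obs in [("blackhole", BLACKHOLE), ("reachable", REACHABLE), ("no vantage", NO_VANTAGE)]:
        print(name, fingerprint(obs, 64599), identify(obs, 64599))
```

The REACHABLE case scores 0.5 and comes out "benign", which is the limitation the message states: a hijack that does not black-hole the prefix is indistinguishable, from ping alone, from a legitimate origin change. The NO_VANTAGE case shows why the thread cares about how many route-servers are available and what their 'best path' really is: without a vantage point on the anomalous path there is nothing to test.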