Re: Prefix Hijack Tool Comaprision
Hi all, .-- My secret spy satellite informs me that at Thu, 13 Nov 2008, Todd Underwood wrote: that's why i recommend that prefix hijacking detection systems do thresholding of peers to prevent a single, rogue, unrepresentative peer from reporting a hijacking when none is really happening. others may have a different approach, but without thresholding prefix alert systems can be noisy and more trouble than they are worth. For those who like to use a peer threshold, BGPmon.net now has minimum peer threshold support. For more information see: http://bgpmon.net/blog/?p=88 Cheers, Andree
Prefix Hijack Tool Comaprision
With this last hijack, we see the comparison between PHAS and BGPmon. Does anyone use other hijack tools who would be willing to compare to these two tools wrt time to alert, number of alerts, etc. during this event? How do folks find the extent of the damage? Using BGPlay only or are their other good tools for assessing damage? scott
Re: Prefix Hijack Tool Comaprision
At 10:28 AM 13-11-08 -0800, Scott Weeks wrote: With this last hijack, we see the comparison between PHAS and BGPmon. Does anyone use other hijack tools who would be willing to compare to these two tools wrt time to alert, number of alerts, etc. during this event? How do folks find the extent of the damage? Using BGPlay only or are their other good tools for assessing damage? scott I use all 4 - BGPmon, RIPE, PHAS, and Watchmy.net. BGPMon kicks ass on all of them. RIPE showed up 5-6 hours later. PHAS and Watchmy were nowhere to be seen. -Hank
Re: Prefix Hijack Tool Comaprision
hank, all, On Thu, Nov 13, 2008 at 08:57:35PM +0200, Hank Nussbacher wrote: I use all 4 - BGPmon, RIPE, PHAS, and Watchmy.net. BGPMon kicks ass on all of them. RIPE showed up 5-6 hours later. PHAS and Watchmy were nowhere to be seen. is that a bug or a feature? this was a non-event in a tiny corner of the internet. it's interesting, but it's not operationally significant. i would not consider the fact that PHAS and Watchmy didn't alert any particular criticism of them. but perhaps there was something else to which you were referring. t. -- _ todd underwood +1 603 643 9300 x101 renesys corporation [EMAIL PROTECTED] http://www.renesys.com/blog
Re: Prefix Hijack Tool Comaprision
--- [EMAIL PROTECTED] wrote: From: Todd Underwood [EMAIL PROTECTED] interesting, but it's not operationally significant. i would not consider the fact that PHAS and Watchmy didn't alert any particular criticism of them. but perhaps there was something else to which you were referring. -- I think he was just referring to and answering my question. I hope to see how these tools work in 'small' incidents as well as large-scale incidents. Knowing the tool's capabilities increases one's ability to assess the damage while troubleshooting. scott
Re: Prefix Hijack Tool Comaprision
It may be the North American NOG, but it's been said before that it functions as a GNOG, G for Global. I don't think Brazil is insignificant. I respect Todd's work greatly, but I think he's wrong on this point. - original message - Subject:Re: Prefix Hijack Tool Comaprision From: Scott Weeks [EMAIL PROTECTED] Date: 13/11/2008 7:42 pm --- [EMAIL PROTECTED] wrote: From: Todd Underwood [EMAIL PROTECTED] interesting, but it's not operationally significant. i would not consider the fact that PHAS and Watchmy didn't alert any particular criticism of them. but perhaps there was something else to which you were referring. -- I think he was just referring to and answering my question. I hope to see how these tools work in 'small' incidents as well as large-scale incidents. Knowing the tool's capabilities increases one's ability to assess the damage while troubleshooting. scott
Re: Prefix Hijack Tool Comaprision
alexander, all, On Thu, Nov 13, 2008 at 07:56:26PM +, Alexander Harrowell wrote: It may be the North American NOG, but it's been said before that it functions as a GNOG, G for Global. I don't think Brazil is insignificant. I respect Todd's work greatly, but I think he's wrong on this point. you misread me. i did not say that brazil was insignificant. it's not. it has some of the fastest growing internet in latin america. i said that *this* hijacking took place in an insignificant corner of the internet. i mean this AS-map wise rather than geographically. this hijacking didn't even spread beyond one or two ASes, one of whom just happened to be a RIPE RIS peer. real hijackings leak into dozens or hundreds or thousands of ASNs. they spread far and wide. that's why people carry them out, when they do. this one was stopped in its tracks in a very small portion of one corner of the AS graph. as such, i don't count it as a hijacking or leak of any great significance and wouldn't want to alert anyone about it. that's why i recommend that prefix hijacking detection systems do thresholding of peers to prevent a single, rogue, unrepresentative peer from reporting a hijacking when none is really happening. others may have a different approach, but without thresholding prefix alert systems can be noisy and more trouble than they are worth. sorry if it appears that i was denegrating .br . i was not. t. -- _ todd underwood +1 603 643 9300 x101 renesys corporation [EMAIL PROTECTED] http://www.renesys.com/blog
Re: Prefix Hijack Tool Comaprision
OK. This seems to be a flaw in RIPE RIS, a pity because BGPlay is great. - original message - Subject:Re: Prefix Hijack Tool Comaprision From: Todd Underwood [EMAIL PROTECTED] Date: 13/11/2008 8:05 pm alexander, all, On Thu, Nov 13, 2008 at 07:56:26PM +, Alexander Harrowell wrote: It may be the North American NOG, but it's been said before that it functions as a GNOG, G for Global. I don't think Brazil is insignificant. I respect Todd's work greatly, but I think he's wrong on this point. you misread me. i did not say that brazil was insignificant. it's not. it has some of the fastest growing internet in latin america. i said that *this* hijacking took place in an insignificant corner of the internet. i mean this AS-map wise rather than geographically. this hijacking didn't even spread beyond one or two ASes, one of whom just happened to be a RIPE RIS peer. real hijackings leak into dozens or hundreds or thousands of ASNs. they spread far and wide. that's why people carry them out, when they do. this one was stopped in its tracks in a very small portion of one corner of the AS graph. as such, i don't count it as a hijacking or leak of any great significance and wouldn't want to alert anyone about it. that's why i recommend that prefix hijacking detection systems do thresholding of peers to prevent a single, rogue, unrepresentative peer from reporting a hijacking when none is really happening. others may have a different approach, but without thresholding prefix alert systems can be noisy and more trouble than they are worth. sorry if it appears that i was denegrating .br . i was not. t. -- _ todd underwood +1 603 643 9300 x101 renesys corporation [EMAIL PROTECTED] http://www.renesys.com/blog
Re: Prefix Hijack Tool Comaprision
Todd Underwood wrote: i said that *this* hijacking took place in an insignificant corner of the internet. i mean this AS-map wise rather than geographically. this hijacking didn't even spread beyond one or two ASes, one of whom just happened to be a RIPE RIS peer. Yet for someone monitoring from their own perspective, what matters to them is what their own AS is seeing. If a hijacking makes it to their AS, they want to be concerned. real hijackings leak into dozens or hundreds or thousands of ASNs. they spread far and wide. that's why people carry them out, when they do. this one was stopped in its tracks in a very small portion of one corner of the AS graph. Wasn't there a dns hijack not long ago that only had the scope of one ISP (who just happened to be extremely large and carried a bunch of cell phones)? Just because a hijack only covers a small portion of the net doesn't make it any less effective. This is why we push to get as many access controls as far out to the edge as possible. If it only effects the person who tries it, then it has no bearing. as such, i don't count it as a hijacking or leak of any great significance and wouldn't want to alert anyone about it. that's why i recommend that prefix hijacking detection systems do thresholding of peers to prevent a single, rogue, unrepresentative peer from reporting a hijacking when none is really happening. others may have a different approach, but without thresholding prefix alert systems can be noisy and more trouble than they are worth. Thresholds might be important, but different mileage, yada yada. Jack
Re: Prefix Hijack Tool Comaprision
Agreed. The Internet Alert Registry ( http://iar.cs.unm.edu ) has switched from monitoring RIPE and Routeviews to direct connections with our PGBGP enabled router. This means the IAR has less data, but immediate response times. Some of the prefixes were detected as hijacked by the IAR but most of the hijacked prefixes never reached the IAR's neighbors. If anyone would like to add their feed to the IAR we would appreciate it! Josh On Thu, Nov 13, 2008 at 2:31 PM, Mohit Lad [EMAIL PROTECTED] wrote: Sorry for the subject line in the previous message :-) Since this thread started as comparison of the tools, there are two issues 1. Which BGP feeds the tools use? RIPE, RouteViews, other private feeds. 2. How they decide what to send and what not to send? In this case, BGPMon detected an event that was not detected by others, and there might be other hijacks that were local in scope where PHAS or Watchmy might catch something that BGPMon does not. But that does not make one tool better than the other, unless this pattern is repeated. Eventually all tools will catch up with each other on the feeds (or so is the hope), so the difference will then lie in the decision of what to send and what to drop. Mohit Date: Thu, 13 Nov 2008 20:27:32 + From: Alexander Harrowell [EMAIL PROTECTED] Subject: Re: Prefix Hijack Tool Comaprision To: Todd Underwood [EMAIL PROTECTED] Cc: nanog@nanog.org OK. This seems to be a flaw in RIPE RIS, a pity because BGPlay is great. - original message - Subject:Re: Prefix Hijack Tool Comaprision From: Todd Underwood [EMAIL PROTECTED] Date: 13/11/2008 8:05 pm alexander, all, On Thu, Nov 13, 2008 at 07:56:26PM +, Alexander Harrowell wrote: It may be the North American NOG, but it's been said before that it functions as a GNOG, G for Global. I don't think Brazil is insignificant. I respect Todd's work greatly, but I think he's wrong on this point. you misread me. i did not say that brazil was insignificant. it's not. it has some of the fastest growing internet in latin america. i said that *this* hijacking took place in an insignificant corner of the internet. i mean this AS-map wise rather than geographically. this hijacking didn't even spread beyond one or two ASes, one of whom just happened to be a RIPE RIS peer. real hijackings leak into dozens or hundreds or thousands of ASNs. they spread far and wide. that's why people carry them out, when they do. this one was stopped in its tracks in a very small portion of one corner of the AS graph. as such, i don't count it as a hijacking or leak of any great significance and wouldn't want to alert anyone about it. that's why i recommend that prefix hijacking detection systems do thresholding of peers to prevent a single, rogue, unrepresentative peer from reporting a hijacking when none is really happening. others may have a different approach, but without thresholding prefix alert systems can be noisy and more trouble than they are worth. sorry if it appears that i was denegrating .br . i was not. t. -- _ todd underwood +1 603 643 9300 x101 renesys corporation [EMAIL PROTECTED] http://www.renesys.com/blog
