Dear all,
Discussions on the recent YouTube incident raised the question about
availability of our project PHAS (Prefix Hijack Alert System).
http://phas.netsec.colostate.edu/
Unfortunately, the timing of the hijack coincided with our
transitioning to the next stage of PHAS, thus it was unavailable at
the time. We have switched back to the last stable version and the
site is fully functional now. We apologize for the inconvenience.
For people not familiar with PHAS, we analyze BGP updates received
from different vantage points and maintain 3 sets for each prefix.
1. Origin set
2. Last hop set
3. Sub-prefix set
Anyone may register with PHAS for the prefixes he/she wants to watch,
and select the types of alarms of interest. Each time the set changes,
an email is sent to the registered email addresses.
If you want to get an idea of the alarms generated, you can register
for one or more active prefixes that are constantly generating alarms
as seen in
http://phas.netsec.colostate.edu/stat.html
For the YouTube hijack case:
1. since a more specific prefix was observed for YouTube's prefix,
PHAS caught the incident as a "sub-prefix set change" and an alarm was
generated.
2. PHAS does not rely on information from IRR, so any manipulations to
IRR (or outdated entries) would not affect PHAS.
3. Some folks questioned whether PHAS would detect cases of hijack if
the origin AS was unchanged: from the above, one can see that PHAS catches
any sub-prefix announcements, and any changes to the last hop (i.e.
next hop to origin AS).
It is true that the current version of PHAS does not detect AS path
manipulations beyond the last hop. We are developing solutions to this
problem and hoping to combine the new solution into PHAS soon.
Our recent results also show that the farther away from the origin the
hijacker inserts his AS number, the less impact it would have on the
Internet. For folks interested in how the impact of a hijack may vary
depending on which prefix is involved and the hijacker's location, we
have a paper in DSN 2007 with some interesting results.
http://www.cs.ucla.edu/~mohit/cameraReady/hijack-dsn.pdf
Thanks
-Mohit
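The three per-prefix sets described in the message, as an added illustration (not PHAS code, and not from the author): a small Python monitor that feeds constructed BGP updates through origin, last-hop and sub-prefix sets and raises an alarm on any set change. The prefixes and ASNs are documentation values, not those of the real YouTube incident; the three demo cases mirror the message's points: a more-specific is caught as a sub-prefix change, a new neighbour of the origin is caught as a last-hop change, and a path altered beyond the last hop raises nothing.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Constructed re-implementation of the three per-prefix sets the message
# describes; not PHAS code. Prefixes/ASNs are documentation values.

@dataclass
class PrefixState:
    origins: set = field(default_factory=set)       # origin set
    last_hops: set = field(default_factory=set)     # last hop set (AS adjacent to origin)
    sub_prefixes: set = field(default_factory=set)  # sub-prefix set

class Phas:
    def __init__(self, watched):
        self.state = {ip_network(p): PrefixState() for p in watched}

    def _note(self, target, attr, value, alarms, label):
        s = getattr(self.state[target], attr)
        if value not in s:               # any change to a set raises an alarm
            s.add(value)
            alarms.append(f"{label} set change for {target}: {value}")

    def update(self, prefix, as_path):
        """Feed one BGP update (prefix, AS path as seen from a vantage point);
        return the alarms it raises. origin = last ASN, last hop = the one before it."""
        net, alarms = ip_network(prefix), []
        origin, last_hop = as_path[-1], (as_path[-2] if len(as_path) > 1 else None)
        for w in self.state:
            if net == w:
                self._note(w, "origins", origin, alarms, "origin")
                if last_hop is not None:
                    self._note(w, "last_hops", last_hop, alarms, "last hop")
            elif net.subnet_of(w):       # more-specific of a watched prefix
                self._note(w, "sub_prefixes", net, alarms, "sub-prefix")
        return alarms

def demo():
    phas = Phas(["203.0.113.0/24"])
    # Bootstrap: the first observation populates the sets (PHAS learns from history).
    phas.update("203.0.113.0/24", [64496, 64497, 64500])  # AS64500 origin, AS64497 last hop
    return {
        # 1. a more specific appears: caught as a sub-prefix set change
        "more_specific": phas.update("203.0.113.0/25", [64496, 64501]),
        # 2. origin unchanged but the neighbour of the origin changes: last hop alarm
        "last_hop": phas.update("203.0.113.0/24", [64496, 64501, 64500]),
        # 3. path altered beyond the last hop: no set changes, no alarm (the stated limit)
        "beyond_last_hop": phas.update("203.0.113.0/24", [64496, 64501, 64497, 64500]),
    }
```

Running `demo()` returns one alarm list per case; a real deployment would seed the sets from a history window rather than from a single update.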