Re: Update on PHAS (ref Youtube hijack)

2008-03-02 Thread Adrian Chadd

On Sat, Mar 01, 2008, Mohit Lad wrote:
> Dear all,
> 
> Discussions on the recent Youtube incident raised the question about
> availability of our project PHAS (Prefix Hijack Alert System).
> http://phas.netsec.colostate.edu/

Cute! It's in the Wiki.

(And I'm going to keep saying this until I get fed up with the Wiki,
Marty/Alex tells me to shut up, or others start dumping interesting
stuff into the Wiki.)

Adrian


Update on PHAS (ref Youtube hijack)

2008-03-01 Thread Mohit Lad

Dear all,

Discussions on the recent Youtube incident raised the question about
availability of our project PHAS (Prefix Hijack Alert System).

http://phas.netsec.colostate.edu/
Unfortunately, the timing of the hijack coincided with our  
transitioning to the next stage of PHAS, thus it was unavailable at  
the time. We have switched back to the last stable version and the  
site is fully functional now. We apologize for the inconvenience.


For people not familiar with PHAS, we analyze BGP updates received  
from different vantage points and maintain 3 sets for each prefix.

1. Origin set
2. Last hop set
3. Sub-prefix set

Anyone may register with PHAS for the prefixes he/she wants to watch,
and select the types of alarms of interest. Each time the set changes,
an email is sent to the registered email addresses.


If you want to get an idea of the alarms generated, you can register  
for one or more active prefixes that are constantly generating alarms  
as seen in

http://phas.netsec.colostate.edu/stat.html

For the youtube hijack case:
1. since a more specific prefix was observed for youtube's prefix,  
PHAS caught the incident as a "sub-prefix set change" and an alarm was  
generated.


2. PHAS does not rely on information from IRR, so any manipulations to  
IRR (or outdated entries) would not affect PHAS.


3. Some folks questioned whether PHAS would detect cases of hijack if
origin AS was unchanged: from the above, one can see that PHAS catches
any sub-prefix announcements, and any changes to the last hop (i.e.
next hop to origin AS).


It is true that the current version of PHAS does not detect AS path  
manipulations beyond the last hop. We are developing solutions to this  
problem and hoping to combine the new solution into PHAS soon.


Our recent results also show that the farther away from the origin the  
hijacker inserts his AS number, the less impact it would have on the  
Internet. For folks interested in how the impact of a hijack may vary  
depending on which prefix is involved and the hijacker's location, we  
have a paper in DSN 2007 with some interesting results.

http://www.cs.ucla.edu/~mohit/cameraReady/hijack-dsn.pdf

Thanks

-Mohit
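The three-set scheme described in Mohit's post (origin set, last hop set, sub-prefix set per watched prefix, alarm on any change), as an added Python example that is not PHAS code and not from the authors. The updates, prefixes (documentation ranges) and private ASNs are constructed; the silent seeding of the sets from a baseline is an assumption about how the sets are first built. The last sample update also shows the limitation Mohit notes: a path altered beyond the last hop produces no alarm.

```python
import ipaddress
from itertools import groupby

# Constructed sample updates as (vantage point, prefix, AS path); the last AS is
# the origin, the one before it the "last hop". Documentation/private values only.
BASELINE = [("vp1", "198.51.100.0/24", [64496, 64499, 64500]),
            ("vp2", "198.51.100.0/24", [64497, 64499, 64500, 64500])]  # prepended origin
UPDATES = [("vp2", "198.51.100.0/24", [64497, 64499, 64500]),     # known origin/last hop: quiet
           ("vp1", "198.51.100.0/24", [64496, 64502, 64500]),     # new last hop 64502
           ("vp2", "198.51.100.128/25", [64497, 64503, 64511]),   # more specific: sub-prefix alarm
           ("vp1", "198.51.100.0/24", [64496, 64498, 64511]),     # new origin (and new last hop)
           ("vp2", "198.51.100.0/24", [64497, 64510, 64499, 64500]),  # changed beyond last hop: no alarm
           ("vp1", "192.0.2.0/24", [64496, 64505])]               # not watched: ignored

class PrefixMonitor:
    """Keep the origin, last-hop and sub-prefix sets per watched prefix and report
    each update that adds a member. Assumption: a baseline seeds the sets silently."""
    def __init__(self, watched):
        self.sets = {ipaddress.ip_network(p): {"origin": set(), "last_hop": set(), "sub_prefix": set()}
                     for p in watched}

    def process(self, vantage, prefix, as_path, alarm=True):
        net = ipaddress.ip_network(prefix)
        w = next((x for x in self.sets if net.subnet_of(x)), None)
        if w is None:
            return []  # nobody registered for this prefix
        path = [a for a, _ in groupby(as_path)]  # collapse prepending so it cannot fake a last hop
        if net != w:  # a more specific announced inside the watched prefix
            seen = [("sub_prefix", str(net))]
        else:
            seen = [("origin", path[-1])] + ([("last_hop", path[-2])] if len(path) > 1 else [])
        alarms = []
        for kind, value in seen:
            if value not in self.sets[w][kind]:
                self.sets[w][kind].add(value)
                if alarm:
                    alarms.append((kind, str(w), value, vantage))
        return alarms

def run(baseline, updates, watched=("198.51.100.0/24",)):
    mon = PrefixMonitor(watched)
    for vp, p, path in baseline:
        mon.process(vp, p, path, alarm=False)
    return [a for vp, p, path in updates for a in mon.process(vp, p, path)]

if __name__ == "__main__":
    for alarm in run(BASELINE, UPDATES):
        print(alarm)
```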