Peering with the Internet Alert Registry

2008-03-10 Thread Josh Karlin
All, Some of you are aware of the site for network operators: http://iar.cs.unm.edu/ which has been running for two years now. The purpose of the site is to detect and distribute network anomaly information to the network operators that need to know. The flip side of our proposed security system,

Re: Peering with the Internet Alert Registry

2008-03-10 Thread Josh Karlin
, Mar 10, 2008 at 11:01 AM, Josh Karlin [EMAIL PROTECTED] wrote: All, Some of you are aware of the site for network operators: http://iar.cs.unm.edu/ which has been running for two years now. The purpose of the site is to detect and distribute network anomaly information to the network

Re: YouTube IP Hijacking

2008-02-25 Thread Josh Karlin
Tomas: It's primarily a proof of concept site, to show that such an idea would be useful, but it has been running for over a year now and discovered many interesting hijacks (such as eBay/google/etc..). You're right that there is a glaring omission, which is yesterday's youtube hijack. This is

Re: odd hijack

2006-11-10 Thread Josh Karlin
Wouldn't they want to hijack more specifics to spam? no. see nick feamster's work, and the lightning talk i proxied for him in dallas. randy Right, you might want to announce less specifics so that you go unnoticed and then you can spam from blocks not in use. I'm just somewhat surprised

odd hijack

2006-11-09 Thread Josh Karlin
I recently brought up a prefix hijack that the NANOG community solved, the AS had accidentally started announcing their bogon list. Here is one that is somewhat the opposite, the AS announced a significant portion of IANA allocated space. Note, they are large blocks and as such probably did

Re: odd hijack

2006-11-09 Thread Josh Karlin
Wouldn't they want to hijack more specifics to spam? I doubt much of that space is going to correctly route for spamming purposes. On 11/9/06, Hank Nussbacher [EMAIL PROTECTED] wrote: On Thu, 9 Nov 2006, Josh Karlin wrote: Here is one that is somewhat the opposite, the AS announced

AS 8437 announced a quarter of the net for half of an hour

2006-08-14 Thread Josh Karlin
Greetings, Today (Aug 14th 2006) AS 8437 announced 63 /8 nets from 14:30 to 15:00 UTC. I don't believe that this is normal, but please correct me if I am wrong. More info can be found at the Internet Alert Registry here: http://cs.unm.edu/~karlinjf/IAR/prefix.php?filter=most If you come to

Re: AS 8437 announced a quarter of the net for half of an hour

2006-08-14 Thread Josh Karlin
Yes but no response yet. On 8/14/06, Randy Bush [EMAIL PROTECTED] wrote: Today (Aug 14th 2006) AS 8437 announced 63 /8 nets from 14:30 to 15:00 UTC. I don't believe that this is normal, but please correct me if I am wrong. have you written to tele2uta in austria? randy

Re: AS 8437 announced a quarter of the net for half of an hour

2006-08-14 Thread Josh Karlin
PROTECTED] wrote: On Mon, Aug 14, 2006 at 01:36:36PM -0600, Josh Karlin wrote: Greetings, Today (Aug 14th 2006) AS 8437 announced 63 /8 nets from 14:30 to 15:00 UTC. I don't believe that this is normal, but please correct me if I am wrong. Note they're all unallocated blocks, so probably someone's

Re: a fun hijack: 1/8, 2/8, 3/8, 4/8, 5/8, 7/8, 8/8, 12/8 briefly announced by AS 23520 (today)

2006-06-09 Thread Josh Karlin
I am happy folks like at RIPE and the IETF are looking at solutions, but sBGP isn't a new idea, and well, how LONG have we been waiting for DNS-SEC now? I just read a paper yesterday from '97 that suggested complete registries would be available within the next couple of years ;)

a fun hijack: 1/8, 2/8, 3/8, 4/8, 5/8, 7/8, 8/8, 12/8 briefly announced by AS 23520 (today)

2006-06-07 Thread Josh Karlin
Check out the IAR for Potential Prefix Hijacks and if you're coming to this more than 24 hours after the post, do a search on AS 23520 as the hijacking AS. I don't know how long the routes were announced, but they seem to be gone now. Or maybe the IAR is horribly broken, in which case I will

Re: a fun hijack: 1/8, 2/8, 3/8, 4/8, 5/8, 7/8, 8/8, 12/8 briefly announced by AS 23520 (today)

2006-06-07 Thread Josh Karlin
Wonder if it was intentional or a 'classful' issue. This is why we (Level 3) and ATT announce the /9s of 4/8, 8/8, and 12/8 :) -Kevin The /9s were stolen too, as well as a host of other prefixes. I just listed the biggies that I was pretty sure didn't belong to 23520. No clue if

Re: So -- what did happen to Panix?

2006-02-08 Thread Josh Karlin
Here is what we propose in PGBGP. If you have a more specific route and its AS Path does not contain any of the less specific route's origins, then ignore it for a day and keep routing to the less specific origin. If it's legitimate the less specific origin should forward the data on for the

Re: So -- what did happen to Panix?

2006-02-07 Thread Josh Karlin
Chris has it! And to be clear, we only require a slow (1 day) provider changeover in the case that you want to announce your old provider's sub-prefix at a new provider. For instance, if you are an ATT customer using a 12/8 sub-prefix and change providers but keep the prefix, the prefix will

Re: So -- what did happen to Panix?

2006-02-03 Thread Josh Karlin
Hasn't that been said for years? Wouldn't perfect IRRs be great? I couldn't agree more. But in the meanwhile, why not protect your own ISP by delaying possible misconfigurations. Our proposed delay does *not* affect reachability, if the only route left is suspicious, it will be

Re: So -- what did happen to Panix?

2006-01-27 Thread Josh Karlin
Wouldn't a well-operated network of IRRs used by 95% of network operators be able to meet all three of your requirements? -certified prefix ownership -certified AS path ownership -dynamic changes to the above two items It seems to me that most of the pieces needed to do this already

Re: So -- what did happen to Panix?

2006-01-26 Thread Josh Karlin
The noise of origin changes is fairly heavy, somewhere in the low hundreds of alerts per day given a 3 day history window. Supposing a falsely originated route was delayed, what is the chance of identifying and fixing it before the end of the delay period? Do operators commonly catch

Re: So -- what did happen to Panix?

2006-01-26 Thread Josh Karlin
I unfortunately don't have answers to those questions, but you've piqued my interest so I will try to look into it within the next couple of days. Josh On 1/26/06, Jared Mauch [EMAIL PROTECTED] wrote: On Thu, Jan 26, 2006 at 04:22:29PM -0700, Josh Karlin wrote: The noise of origin changes

preventing future situations like panix

2006-01-23 Thread Josh Karlin
in detail how few routes will actually be delayed by our mechanism in the linked paper. http://www.cs.princeton.edu/~jrex/papers/pgbgp.pdf Your input is most welcome. Thanks, Josh Karlin

Re: preventing future situations like panix

2006-01-23 Thread Josh Karlin
It seems like most of the routers which would need to make this decision wouldn't have adequate information upon which to do so... not necessarily. the decision could be made in near real time by building prefix filters based on the algorithms that josh and co have worked on and leaving

Re: preventing future situations like panix

2006-01-23 Thread Josh Karlin
To what extent does the route object validation in the RIPE database (for routes covering RIPE-allocated space), together with maintainer object authentication, provide a perfect IRR, according to your research? (I realise the step from useful, authenticated source of data to

Re: preventing future situations like panix

2006-01-23 Thread Josh Karlin
the space among itself and those downstream of it without considering that suspicious behavior. This allows ASs to protect themselves via such methods. Thanks for your comments! Josh On 1/23/06, Thor Lancelot Simon [EMAIL PROTECTED] wrote: On Mon, Jan 23, 2006 at 12:47:38PM -0700, Josh