I've been using IAR and PHAS, but I've noticed IAR seems to work a bit better and much faster. Recently we changed our ASN, and seconds after we started announcing prefixes under the new ASN I received the email alerts from IAR. I did not receive anything from PHAS. Although I have in the past, PHAS seems to be unreliable at times.

As for alerting on AS_PATH changes, I think that more false alarms would be generated given certain 'techniques' used to 're-route' traffic to use the best available path. (Internap/FCP). Maybe a better idea would be if you were able to input your origin ASN and define your upstreams and/or peers, to be alerted on as well. (i.e.: Do not alert me on any paths containing 123_000, 456_000, 789_000).

Christian

On Fri, Sep 12, 2008 at 8:49 AM, Nathan Ward <[EMAIL PROTECTED]> wrote:
> On 12/09/2008, at 10:42 PM, Gadi Evron wrote:
>
>> Hi, WatchMy.Net is a new community service to alert you when your prefix
>> has been hijacked, in real-time.
>
> Hi Gadi,
>
> I just had a quick play with this, as I've been considering hacking together
> something similar.
>
> It is trivially easy for an attacker to falsify the origin AS. If 'they' are
> not doing it already, then I'm quite surprised.
> This isn't really a good thing to alarm on, in my opinion. Or, maybe it is,
> but there should be big bold text explaining that it's not reliable as it's
> trivially easy to falsify.
>
> To be honest, I can't think of anything better, all the attributes you can
> monitor can easily be falsified.
>
> My best idea is looking at the AS_PATH for changes, and alerting whenever
> that happens. You'd obviously get a different path whenever there is churn
> in the network though. I'm sure there's a way to do this, and I suspect
> having BGP feeds from many many places is the most reliable way for it to
> happen, I just haven't figured out why yet.
>
> This seems like a service that Renesys etc. could/should (or maybe do?)
> offer, they seem well placed with all their BGP feeds..
>
> --
> Nathan Ward
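
The check suggested in the reply above (give the monitor your origin ASN and your upstreams, and stay quiet on paths that end in a known upstream/origin pair), as an added example that is not part of the original thread and is not code from IAR, PHAS or WatchMy.Net. The prefix, the ASNs (documentation ranges) and the names `POLICY`, `collapse` and `classify` are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed policy: documentation prefix and documentation-range ASNs.
POLICY = {
    "prefix": ip_network("192.0.2.0/24"),
    "origin": 64500,                      # our origin ASN
    "upstreams": {64496, 64497, 64498},   # ASNs allowed next to the origin
}

def collapse(as_path):
    """Drop AS-path prepending (consecutive repeats of one ASN)."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def classify(prefix, as_path, policy=POLICY):
    """Return 'ignore', 'ok', 'alert:origin' or 'alert:upstream'."""
    net, mine = ip_network(prefix), policy["prefix"]
    # Only the monitored prefix and its more-specifics are in scope.
    if net.version != mine.version or not net.subnet_of(mine):
        return "ignore"
    path = collapse(as_path)
    if not path or path[-1] != policy["origin"]:
        return "alert:origin"
    # A collector peering directly with the origin sees a one-hop path.
    if len(path) == 1 or path[-2] in policy["upstreams"]:
        return "ok"   # churn further up the path is not alerted on
    return "alert:upstream"

# Constructed announcements as (prefix, AS_PATH seen by a collector).
SAMPLES = [
    ("192.0.2.0/24", [64510, 64496, 64500, 64500, 64500]),
    ("192.0.2.0/24", [64511, 64506, 64497, 64500]),
    ("192.0.2.0/24", [64510, 64505]),
    ("192.0.2.0/25", [64510, 64505, 64500]),
    ("198.51.100.0/24", [64510, 64505]),
]

if __name__ == "__main__":
    for prefix, path in SAMPLES:
        print(prefix, path, "->", classify(prefix, path))
```

The fourth sample has the expected origin but an unlisted neighbour next to it, which an origin-only check would pass silently.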