Nathan Ward wrote:
On 13/09/2008, at 5:48 PM, Matthew Moyle-Croft wrote:
Arnaud de Prelle wrote:
I think that most of us (me included) are already using it but the
problem is that they don't have BGP collectors everywhere in the world.
This is in fact a generic issue for BGP monitoring.
In this case it's very important to have a lot of collectors broadly
distributed listening in many ASes.
For example:
If I know there are two BGP collectors driving this service, and
they're in, say, AS701 and AS1239, then if I wanted to do a partial
hijack (which might be good enough for my evil purposes) then I could
advertise a path which had those ASes stuffed in it and prevent
downstream collectors in AS701 and AS1239 from learning the hijack path.
Note that the attack becomes less and less effective if you're path
stuffing ASes, as it will be preferred by fewer and fewer networks.
Put collection points in say 10 networks, and the attack becomes
pretty useless.
Unless of course you are announcing a more specific prefix than the
authentic one.
Absolutely - but it depends how wide you want the hijack - a global one
is very obvious, but you can see that a very narrow one of some sites it
might be harder (take longer) to detect and live longer.
ie. If I just wanted to disrupt a website to a country or region for
political reasons or just to get the ad revenue for a small amount of
time, then it might be acceptable to limit the scale in order to evade
detection.
I'm not saying this is the end of the world, just reenforcing that
widely distributed BGP monitors are necessary for detection. It might
be that various projects which have these distributed tools etc can help
by becoming feeds for these kinds of notification projects.
MMC
--
Nathan Ward
