The goal is not to mitigate or take action against the malicious activity. The goal is to detect the hijacking event while reducing false positives as much as possible. I know false positives are one of the key factors to consider. I am just trying to distinguish a legitimate advertisement from a hijack event.

Regards,
Nagarjun

On Tue, Feb 28, 2017 at 11:31 AM Hank Nussbacher <h...@efes.iucc.ac.il> wrote:

> On 28/02/2017 07:15, Nagarjun Govindraj via NANOG wrote:
>
> So what if you detect in 1.4 minutes or 3.1 minutes? Or even 8 minutes? What then?
> You certainly couldn't do anything to prevent it after 3.1 minutes.
> First you need to analyze whether the BGP hijack is a false positive or not.
> Could be the customer you are watching is testing out some cloud-based anti-DDOS mitigation and is allowing some other ASN to announce their /24 (intentional).
> Could be the ASN on the other side of the world has implemented some BGP optimization box which announces prefixes internally to do TE, but they also happen to be sending BGP updates to Dyn/BGPMON/Team Cymru/whoever.
> Could be the customer you are monitoring has decided to blackhole some malicious IP and has started to announce a /32 internally, and they too feed BGP announcements to Dyn/BGPMON/Team Cymru/whoever.
> I have many other examples.
> After you get an announcement of a BGP hijack, you start investigating. You determine the extent of the hijack: is it localized to one geographic area or is it worldwide? Is it just you or are there thousands of other prefixes affected? After 15 minutes you sit down and write an email to the ASN doing the announcement. For that you hope whois is up to date, which 60% of the time it is not. So you start scraping Google for possible email addresses to contact.
> After not getting a response for 24 hours you send an email to their upstream ASN (also contingent on finding proper email addresses that will respond).
> After waiting another day you send an email to the upstream of the upstream, and you keep repeating the process until you find someone responsive.
> Stopping a BGP hijack does not take 1.4 minutes or 3.1 minutes. It is usually hours and sometimes days until the hijack is stopped.
>
> -Hank
>
> > Well, the idea behind the mail was to know if anyone in the community is doing real-time BGP IP prefix hijacking detection.
> > Like the Artemis detection tool, which claims to detect in 1.4 ~ 3.1 minutes. So I wanted to know if anyone in the community is using such tools for detecting hijacks, and if yes, how much time the system takes to detect.
> >
> > Regards,
> > Nagarjun
> >
> > On Mon, Feb 27, 2017 at 10:59 PM Nick Hilliard <n...@foobar.org> wrote:
> >
> >> Christopher Morrow wrote:
> >>> Also: "How reliable are the alerts being sent?"
> >> also: do the smtp servers which handle mail for the domain of the alerting email address use the IP address space they're notifying about?
> >>
> >> Nick
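The three false-positive cases Hank lists (a scrubbing provider originating the customer's /24, an optimizer's more-specifics leaking to collectors, an RTBH /32 from the customer's own ASN), the "localized or worldwide" extent question, and Nick's question about the alerting mail path all reduce to checks that can run before an alert is raised. The Python below is an added example written for this page; it is not code from any of the posters, nor from ARTEMIS, Dyn, BGPMon or Team Cymru. It assumes a hypothetical per-prefix allowlist (own ASN, third-party origins allowed to announce on the customer's behalf, expected upstream ASNs, longest prefix the customer normally announces) and a constructed feed of collector updates; every prefix, ASN and collector peer name is a documentation or private-use value invented for the example.

```python
"""Constructed example: rule-based triage of BGP announcements for monitored
prefixes. Prefixes, ASNs and collector peer names are documentation/private
ranges invented for this example; the allowlist format is hypothetical."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

WIDESPREAD_PEERS = 5  # assumption: seen by this many collector peers or more = worldwide


@dataclass(frozen=True)
class MonitoredPrefix:
    prefix: str
    own_asn: int                    # the customer's own origin ASN
    third_party_origins: frozenset  # ASNs allowed to originate for them, e.g. a DDoS scrubber
    upstream_asns: frozenset        # ASNs expected directly behind own_asn in the AS path
    max_length: int                 # longest more-specific the customer normally announces
    host_route_blackhole: bool = True  # a /32 or /128 from own_asn is RTBH, not a hijack


@dataclass(frozen=True)
class Verdict:
    prefix: str
    origin_asn: int
    upstream_asn: int  # None when the collector peer is the origin itself
    peers: int         # distinct collector peers that saw this (prefix, origin, upstream)
    label: str
    reason: str


def covering_entry(monitored, net):
    """Most specific monitored entry covering `net`, or None if it is not ours."""
    best, best_len = None, -1
    for m in monitored:
        mnet = ipaddress.ip_network(m.prefix)
        if mnet.version == net.version and net.subnet_of(mnet) and mnet.prefixlen > best_len:
            best, best_len = m, mnet.prefixlen
    return best


def classify_group(m, net, origin, upstream, n_peers):
    """Allowlist rules for one (prefix, origin, upstream) group; returns (label, reason)."""
    if origin == m.own_asn:
        if upstream is not None and upstream not in m.upstream_asns:
            # A hijacker who prepends the victim's ASN passes an origin-only check,
            # so an unknown neighbor next to the right origin stays an alert.
            return "suspect_forged_origin", f"own origin but unknown upstream AS{upstream}"
        if net.prefixlen <= m.max_length:
            return "expected", "own origin within expected prefix length"
        if m.host_route_blackhole and net.prefixlen == net.max_prefixlen:
            return "expected_blackhole", "host route from own ASN (RTBH), not a hijack"
        return "unexpected_more_specific", "own origin but longer than max_length; TE or optimizer leak, confirm with customer"
    if origin in m.third_party_origins:
        return "expected_third_party", f"AS{origin} is authorized to originate on their behalf"
    scope = "widespread" if n_peers >= WIDESPREAD_PEERS else "localized"
    return "possible_hijack", f"unauthorized origin AS{origin}, {scope} ({n_peers} peers)"


def classify(monitored, updates):
    """Group raw collector updates and return one Verdict per monitored group."""
    peers_by_key = defaultdict(set)
    for u in updates:
        path = u["as_path"]
        key = (u["prefix"], path[-1], path[-2] if len(path) >= 2 else None)
        peers_by_key[key].add(u["peer"])
    verdicts = []
    for (prefix, origin, upstream), peers in peers_by_key.items():
        net = ipaddress.ip_network(prefix)
        m = covering_entry(monitored, net)
        if m is None:
            continue  # not one of ours
        label, reason = classify_group(m, net, origin, upstream, len(peers))
        verdicts.append(Verdict(prefix, origin, upstream, len(peers), label, reason))
    return verdicts


def alert_path_inside_monitored(monitored, mail_server_ips):
    """Nick's check: which of the mail servers carrying the alert sit inside a
    monitored prefix, so that a hijack of that prefix would also silence the alert."""
    nets = [ipaddress.ip_network(m.prefix) for m in monitored]
    return [ip for ip in mail_server_ips if any(ipaddress.ip_address(ip) in n for n in nets)]


SAMPLE_MONITORED = [
    MonitoredPrefix("203.0.113.0/24", own_asn=64500, third_party_origins=frozenset({64501}),
                    upstream_asns=frozenset({64510, 64511}), max_length=24),
]


def _upd(prefix, path, peer):
    return {"prefix": prefix, "as_path": path, "peer": peer}


# Constructed collector feed, one dict per (peer, prefix, path) observation.
SAMPLE_UPDATES = [
    _upd("203.0.113.0/24", [65000, 64510, 64500], "rrc00-p1"),    # normal
    _upd("203.0.113.0/24", [65000, 64501], "rrc00-p1"),           # scrubbing provider originates
    _upd("203.0.113.42/32", [65000, 64510, 64500], "rrc00-p1"),   # RTBH host route
    _upd("203.0.113.128/25", [65000, 64510, 64500], "rrc00-p1"),  # more-specific from own ASN
    _upd("203.0.113.0/24", [65004, 64666, 64500], "rrc00-p7"),    # own ASN prepended by AS64666
    _upd("203.0.113.0/24", [65005, 64667], "rrc01-p1"),           # bogus origin, one peer
    _upd("198.51.100.0/24", [65000, 64999], "rrc00-p1"),          # not monitored
] + [_upd("203.0.113.0/24", [65000 + i, 64670, 64668], f"rrc0{i}-p2") for i in range(6)]  # bogus, 6 peers


def run_sample():
    return classify(SAMPLE_MONITORED, SAMPLE_UPDATES)
```

Only the `possible_hijack` and `suspect_forged_origin` verdicts would page anyone; the peer count attached to each verdict is the first thing the analyst wants when deciding whether the event is localized or worldwide. Running `alert_path_inside_monitored` against the addresses of the alert contact's mail servers once, at configuration time, catches the case Nick raises before an incident does.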