Re: Tracking spoofed routes?

[Nick Feamster <feamster () lcs mit edu>]

You can also see:

http://bgp.lcs.mit.edu/

which has a searchable archive back to 2001 for several feeds.  We're
always interested in getting more feeds from folks to make this
searchable archive more comprehensive.

thanks,
-Nick

On Wed, Jan 05, 2005 at 07:06:17AM -0800, David Meyer wrote:
>       Kevin,
>
> > > I am seeking avenues to investigate a possible case of IP address spoofing.
> > >
> > > I've recently received complaints which suggest that in the recent
> > > past (but not right now), somebody may have announced a more specific
> > > prefix, effectively hijacking "unused" address space within our
> > > allocated range.
> > >
> > > As it happens, the address space is not unused, just not visible on
> > > the public Internet.
> > >
> > >
> > > I am aware of route reflectors and other options to manually review
> > > what prefixes are currently announced, but have not been able to find
> > > a *searchable* archive of historical data, either overall BGP tables
> > > or just "unusual" announcements.  The closest thing I've found so far
> > > is Route Views (http://www.routeviews.org/), however there is no
> > > obvious way to search the (huge) archived data files for substring
> > > matches?
>
>       We're involved in trying to build database front ends for
>       the data so you can do just this sort of thing. But right
>       now, we're a little stuck. One thing you might try is
>       using BGPlay to watch what happens to your prefix.
>
> > > Alternately, are there any existing mechanisms for monitoring route
> > > announcements which can provide near real-time alerting when any
> > > prefixes within specific subnet ranges are announced?
>
>       Not that I know of. You can log into
>       route-views.routeviews.org and use the cli to watch it,
>       but that is a manual process.
>
>       Hope this helps,
>
>       Dave