Re: Tracking spoofed routes?

[David Meyer <dmm () 1-4-5 net>]

        Kevin,

> > I am seeking avenues to investigate a possible case of IP address spoofing.
> >
> > I've recently received complaints which suggest that in the recent
> > past (but not right now), somebody may have announced a more specific
> > prefix, effectively hijacking "unused" address space within our
> > allocated range.
> >
> > As it happens, the address space is not unused, just not visible on
> > the public Internet.
> >
> >
> > I am aware of route reflectors and other options to manually review
> > what prefixes are currently announced, but have not been able to find
> > a *searchable* archive of historical data, either overall BGP tables
> > or just "unusual" announcements.  The closest thing I've found so far
> > is Route Views (http://www.routeviews.org/), however there is no
> > obvious way to search the (huge) archived data files for substring
> > matches?

        We're involved in trying to build database front ends for
        the data so you can do just this sort of thing. But right
        now, we're a little stuck. One thing you might try is
        using BGPlay to watch what happens to your prefix.

> > Alternately, are there any existing mechanisms for monitoring route
> > announcements which can provide near real-time alerting when any
> > prefixes within specific subnet ranges are announced?

        Not that I know of. You can log into
        route-views.routeviews.org and use the cli to watch it,
        but that is a manual process.

        Hope this helps,

        Dave