nanog mailing list archives

Why not to use RPKI (Was Re: Argus: a hijacking alarm system)

From: Arturo Servin <aservin () lacnic net>
Date: Fri, 20 Jan 2012 10:08:17 -0200


        You could use RPKI and origin validation as well.

        We have an application that does that. 

        http://www.labs.lacnic.net/rpkitools/looking_glass/

        For example you can periodically check if your prefix is valid:

http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/

        If it were invalid for a possible hijack it would look like:

http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/

        Or you can just query for any state:

http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/



Regards,
as

On 20 Jan 2012, at 07:47, Yang Xiang wrote:

Hi,

I build a system ‘Argus’ to real-timely alert prefix hijackings.
Argus monitors the Internet and discovers anomaly BGP updates which caused
by prefix hijacking.
When Argus discovers a potential prefix hijacking, it will advertise it in
a very short time,
both in our website (http://argus.csnet1.cs.tsinghua.edu.cn) and the
mailing list (argus () csnet1 cs tsinghua edu cn).

Argus has been running in the Internet for more than eight months,
it usually can discover potential prefix hijackings in ten seconds after
the first anomaly BGP update announced.
Several hijacking alarms have been confirmed by network operators.
For example: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/61544/ has
been confirmed by the network operators of AS23910 and AS4538,
it was a prefix hijacking caused by a mis-configuration of route filter.

If you are interest in BGP security, welcome to visit our website and
subscribe the mailing list.
If you are interest in the system itself, you can find our paper which
published in ICNP 2011 (FIST workshop)
http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6089080.

Hope Argus will be useful for you.
_________________________________
Yang Xiang . about.me/xiangyang
Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn

Current thread:

Argus: a hijacking alarm system Yang Xiang (Jan 20)
- Re: Argus: a hijacking alarm system Jeroen Massar (Jan 20)
  - Re: Argus: a hijacking alarm system Yang Xiang (Jan 20)
    - Re: Argus: a hijacking alarm system Suresh Ramasubramanian (Jan 20)
    - Re: Argus: a hijacking alarm system Yang Xiang (Jan 20)
    - Re: Argus: a hijacking alarm system Jeroen Massar (Jan 20)
    - Re: Argus: a hijacking alarm system Yang Xiang (Jan 20)
- Why not to use RPKI (Was Re: Argus: a hijacking alarm system) Arturo Servin (Jan 20)
  - Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) Yang Xiang (Jan 20)
    - Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) Arturo Servin (Jan 20)
    - Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) Yang Xiang (Jan 20)
    - Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) Danny McPherson (Jan 20)
    - Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) Christopher Morrow (Jan 22)
    - Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) Yang Xiang (Jan 23)
    - Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) Christopher Morrow (Jan 23)
    - Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) Yang Xiang (Jan 23)
    - Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) John Kemp (Jan 23)
    - Re: Why not to use RPKI (Was Re: Argus: a hijacking alarm system) Yang Xiang (Jan 23)

(Thread continues...)