Re: Prefix Hijack Tool Comaprision

["Josh Karlin" <karlinjf () cs unm edu>]

Agreed.  The Internet Alert Registry ( http://iar.cs.unm.edu ) has switched
from monitoring RIPE and Routeviews to direct connections with our PGBGP
enabled router.  This means the IAR has less data, but immediate response
times.   Some of the prefixes were detected as hijacked by the IAR but most
of the hijacked prefixes never reached the IAR's neighbors.  If anyone would
like to add their feed to the IAR we would appreciate it!

Josh

On Thu, Nov 13, 2008 at 2:31 PM, Mohit Lad <mohitlad () gmail com> wrote:

> Sorry for the subject line in the previous message :-)
>
> Since this thread started as comparison of the tools, there are two issues
> 1. Which BGP feeds the tools use? RIPE, RouteViews, other private feeds.
> 2. How they decide what to send and what not to send?
>
> In this case, BGPMon detected an event that was not detected by others, and
> there might be other hijacks that were local in scope where PHAS or Watchmy
> might catch something that BGPMon does not. But that does not make one tool
> better than the other, unless this pattern is repeated.
> Eventually all tools will catch up with each other on the feeds (or so is
> the hope), so the difference will then lie in "the decision of what to send
> and what to drop".
>
> Mohit
>
> Date: Thu, 13 Nov 2008 20:27:32 +0000
> > From: "Alexander Harrowell" <a.harrowell () gmail com>
> > Subject: Re: Prefix Hijack Tool Comaprision
> > To: Todd Underwood <todd () renesys com>
> > Cc: nanog () nanog org
> >
> > OK. This seems to be a flaw in RIPE RIS, a pity because BGPlay is great.
> >
> > - original message -
> > Subject:        Re: Prefix Hijack Tool Comaprision
> > From:   Todd Underwood <todd () renesys com>
> > Date:           13/11/2008 8:05 pm
> >
> > alexander, all,
> >
> > On Thu, Nov 13, 2008 at 07:56:26PM +0000, Alexander Harrowell wrote:
> > > It may be the North American NOG, but it's been said before that it
> > > functions as a GNOG, G for Global. I don't think Brazil is
> > > insignificant. I respect Todd's work greatly, but I think he's wrong
> > > on this point.
> >
> > you misread me.
> >
> > i did not say that brazil was insignificant. it's not.  it has some of
> > the fastest growing internet in latin america.
> >
> > i said that *this* hijacking took place in an insignificant corner of
> > the internet.  i mean this AS-map wise rather than geographically.
> > this hijacking didn't even spread beyond one or two ASes, one of whom
> > just happened to be a RIPE RIS peer.
> >
> > real hijackings leak into dozens or hundreds or thousands of ASNs.
> > they spread far and wide.  that's why people carry them out, when they
> > do.  this one was stopped in its tracks in a very small portion of one
> > corner of the AS graph.
> >
> > as such, i don't count it as a hijacking or leak of any great
> > significance and wouldn't want to alert anyone about it.  that's why i
> > recommend that prefix hijacking detection systems do thresholding of
> > peers to prevent a single, rogue, unrepresentative peer from reporting
> > a hijacking when none is really happening.  others may have a
> > different approach, but without thresholding prefix alert systems can
> > be noisy and more trouble than they are worth.
> >
> > sorry if it appears that i was denegrating .br .  i was not.
> >
> > t.
> >
> > --
> > _____________________________________________________________________
> > todd underwood                                 +1 603 643 9300 x101
> > renesys corporation
> > todd () renesys com
> http://www.renesys.com/blog
> >