Re: BGP IP prefix hijack detection times

[Nagarjun Govindraj via NANOG <nanog () nanog org>]

The Goal is not to mitigate or take action against the malicious activity.
Goal is to detect the hijacking event by trying to reduce false posivites
as much as possible.
I know false positives is one of the key factor to consider.
I am just trying to distinguish between a legitimate advertisement against
hijack event.

Regards,
Nagarjun

On Tue, Feb 28, 2017 at 11:31 AM Hank Nussbacher <hank () efes iucc ac il>
wrote:

> On 28/02/2017 07:15, Nagarjun Govindraj via NANOG wrote:
>
> So what if you detect in 1.4 minutes of 3.1 minutes?  Or even 8
> minutes?  What then?
> You certainly couldn't do anything to prevent it after 3.1 minutes.
> First you need to analyze whether the BGP hijack is a false positive or
> not.
> Could be the customer you are watching is testing out some cloud based
> anti-DDOS mitigation and is allowing some other ASN to announce their
> /24 (intentional).
> Could be the ASN on the other side of the world has implemented some BGP
> optimization box which announces prefixes internally  to do TE but they
> also happen to be sending BGP updates to Dyn/BGPMON/Team Cymru/whoever.
> Could be the customer you are monitoring has decided to blackhole some
> malicious IP and has started to announce a /32 internally and they too
> feed BGP announcements to Dyn/BGPMON/Team Cymru/whoever.
> I have many other examples.
> After you get an announcement of a BGP hijack, you start investigating.
> You determine the extent of the hijack - is it localized to one
> geographic area or is it worldwide.  Is it just you or are there
> thousands of other prefixes affected.  After 15 minutes you sit down and
> write an email to the ASN doing the announcement.  For that you hope
> whois is up to date which 60% of the time it is not.  So you start
> scraping Google for possible email addresses to contact.
> After not getting a response for 24 hours you send an email to their
> upstream ASN (also contingent on finding proper email addresses that
> will respond).
> After waiting another day you send an email to the upstream of the
> upstream and you keep repeating the process until you find someone
> responsive.
> Stopping a BGP hijack does not take 1.4 minutes or 3.1 minutes.  It is
> usually hours and sometimes days until the hijack is stopped.
>
> -Hank
>
>
> > Well, the idea behind the mail was to know if anyone in the community are
> > doing real time BGP IP prefix hijacking.
> > Like Artemis detection tool claims to be detecting in 1.4 ~ 3.1 minutes.
> So
> > I wanted to know if anyone in the community are using such tools for
> > detecting hijacks, if yes how much time does the system take to detect.
> >
> >
> > Regards,
> > Nagarjun
> >
> > On Mon, Feb 27, 2017 at 10:59 PM Nick Hilliard <nick () foobar org> wrote:
> >
> > > Christopher Morrow wrote:
> > > > Also: "How reliable are the alerts being sent?"
> > > also: do the smtp servers which handle mail for the domain of the
> > > alerting email address use the IP address space as they're notifying
> about?
> > > Nick