[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
BGP related question
- Subject: BGP related question
- From: andree+nanog at toonk.nl (Andree Toonk)
- Date: Thu, 01 Aug 2013 15:42:37 -0700
- In-reply-to: <[email protected]>
- References: <[email protected]>
Hi Parthiv,
.-- My secret spy satellite informs me that at 2013-08-01 7:00 AM Shah,
Parthiv wrote:
> My apology if I am asking for a repeat question on the list. On 7/29/13 I read an incident about accidental BGP broadcast see article here https://isc.sans.edu/diary/BGP+multiple+banking+addresses+hijacked/16249 or older 2008 incident http://www.renesys.com/2008/02/pakistan-hijacks-youtube-1/
This was the same issue as was discussed last week on Nanog:
http://mailman.nanog.org/pipermail/nanog/2013-July/059992.html
In summary there were 72 prefixes hijacked, they also leaked a few
hundred more specifics of their own prefixes.
You can examples of similar events here: http://www.bgpmon.net/blog/
> 1) I would like to understand how can we detect and potentially prevent activities like this? I understand native BGP was not design to authenticate IP owners to the BGP broadcaster. Therefore, issues like this due to a human error would happen. How can activities like this be detected as this is clearly a threat if someone decides to broadcast IP networks of an organization and knock the real org. off the Net.
There are a few BGP monitoring tools available, BGPMon.net is one such
service.
2) In reference to prevention, I recall there were discussions about
secure BGP (S-BGP), Pretty Good BGP, or Secure Original BGP but I don't
remember if any one of them was finalized (from practicality viewpoint)
and if any one of them is implementable/enforceable by ISPs (do anyone
have any insight)?
The thing we can improve today is providers doing a better job of
filtering. But that's still not full proof. Since many folks use
max-prefix filters only on for example Internet Exchange points, it's
easy to pick up a hijacked route from peers.
In the long term RPKI should solve this, but that's not full proof
either. The next step is full path validation, that's going to take a
while. For more info see for example:
http://www.bgpmon.net/securing-bgp-routing-with-rpki-and-roas/ or
http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure
Cheers,
Andree