On Wed, 28 Mar 2007, Tony Finch wrote:
> On Wed, 28 Mar 2007, Ken Simpson wrote:
>>
>> What is particularly missing IMHO is a
spoofed-BGP-route blacklist.
>> Anyone making any progress on that sort of thing?
>
> completewhois has lists in various forms of bogon and
hijacked networks.
>
> http
://completewhois.com/bogons/bogons_usage.htm
Only bogon list will catch some real-time hijacking and only
when
they are doing at the unannounced space (which does happen -
see
presentation at couple nanogs ago about spammers announcing
full
/8 and using unallocated portions; there were other cases
too
that did not use as large of an announcement).
The real-time hijacking (short-announcements that go away in
about
an hour although some do stay longer) of someone else's
space or
short-term announcements of unused legacy space can only be
caught
when you know where correct announcements should come from
and until
we have SIDR, there is no reliable way to do it. The way i'm
testing
it is by comparing where routes for where announcements come
from
before and setting certain time period before route is
considered
"adequate" (this has obvious bad implications for
those changing
from one ASN to another). If my project get sufficiently
stable for
public consumption trials I'll let you know more but from
what I
wrote you should get an idea on how set something like it
yourself
(and I think this is something similar to what others are
doing too
already, I'm unsure if they are making data public or not).
--
William Leibzon
Elan Networks
william elan.net
|
