[mat-wg] Measuring IP address hijacking with RIPE Atlas?
- Previous message (by thread): [mat-wg] Measuring IP address hijacking with RIPE Atlas?
- Next message (by thread): [mat-wg] Preliminary agenda for MAT @ RIPE66
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Andrei Robachevsky
robachevsky at isoc.org
Fri Apr 19 10:07:02 CEST 2013
On Apr 17, 2013, at 12:51 PM, Anatole Shaw <ripemat at omni.poc.net> wrote:

> On Wed, Apr 17, 2013 at 11:24:42AM -0400, Richard Barnes wrote:
>> However, it's not clear to me how Atlas could help measure hijacking. Atlas is an active measurement network. What sort of probes would detect a hijack?
>
> If you look at the behavior of a service on a remote host from the
> vantage point of network A, and that behavior is especially distinct from
> how it appears from network B, then you can infer that it's not the same
> remote host. Aside from the possibility that it's an anycast address
> reaching differently-configured hosts, this would serve as an indicator
> of a hijack. More or less an automated version of what we did at
> Greenhost to unravel the hijacked Spamhaus name server case.

I agree getting consistent data about route hijacks is important. But in many cases a prefix hijack will result in blackholing the traffic and no service availability at all. Besides, for the authenticity check of the DNS service we have DNSSEC and I wonder how difficult it'd be for Spamhaus to use it.

I heard about the idea of using RIPE Atlas for testing of the ISP anti-spoofing capabilities, similar to what the spoofer project (http://spoofer.csail.mit.edu/) is doing, and I like it. (Although, it might make Atlas look too much like a botnet ;).

Andrei
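The comparison discussed in this message, sketched as an added example that is not part of the original thread and is not RIPE Atlas code: replies to one identical DNS query from several vantage points are fingerprinted and compared against the majority view, with timeouts kept as a separate class to reflect the blackholing case. The record layout, field names and sample values are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: replies to one identical DNS query sent to the same
# name-server address from five vantage points. Field names are assumptions.
SAMPLE = [
    {"probe": "p1", "reply": {"answer": "192.0.2.10", "soa_serial": 2013041701, "nsid": "ns-a"}},
    {"probe": "p2", "reply": {"answer": "192.0.2.10", "soa_serial": 2013041701, "nsid": "ns-a"}},
    {"probe": "p3", "reply": {"answer": "192.0.2.10", "soa_serial": 2013041701, "nsid": "ns-b"}},
    {"probe": "p4", "reply": {"answer": "198.51.100.7", "soa_serial": 1, "nsid": None}},
    {"probe": "p5", "reply": None},  # timeout: no reply at all (possible blackhole)
]


def fingerprint(reply, ignore=()):
    """Hashable summary of a reply, minus fields that may legitimately vary."""
    if reply is None:
        return None
    return tuple(sorted((k, v) for k, v in reply.items() if k not in ignore))


def classify(observations, ignore=()):
    """Group probes by whether their view matches the majority view.

    Assumes most vantage points reach the legitimate host; a widespread
    hijack would shift the baseline itself.
    """
    prints = {o["probe"]: fingerprint(o["reply"], ignore) for o in observations}
    answered = Counter(fp for fp in prints.values() if fp is not None)
    baseline = answered.most_common(1)[0][0] if answered else None
    report = {"consistent": [], "divergent": [], "unreachable": []}
    for probe, fp in prints.items():
        if fp is None:
            report["unreachable"].append(probe)
        elif fp == baseline:
            report["consistent"].append(probe)
        else:
            report["divergent"].append(probe)
    return report


if __name__ == "__main__":
    print(classify(SAMPLE))                    # strict: every field must match
    print(classify(SAMPLE, ignore=("nsid",)))  # anycast: instance id may differ
```

Ignoring the per-instance identifier handles the anycast exception raised in the quoted text: p3 stops being flagged, while p4, whose answer content differs, remains divergent and p5 remains unreachable.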