Domain: routeviews.org
Stories and comments across the archive that link to routeviews.org.
Comments · 7
-
Security is a game of percentages
Going through a proxy (crowded, busy, high traffic, concentrated) makes hack attacks that much more difficult. From the defense standpoint, proxies may be known (lists of know proxies are widely available), detectable (reverse operations), or identifiable via patterns (large volumes of traffic or attack from a single or narrow IP band not otherwise known).
You do highlight the point, however, that patterns of behavior are what are critical. You want to see who's coming in, from what IP ranges, whether or not they're suddendly having a great deal of trouble with their passwords, etc.
I've had more than a little success identifying sources of abuse via CIDR block or ASN using the Routeviews reverse IP-to-BGP Router Data lookup (the txt record is the CIDR block and ASN of an IP). Not just in spam, as indicated in the linked paper, but for apache logs, aggregating ranges of IPs to a single identifiable source.
Sure, someone using a widely distributed botnet across multiple ASNs isn't going to turn up in that analysis (or rather, it will be more weakly distributed), but in that case, you're going to want to find other patterns of behavior to track.
-
Re:Route filtering
Use Route Views.
-
Re:A design: X says Y=Z.
I posted earlier but perhaps some sort of after-the-fact analysis of the tables using an archive (something like Route Views) could be used to figure out who's good and bad, without having to change the protocol.
-
Re:You can bet good money...
BGP is what Internet routers use to tell each other what incoming traffic should be routed where. It isn't used for actual user data transmission.
Yeah, probably it's best to avoid the internet for sensitive traffic. And they do. They have their own copper, fiber, microwave, and satellite telcom system. Yes, some of it is leased from the telcos but I doubt if the packets come anywhere near the internet routers.
But not all governments have the luxury of that sort of system and I'm sure a lot of them use the internet to communicate globally. That's why we generously helped them put in all those undersea cables...
Oh, by the way, there are "private" companies with undersea fiber that are not peered to the internet, and no one knows about them. Some things you can't trust the telco with.
The last thing you should trust is the Internet. Even with encryption, the way it works is on implied trust relationships. So does DNS, and so does the public key infrastructure. As other posters mentioned, you are relying on your upstream provider to give you clean routing tables. The advertised routes need to be the real best route to a closer hop. And somewhere there are the root servers which have the master tables.
An interesting way to maybe catch them would be to analyze the BGP tables (archive them somewhere and actually get a real list of good hosts). I know there are projects such as Route Views which attempt to archive the routing tables. This might be a start. You would need to whitelist people though, or blacklist certain subnets, and it sort of defeats the point of the Internet being open.
-
Re:Route around?
I looked up the groklaw.net site (152.46.7.105), and then see it is coming via AS81 (North Carolina Research and Education Network), which is has a BGP path (peer or customer) to AS174 (Cogent).
AS174 shows it is announcing AS81 groklaw.net site prefix 152.46.7.0/24 to big peers like AS701 (UUNET/MCI/Verizon), AS7018 (ATT), AS1239 (Sprint). Telia also peers with all 3 of these Tier 1 ISPs.
Cogent is violating its peering agreements with those peers by not routing traffic from them to AS81 (which they must do if they announce AS81's 152.46.7.0/24 prefix) and/or traffic from AS81 (which would no doubt be breaking contract to their customer to provide transit).
Look for yourself: BGplay and put in 152.46.7.0/24 and you can see the peers AS81 has.
Use "whois as1299" to see Telia's peering agreements. You can also see from telnet route-views.oregon-ix.net using the command show ip bgp 152.46.7.0 that AS174 is AS81's major peer (but not only peer). -
Re:But how did they do it?
Pakistan Telcom does have an ASN number. Just for kicks, try this:
Head over to this site. It visualizes the BGP routes between different AS's. Click 'Start BGPlay'. The prefix in which YouTube lives is 208.65.153.0/24. Set the start time for about 24 Feb 2008 10:00, and the end time for about 25 Feb 2008 03:00 (times are UTC). Start the simulation.
You'll see a bunch of ASNs. Two have red circles around them. You can get their name by clicking on the number. On the left is YouTube, and on the right is Pakistan Telcom. Click play and watch what happens.
For those too lazy to actually watch this: All the routes destined for YouTube head towards Pakistan Telcom instead. Then, midway through, you see PCCW get wise and shut down those routes, and everyone slowly starts finding the actual YouTube. It's pretty neat to watch.
-
Re:Using IPv6 today(aside: I didn't realize most people considered sbc a real provider, while they have customers, etc.. outside the DSL community. While not unimportant, slow moving goliaths such as SBC that are stuck under various regularatory hurdles they have had to clear to provide intra-LATA service, the old bell companies haven't been that adopting of internet based technologies and I would not expect them to be a leader in this arena). Looking at the IPv6 routing table as visible and available via telnet at route-views6.routeviews.org [type sh bgp] (also visit routeviews.org main website), you can see that NTT/Verio (AS2914), Global Crossing (AS3549), MFN (AS6461), Sprintlink (AS6175) [note, this isn't their IPv4 network ASN of 1239], KPN/QWESTFI (AS790) routes are seen in the pas for AS209 (Qwest).
The current ATT network was created out of the old ibm as well as other networks, i'm not going to read the entire ipv6 routing table (well, it is short enough to read actually, but i'm being lazy) to check for one of the many ATT legacy ASNs or SBC ASNs that they may be using to operate their IPv6 network. I suggest checking 6bone pTLA listing or with the Regional Internet Registry for people that have been assigned IPv6 address space. In the US at least, it's an InterNIC-type company (remember inernic?) called ARIN