[mat-wg] Measuring IP address hijacking with RIPE Atlas?

On Apr 17, 2013, at 12:51 PM, Anatole Shaw <ripemat at omni.poc.net> wrote:

> On Wed, Apr 17, 2013 at 11:24:42AM -0400, Richard Barnes wrote:
>> However, it's not clear to me how Atlas could help measure hijacking.  Atlas is an active measurement network.  What sort of probes would detect a hijack?  
> 
> If you look at the behavior of a service on a remote host from the
> vantagepoint of network A, and that behavior is especially distinct from
> how it appears from network B, then you can infer that it's not the same
> remote host. Aside from the possibility that it's an anycast address
> reaching differently-configured hosts, this would serve as an indicator
> of a hijack. More or less an automated version of what we did at
> Greenhost to unravel the hijacked Spamhaus name server case.
> 
> When I talk about "behavior" I'm including everything under the umbrella
> of OS fingerprinting, network service fingerprinting, etc.
> 
> And I think there are plenty more possibilities besides.

Thanks, that actually sounds like a very interesting approach, assuming you can find proper test addresses in the relevant prefixes.  (That could be hard, especially for IPv6.)  

Is this sort of fingerprinting something you could do with the current Atlas UDM capability?


>> I wonder if analyzing some of RIPE's passive data sets might be a better approach. 
> 
> Likely also a valuable approach.

It might also be worthwhile to look at combining active and passive measurements.  For example, you might observe a change in behavior in Atlas measurements, and check whether there is a change in BGP.

--Richard



> 
> Regards,
> 
> Anatole
> 
>