This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/mat-wg@ripe.net/
[mat-wg] Measuring IP address hijacking with RIPE Atlas?
Richard Barnes
rbarnes at bbn.com
Thu Apr 18 16:10:19 CEST 2013
On Apr 17, 2013, at 12:51 PM, Anatole Shaw <ripemat at omni.poc.net> wrote:

> On Wed, Apr 17, 2013 at 11:24:42AM -0400, Richard Barnes wrote:
>> However, it's not clear to me how Atlas could help measure hijacking. Atlas is an active measurement network. What sort of probes would detect a hijack?
>
> If you look at the behavior of a service on a remote host from the
> vantagepoint of network A, and that behavior is especially distinct from
> how it appears from network B, then you can infer that it's not the same
> remote host. Aside from the possibility that it's an anycast address
> reaching differently-configured hosts, this would serve as an indicator
> of a hijack. More or less an automated version of what we did at
> Greenhost to unravel the hijacked Spamhaus name server case.
>
> When I talk about "behavior" I'm including everything under the umbrella
> of OS fingerprinting, network service fingerprinting, etc.
>
> And I think there are plenty more possibilities besides.

Thanks, that actually sounds like a very interesting approach, assuming you can find proper test addresses in the relevant prefixes. (That could be hard, especially for IPv6.) Is this sort of fingerprinting something you could do with the current Atlas UDM capability?

>> I wonder if analyzing some of RIPE's passive data sets might be a better approach.
>
> Likely also a valuable approach.

It might also be worthwhile to look at combining active and passive measurements. For example, you might observe a change in behavior in Atlas measurements, and check whether there is a change in BGP.

--Richard

> Regards,
>
> Anatole
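
The check discussed in this message, as an added example that is not part of the original e-mail and does not use any RIPE Atlas API: group per-probe service fingerprints by target, flag probes that disagree with the majority, then cross-check against BGP origins and a known-anycast list. All probe ids, addresses, ASNs, fingerprint fields and function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data. Each row: (probe_id, target, fingerprint), where the
# fingerprint is the service behaviour a probe recorded (assumed fields here:
# server id string, SOA serial of a test zone, initial TTL bucket).
OBSERVATIONS = [
    (1001, "192.0.2.53", ("ns1-a", 2013041701, 64)),
    (1002, "192.0.2.53", ("ns1-a", 2013041701, 64)),
    (1003, "192.0.2.53", ("ns1-a", 2013041701, 64)),
    (1004, "192.0.2.53", ("unknown", 1, 128)),     # differs from the rest
    (1001, "198.51.100.7", ("site-x", 77, 64)),
    (1002, "198.51.100.7", ("site-y", 77, 64)),    # anycast: site ids differ
    (1003, "198.51.100.7", ("site-x", 77, 64)),
    (1001, "203.0.113.9", ("mx-1", 5, 64)),
    (1002, "203.0.113.9", ("mx-1", 5, 64)),
]
# Constructed passive view: origin ASNs seen in BGP for each target's prefix.
BGP_ORIGINS = {
    "192.0.2.53": {64496, 64511},   # a second origin has appeared
    "198.51.100.7": {64497},
    "203.0.113.9": {64498},
}
KNOWN_ANYCAST = {"198.51.100.7"}

def find_outliers(observations):
    """Return {target: [probe_id, ...]} for probes disagreeing with the majority."""
    by_target = defaultdict(list)
    for probe, target, fp in observations:
        by_target[target].append((probe, fp))
    result = {}
    for target, rows in by_target.items():
        majority, _ = Counter(fp for _, fp in rows).most_common(1)[0]
        outliers = sorted(p for p, fp in rows if fp != majority)
        if outliers:
            result[target] = outliers
    return result

def classify(target, bgp_origins, known_anycast):
    """Combine the active signal (divergence) with the passive one (BGP)."""
    if target in known_anycast:
        return "anycast-expected"
    if len(bgp_origins.get(target, ())) > 1:
        return "possible-hijack"
    return "unexplained-divergence"

def report(observations, bgp_origins, known_anycast):
    return {t: (classify(t, bgp_origins, known_anycast), probes)
            for t, probes in find_outliers(observations).items()}
```

A target where only the active signal fires is reported as `unexplained-divergence` rather than as a hijack, which keeps the anycast caveat and the BGP cross-check from the thread as separate steps.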