This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/routing-wg@ripe.net/
[routing-wg] /24 prefix "hijackability" metric (defining "better than avg AS")
- Previous message (by thread): [routing-wg] The Ongoing Summer of Hijacks: MNT-SERVERSGET / dnsget.top
- Next message (by thread): [routing-wg] [anti-abuse-wg] The Ongoing Summer of Hijacks: MNT-SERVERSGET / dnsget.top
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
nusenu
nusenu-lists at riseup.net
Tue Aug 14 21:58:00 CEST 2018
Hi, I'm currently estimating how "vulnerable" certain IP addresses are to BGP hijacking. To do that, I put them into different categories (multiple can apply): a) RPKI validity state is "NotFound" (no ROA) and IP located in a prefix shorter than /24 (IPv4) or /48 (IPv6) b) Valid ROA but weak maxlength c) Valid ROA with proper maxlength d) is announced in a /24 prefix (IPv4) or /48 (IPv6) e) = (c) + (d) In addition to the distinction of prefix length (/24 vs. </24) I'd like to subcategorize /24 prefixes into - /24 prefix located in "well" connected AS (attacker's BGP visibility is presumed lower than the authentic AS visibility) - /24 prefix located in "poorly" connected AS (better for the attacker) The question is: What is the threshold and metric to tell these two apart? I'm having 3 approaches in mind and wanted to hear if you have any preferences, opinions or other approaches: Approach 1: ----------- If avg AS PATH length as provided by [1] is <2 in more than 50% of given locations and DE-CIX and AMS-IX is among them, then consider it a "well connected AS" Approach 2: ----------- Use CAIDA's AS rank data and define the top 50% ASes as "well" connected Approach 3: ----------- define "well connected" as avg AS PATH as seen in [1] is shorter than the global avg. AS PATH length (defined in [2]) Also: If there are already well established metrics for "well connected" AS I'd be happy to hear about them. Currently I'm leaning towards approach 1 as it is probably the strictest and most conservative approach. I also might compare the results of all 3 approaches. thanks! nusenu [1] https://stat.ripe.net/docs/data_api#AsPathLength [2] http://thyme.rand.apnic.net/current/data-summary (the mean value would actually be more interesting than the avg) Because it is hard to collect ROV data and the list on https://rov.rpki.net is still short I do not try to include a ROV metric (yet). -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: </ripe/mail/archives/routing-wg/attachments/20180814/6b10bc12/attachment.sig>
- Previous message (by thread): [routing-wg] The Ongoing Summer of Hijacks: MNT-SERVERSGET / dnsget.top
- Next message (by thread): [routing-wg] [anti-abuse-wg] The Ongoing Summer of Hijacks: MNT-SERVERSGET / dnsget.top
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]