On Apr 17, 2013, at 12:51 PM, Anatole Shaw <ripemat at omni.poc.net> wrote:
On Wed, Apr 17, 2013 at 11:24:42AM -0400, Richard Barnes wrote:
However, it's not clear to me how Atlas could help measure hijacking. Atlas is an active measurement network. What sort of probes would detect a hijack?
If you look at the behavior of a service on a remote host from the vantage point of network A, and that behavior is especially distinct from how it appears from network B, then you can infer that it's not the same remote host. Aside from the possibility that it's an anycast address reaching differently-configured hosts, this would serve as an indicator of a hijack. More or less an automated version of what we did at Greenhost to unravel the hijacked Spamhaus name server case.
I agree getting consistent data about route hijacks is important. But in many cases a prefix hijack will result in blackholing the traffic and no service availability at all. Besides, for the authenticity check of the DNS service we have DNSSEC and I wonder how difficult it'd be for Spamhaus to use it.

I heard about the idea of using RIPE Atlas for testing of the ISP anti-spoofing capabilities, similar to what the spoofer project (http://spoofer.csail.mit.edu/) is doing, and I like it. (Although, it might make Atlas look too much like a botnet ;).

Andrei
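An added sketch, not part of the original messages, of the cross-vantage-point comparison discussed in this thread, covering both the anycast exception and the blackholing case. The observation records, field names and the set of known instance identifiers are constructed assumptions, not RIPE Atlas output.

```python
from collections import defaultdict

# Constructed observations: each probe queried the same name server address
# and recorded what answered (NSID string and SOA serial of the zone).
OBSERVATIONS = [
    {"probe": 1, "asn": 64500, "ok": True, "nsid": "ns-a1", "soa_serial": 2013041701},
    {"probe": 2, "asn": 64501, "ok": True, "nsid": "ns-a1", "soa_serial": 2013041701},
    {"probe": 3, "asn": 64502, "ok": True, "nsid": "ns-a2", "soa_serial": 2013041701},
    {"probe": 4, "asn": 64503, "ok": True, "nsid": None, "soa_serial": 1},
    {"probe": 5, "asn": 64504, "ok": False, "nsid": None, "soa_serial": None},
]

# Assumption: the operator publishes identifiers of its legitimate anycast instances.
KNOWN_INSTANCES = {"ns-a1", "ns-a2"}


def compare_vantage_points(observations, known_instances):
    """Group probes by the behaviour they saw and flag those that stand out."""
    groups = defaultdict(list)
    unreachable = []
    for obs in observations:
        if not obs["ok"]:
            # Blackholed route or plain outage: there is no behaviour to compare.
            unreachable.append(obs["probe"])
            continue
        groups[(obs["nsid"], obs["soa_serial"])].append(obs["probe"])

    # Baseline: the SOA serial seen by most probes that reached a known instance.
    serial_votes = defaultdict(int)
    for (nsid, serial), probes in groups.items():
        if nsid in known_instances:
            serial_votes[serial] += len(probes)
    baseline = max(serial_votes, key=serial_votes.get) if serial_votes else None

    suspicious = []
    for (nsid, serial), probes in groups.items():
        # Different known instances serving the same zone data is ordinary anycast.
        if nsid in known_instances and serial == baseline:
            continue
        suspicious.extend(probes)
    return {"baseline_serial": baseline,
            "suspicious": sorted(suspicious),
            "unreachable": sorted(unreachable)}


if __name__ == "__main__":
    print(compare_vantage_points(OBSERVATIONS, KNOWN_INSTANCES))
```

Probes listed as unreachable need a separate signal, such as routing data, because a timeout alone cannot distinguish a blackholing hijack from an outage.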