
On Wed, Apr 17, 2013 at 11:24:42AM -0400, Richard Barnes wrote:
> However, it's not clear to me how Atlas could help measure hijacking. Atlas is an active measurement network. What sort of probes would detect a hijack?

If you look at the behavior of a service on a remote host from the vantage point of network A, and that behavior is especially distinct from how it appears from network B, then you can infer that it's not the same remote host. Aside from the possibility that it's an anycast address reaching differently-configured hosts, this would serve as an indicator of a hijack. More or less an automated version of what we did at Greenhost to unravel the hijacked Spamhaus name server case.

When I talk about "behavior" I'm including everything under the umbrella of OS fingerprinting, network service fingerprinting, etc. And I think there are plenty more possibilities besides.

> I wonder if analyzing some of RIPE's passive data sets might be a better approach.

Likely also a valuable approach.

Regards,
Anatole
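
The comparison described in the reply above, as an added example that is not part of the original message: group vantage points by the service fingerprint they observed and report the ones that disagree with the majority, excluding fingerprints already known to belong to anycast instances. The observations, field names and the `known_anycast` allowlist are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data, not real measurements: what four vantage points
# observed when probing the same service address. All field names and values
# are assumptions made for this example.
OBSERVATIONS = [
    {"probe": "p1", "network": "A", "ssh_hostkey": "SHA256:key-one",
     "dns_version": "server-x 1.0", "rtt_ms": 12},
    {"probe": "p2", "network": "B", "ssh_hostkey": "SHA256:key-one",
     "dns_version": "server-x 1.0", "rtt_ms": 48},
    {"probe": "p3", "network": "C", "ssh_hostkey": "SHA256:key-two",
     "dns_version": "server-x 1.0", "rtt_ms": 95},
    {"probe": "p4", "network": "D", "ssh_hostkey": "SHA256:key-three",
     "dns_version": "server-y 2.3", "rtt_ms": 7},
]

# Only host-specific attributes go into the fingerprint. Path-dependent values
# such as round-trip time differ between vantage points even for one host.
FINGERPRINT_FIELDS = ("ssh_hostkey", "dns_version")

# Fingerprints the operator has confirmed as legitimate anycast instances.
ANYCAST_INSTANCES = frozenset({("SHA256:key-two", "server-x 1.0")})


def fingerprint(obs):
    """Reduce one observation to a comparable tuple of host attributes."""
    return tuple(obs.get(field) for field in FINGERPRINT_FIELDS)


def find_divergent(observations, known_anycast=frozenset()):
    """Return {fingerprint: [probes]} for views that differ from the majority
    view and are not explained by a known anycast instance."""
    groups = defaultdict(list)
    for obs in observations:
        groups[fingerprint(obs)].append(obs["probe"])
    if len(groups) <= 1:
        return {}  # every vantage point saw the same host
    baseline = max(groups, key=lambda fp: len(groups[fp]))
    return {fp: sorted(probes) for fp, probes in groups.items()
            if fp != baseline and fp not in known_anycast}


if __name__ == "__main__":
    flagged = find_divergent(OBSERVATIONS, ANYCAST_INSTANCES)
    for fp, probes in flagged.items():
        print("possible hijack indicator:", fp, "seen from", probes)
```

Without the allowlist, the anycast instance seen by `p3` is flagged alongside `p4`, which is the false-positive case the reply calls out.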