Hi Sandy, Sandra Murphy wrote on 18/05/2018 17:43:
Are you going to do your own discovery of hijacks? Based on what?
At least at this stage we are using pre-processed data offered by services like BGPmon.net, Qrator.ru and Isolario. Perhaps folks running these services can elaborate on how an event/incident is defined/identified.
Is the start of the hijack the start of the incident? the report on nanog? the contact to the ISP?
Look at https://bgpstream.com/, for example. But, as Daniel Karrenberg commented after the presentation, the duration of an incident does not necessarily indicate the responsiveness of an ISP - an incident may come and go on its own. Given that the objective of this effort is to try to measure security posture of an ISP as it related to MANRS, number of distinct incidents looks like a better indicator.
Randy’s comment about active measurement gets at the same questions. It is much easier to know an incident has occurred and when it started if you are in control of the incident.
Yes, this is an interesting proposal. I doubt it can be scaled up to measure all 60+K ASNs, but for a smaller cooperative group (like MANRS members) we should explore this. As agreed at the session, I'll send a more detailed description of this project and methodology to this list, looking for comments and suggestions. Thank you Andrei