comment on Thu presentation on Measuring Routing Insecurity

I am curious about Andrei’s presentation (“Measuring Routing Insecurity”): How is an incident known? What do you use as the start of an incident, especially if you are going to try to measure mediation time?

Many hijacks mentioned on the nanog list bring responses from operators who had their own incidents to report that would otherwise have not been reported. So clearly not all are reported. Incidents mentioned on the nanog list sometimes lead to discovery of related hijacks by the same ISP. Many hijacks mentioned on the nanog list are discovered to have been going on for quite some time, like days. ISPs that have been propagating a hijack for days may not have been alerted that a hijack has occurred. Sometimes the message on nanog notes that the ISP has been contacted but has not responded.

Are you going to do your own discovery of hijacks? Based on what? Is the start of the hijack the start of the incident? the report on nanog? the contact to the ISP?

Randy’s comment about active measurement gets at the same questions. It is much easier to know an incident has occurred and when it started if you are in control of the incident.

—Sandy

Hi Sandy,

Sandra Murphy wrote on 18/05/2018 17:43:
> Are you going to do your own discovery of hijacks? Based on what?

At least at this stage we are using pre-processed data offered by services like BGPmon.net, Qrator.ru and Isolario. Perhaps folks running these services can elaborate on how an event/incident is defined/identified.

> Is the start of the hijack the start of the incident? the report on nanog? the contact to the ISP?

Look at https://bgpstream.com/, for example. But, as Daniel Karrenberg commented after the presentation, the duration of an incident does not necessarily indicate the responsiveness of an ISP - an incident may come and go on its own. Given that the objective of this effort is to try to measure security posture of an ISP as it relates to MANRS, number of distinct incidents looks like a better indicator.

> Randy’s comment about active measurement gets at the same questions. It is much easier to know an incident has occurred and when it started if you are in control of the incident.

Yes, this is an interesting proposal. I doubt it can be scaled up to measure all 60+K ASNs, but for a smaller cooperative group (like MANRS members) we should explore this. As agreed at the session, I'll send a more detailed description of this project and methodology to this list, looking for comments and suggestions.

Thank you

Andrei

participants (2): Andrei Robachevsky, Sandra Murphy