Dear colleagues, in case you are not following MAT-WG mailing-list: this was posted there yesterday (text bellow). To see the whole thread, start here: http://www.ripe.net/ripe/mail/archives/mat-wg/2013-April/000273.html Any comments, ideas, feedback? Please have a discussion on the MAT-WG list, or, if you prefer to reply on this list, I will collect your feedback & bring it to the mat-wg. Thanks, Vesna -------- Original Message -------- Subject: [mat-wg] Measuring IP address hijacking with RIPE Atlas? Date: Wed, 17 Apr 2013 16:01:18 +0200 From: Anatole Shaw <ripemat@omni.poc.net> To: mat-wg@ripe.net Currently I work with Greenhost, which is a RIPE LIR that was recently the recipient of a malicious route advertisement, as described here: https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/ IP address hijacking is a real problem. How often does it happen? Which networks are being spoofed, and which networks are the victims? My sense is that we don't have solid up-to-date answers to these questions. I have some thoughts about how to detect successful IP hijacking, using empirical measurements taken from multiple network vantagepoints. I'll hold off on details for now, but I'm aware that the answer is *not* simple analysis of AS paths or traceroute output, both of which are increasingly spoofed. It seems like the RIPE Atlas probe network would be an ideal platform for this type of study. Does such a study already exist? How does one begin to propose a RIPE Atlas project? Regards, Anatole Shaw