Update on PHAS (ref Youtube hijack)

From: Mohit Lad (no email)
Date: Sat Mar 01 2008 - 23:47:26 EST

  • Next message: Greg VILLAIN: "Re: [admin] [summary] RE: YouTube IP Hijacking"

    Dear all,

    Discussions on the recent Youtube incident raised the question of the
    availability of our project PHAS (Prefix Hijack Alert System).
    http://phas.netsec.colostate.edu/
    Unfortunately, the timing of the hijack coincided with our
    transitioning to the next stage of PHAS, thus it was unavailable at
    the time. We have switched back to the last stable version and the
    site is fully functional now. We apologize for the inconvenience.

    For people not familiar with PHAS, we analyze BGP updates received
    from different vantage points and maintain 3 sets for each prefix.
    1. Origin set
    2. Last hop set
    3. Sub-prefix set
    Anyone may register with PHAS for the prefixes he/she wants to watch,
    and select the types of alarms of interest. Each time the set changes,
    an email is sent to the registered email addresses.

    If you want to get an idea of the alarms generated, you can register
    for one or more active prefixes that are constantly generating alarms
    as seen in
    http://phas.netsec.colostate.edu/stat.html

    For the youtube hijack case:
    1. since a more specific prefix was observed for youtube's prefix,
    PHAS caught the incident as a "sub-prefix set change" and an alarm was
    generated.

    2. PHAS does not rely on information from IRR, so any manipulations to
    IRR (or outdated entries) would not affect PHAS.

    3. Some folks questioned whether PHAS would detect cases of hijack where
    the origin AS was unchanged: from the above, one can see that PHAS catches
    any sub-prefix announcements, and any changes to the last hop (i.e.
    the next hop to the origin AS).

    It is true that the current version of PHAS does not detect AS path
    manipulations beyond the last hop. We are developing solutions to this
    problem and hope to combine the new solution into PHAS soon.

    Our recent results also show that the farther away from the origin the
    hijacker inserts his AS number, the less impact it would have on the
    Internet. For folks interested in how the impact of a hijack may vary
    depending on which prefix is involved and the hijacker's location, we
    have a paper in DSN 2007 with some interesting results.
    http://www.cs.ucla.edu/~mohit/cameraReady/hijack-dsn.pdf

    Thanks

    -Mohit
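To make the three-set mechanism and its stated blind spot concrete, here is an added example that is not PHAS code and not part of the original post. It keeps an origin set, a last-hop set and a sub-prefix set per watched prefix, alarms whenever a set grows, and then replays a constructed update stream: a prepended but legitimate path, a more-specific announcement (the YouTube pattern), a same-origin last-hop change, and a hijacker AS inserted beyond the last hop, which yields no alarm exactly as the post says. The class and function names are assumptions, and all prefixes and AS numbers are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict


class PrefixSetMonitor:
    """Hypothetical PHAS-style monitor (assumed design, not PHAS's code).

    For each watched prefix it tracks three sets learned from BGP updates:
    origin ASes, last hops (the AS adjacent to the origin in the AS path)
    and observed sub-prefixes. Any growth of a set produces an alarm.
    """

    def __init__(self, watched):
        self.watched = [ipaddress.ip_network(p) for p in watched]
        self.origin = defaultdict(set)
        self.last_hop = defaultdict(set)
        self.sub_prefix = defaultdict(set)

    @staticmethod
    def _dedupe(as_path):
        # Collapse AS path prepending (64500 64500 64500 -> 64500) so that a
        # prepended origin is not mistaken for its own last hop.
        out = []
        for asn in as_path:
            if not out or out[-1] != asn:
                out.append(asn)
        return out

    def process_update(self, prefix, as_path, learn=False):
        """Feed one announcement (prefix, AS path from vantage point to origin).

        Returns a list of (watched_prefix, alarm_type, new_value) tuples.
        With learn=True the sets are populated silently (baseline).
        """
        net = ipaddress.ip_network(prefix)
        path = self._dedupe(as_path)
        alarms = []
        for w in self.watched:
            if net == w:
                origin = path[-1]
                last_hop = path[-2] if len(path) > 1 else None
                checks = (("origin", self.origin, origin),
                          ("last hop", self.last_hop, last_hop))
                for name, store, value in checks:
                    if value is not None and value not in store[w]:
                        store[w].add(value)
                        if not learn:
                            alarms.append((str(w), f"{name} set change", value))
            elif net.version == w.version and net != w and net.subnet_of(w):
                # A more specific announcement: the YouTube-style hijack.
                if net not in self.sub_prefix[w]:
                    self.sub_prefix[w].add(net)
                    if not learn:
                        alarms.append((str(w), "sub-prefix set change", str(net)))
        return alarms


def run_scenario():
    """Replay a constructed update stream and return the alarms per step."""
    mon = PrefixSetMonitor(["203.0.113.0/24"])
    # Baseline from two vantage points: origin 64500 behind upstream 64497.
    for path in ([64496, 64497, 64500], [64498, 64497, 64500]):
        mon.process_update("203.0.113.0/24", path, learn=True)

    # Constructed updates (documentation prefixes and private-range ASNs).
    updates = [
        # Legitimate path with origin prepending: no set changes.
        ("prepend", "203.0.113.0/24", [64499, 64497, 64500, 64500]),
        # More-specific prefix from a foreign origin: sub-prefix alarm.
        ("subprefix", "203.0.113.0/25", [64496, 64511]),
        # Same origin, but a new AS adjacent to it: last-hop alarm.
        ("lasthop", "203.0.113.0/24", [64496, 64511, 64500]),
        # Hijacker AS inserted beyond the last hop: origin and last hop
        # unchanged, so this monitor (like PHAS as described) stays silent.
        ("deep", "203.0.113.0/24", [64496, 64511, 64497, 64500]),
    ]
    return {label: mon.process_update(p, path) for label, p, path in updates}


if __name__ == "__main__":
    for label, alarms in run_scenario().items():
        print(f"{label:10s} {alarms if alarms else 'no alarm'}")
```

Note that the "deep" case is the gap the post acknowledges: a path forged further from the origin changes neither set, so a monitor built only on origin and last hop cannot see it, which is also why the post's observation that such insertions have less impact matters in practice.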

