Je suis un homme du siècle dernier, j’essaie de m’adapter, mais je n’en ai pas vraiment envie.
“But there’s actually been a significant uptick this year in a completely different kind of attack, one that can be carried out by anybody, at a distance, using Internet route hijacking. [...] In practical terms, this means that Man-In-the-Middle BGP route hijacking has now moved from a theoretical concern to something that happens fairly regularly, and the potential for traffic interception is very real.”
How fast can the current monitoring tools detect such abnormal routes and their BGP announcements ? How are the fishy route variations discriminated from the acceptable ones ? How far can that be automated ? Whitelisting ? Blacklisting ?
How fast: depends if the tool polls (for instance by downloading RouteViews) or have near-real-time BGP updates (a real BGP feed). Discriminated? From static configs (the same you have in the IRRs) you have to maintain by hand (painful). Automated? Almost impossible, BGP is a real mess.
False positives are indeed a big problem with these BGP alarm systems.
