-------- Forwarded Message --------
Subject: [apops] new BGP hijack & visibility tool “BGPalerter”
Date: Wed, 14 Aug 2019 17:06:59 +0200
From: Job Snijders <job(a)ntt.net>
To: Massimo Candela <massimo(a)us.ntt.net>, apops(a)apops.net <apops(a)apops.net>

Dear APOPS,

Recently NTT investigated how to best monitor the visibility of our own
and our subsidiaries’ IP resources in the BGP Default-Free Zone. We were
specifically looking at how to get near real-time alerts funneled into an
actionable pipeline for our NOC & Operations department when BGP hijacks
happen.

Previously we relied on a commercial “BGP Monitoring as a Service”
offering, but with the advent of RIPE NCC’s “RIS Live” streaming API [1]
we saw greater potential for a self-hosted approach designed
specifically for custom integrations with various business processes. We
decided to write our own tool “BGPalerter” and share the source code
with the Internet community.

BGPalerter allows operators to specify in great detail how to distribute
meaningful information from the firehose from various BGP data sources
(we call them “connectors”), through data processors (called
“monitors”), finally outputted through “reports” into whatever mechanism
is appropriate (Slack, IRC, email, or a call to your ticketing system’s
API).

The source code is available on GitHub, under a liberal open source
license to foster community collaboration:

https://github.com/nttgin/BGPalerter

If you wish to contribute to the project, please use GitHub’s “issues”
or “pull request” features. Any help is welcome! We’d love suggestions
for new features, updates to the documentation, help with setting up a
CI regression testing pipeline, or packaging for common platforms.

Kind regards,

Job & Massimo
NTT Ltd

[1]: https://ris-live.ripe.net/
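
The monitor and report stages described in the announcement above, as an added example that is not part of the original email and is not BGPalerter's own code: an origin-AS check over messages shaped like RIS Live `ris_message` UPDATEs. The function names are hypothetical, and the prefixes, ASNs and sample messages are constructed from documentation ranges; only IPv4 is handled.

```javascript
// Added example, not BGPalerter code. Message fields follow the RIS Live
// "ris_message" UPDATE layout; all prefixes, ASNs and messages are constructed.
const MONITORED = [
  { prefix: "192.0.2.0/24", origin: 64500 },
  { prefix: "198.51.100.0/24", origin: 64501 },
];

// Parse "a.b.c.d/len" into an unsigned 32-bit address and a prefix length.
function parseV4(cidr) {
  const [addr, len] = cidr.split("/");
  return { net: addr.split(".").reduce((n, o) => n * 256 + Number(o), 0), len: Number(len) };
}

// True when `candidate` equals `monitored` or is a more-specific of it.
function covers(monitored, candidate) {
  const m = parseV4(monitored), c = parseV4(candidate);
  if (c.len < m.len) return false;
  const size = 2 ** (32 - m.len); // addresses inside the monitored prefix
  return Math.floor(c.net / size) === Math.floor(m.net / size);
}

// "Monitor" stage: turn one message into zero or more alerts.
function hijackMonitor(msg) {
  const d = msg.data || {};
  if (msg.type !== "ris_message" || d.type !== "UPDATE" || !d.path?.length) return [];
  // Origin is the last hop; an AS_SET (array) never equals a number, so it alerts.
  const seen = d.path[d.path.length - 1];
  const alerts = [];
  for (const ann of d.announcements || []) {
    for (const announced of ann.prefixes) {
      if (announced.includes(":")) continue; // IPv6 is out of scope here
      for (const m of MONITORED) {
        if (covers(m.prefix, announced) && seen !== m.origin) {
          alerts.push({ monitored: m.prefix, announced, expected: m.origin, seen, peer: d.peer });
        }
      }
    }
  }
  return alerts;
}

// "Report" stage: a one-line summary a chat or ticketing hook could send.
function report(a) {
  return `possible hijack of ${a.monitored}: ${a.announced} originated by AS${a.seen}, expected AS${a.expected} (peer ${a.peer})`;
}

// Constructed sample stream: one legitimate update, one more-specific from a wrong origin.
const upd = (path, prefixes) => ({ type: "ris_message", data: { type: "UPDATE", peer: "203.0.113.1", path, announcements: [{ next_hop: "203.0.113.1", prefixes }] } });
const SAMPLE = [upd([64510, 64500], ["192.0.2.0/24"]), upd([64510, 64666], ["192.0.2.128/25", "203.0.113.0/24"])];
const alerts = SAMPLE.flatMap(hijackMonitor);
alerts.forEach((a) => console.log(report(a)));
```
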

In response to feedback from operational security communities,
CAIDA's source address validation measurement project
(https://spoofer.caida.org) is automatically generating monthly
reports of ASes originating prefixes in BGP for systems from which
we received packets with a spoofed source address.

We are publishing these reports to network and security operations
lists in order to ensure this information reaches operational
contacts in these ASes.

This report summarises tests conducted within ind.

Inferred improvements during Jul 2019:
none inferred

Source Address Validation issues inferred during Jul 2019:

ASN      Name               First-Spoofed   Last-Spoofed
24560    AIRTELBROADBAND    2016-03-12      2019-07-22
55836    RELIANCEJIO-IN     2017-03-03      2019-07-30
132976   KINGSBROADBAND     2018-09-17      2019-07-23
9829     BSNL-NIB           2019-03-07      2019-07-22
23860    ALLIANCE-GATEWAY   2019-07-31      2019-07-31

Further information for these tests where we received spoofed
packets is available at:
https://spoofer.caida.org/recent_tests.php?country_include=ind&no_block=1

Please send any feedback or suggestions to spoofer-info(a)caida.org