
Artemis – Neutralizing BGP hijacking within a minute - okket
https://blog.apnic.net/2018/07/19/artemis-neutralizing-bgp-hijacking-within-a-minute/
======
nickcw
This looks great at monitoring and detection.

However the mitigation strategies look weak.

The two mitigation techniques are

> The first one is based on a ‘do-it-yourself’ approach, where the network
> reacts by prefix de-aggregation in order to attract traffic back to its own
> routers. This technique is effective for all unfiltered prefixes, less
> specific than /24.

I can't see this being very useful in practice - surely the attackers will
just advertise /24s anyway.

E.g. the high-profile attack on Amazon DNS was by announcing a more specific
/24.

> For attacks on /24 prefixes, ARTEMIS can enable a mitigation solution
> similar to the DDoS protection as-a-service offered today. In particular,
> the affected AS can request that other (collaborating) networks announce the
> hijacked prefix from their own premises (multiple origin AS), and then
> tunnel the traffic they attract back to the victim (for example, via the
> victim’s upstream providers).

Well, that would work, but it requires a whole lot of setup in advance. Perhaps
someone like Cloudflare will offer this as a service; otherwise I can't see it
being widely deployed, as it is lots of tricky network configuration in core
routers, which (in my experience) operators tend to be very cautious about.

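The two mitigation techniques quoted above, worked through as an added example (this is not ARTEMIS code, and the prefixes, ASNs and BGP updates are constructed: 198.51.100.0/22 originated by AS64500, with AS64511 as the hijacker). It classifies control-plane updates against a local prefix/origin list and computes the "do-it-yourself" de-aggregation response, which comes back empty as soon as the hijacked announcement is already a /24, i.e. exactly the case where the second, collaborative technique is needed:

```python
"""Added example: control-plane hijack classification plus the prefix
de-aggregation mitigation. Not code from the ARTEMIS project."""
import ipaddress
from dataclasses import dataclass

# Constructed configuration (documentation range, private ASN): the prefixes we
# legitimately originate and the origin AS each one must carry.
MY_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/22"): 64500,
}

# Most-specific IPv4 length that transit networks generally accept; anything
# longer is filtered, so de-aggregation cannot go past it.
MAX_SPECIFIC = 24


@dataclass(frozen=True)
class Update:
    """A received BGP announcement: prefix plus AS path (origin is the last hop)."""
    prefix: str
    as_path: tuple


def classify(update):
    """Control-plane check only (data-plane detours are invisible here).

    Returns None for a benign update, otherwise (kind, our_prefix, origin_asn).
    """
    net = ipaddress.ip_network(update.prefix)
    origin = update.as_path[-1]
    for mine, my_asn in MY_PREFIXES.items():
        if net == mine:
            # Same prefix from a different origin: multiple-origin-AS conflict.
            return None if origin == my_asn else ("exact-prefix MOAS", str(mine), origin)
        if net.subnet_of(mine):
            # A more-specific inside our block wins longest-prefix match everywhere.
            return None if origin == my_asn else ("sub-prefix", str(mine), origin)
    return None


def deaggregate(hijacked):
    """'Do-it-yourself' mitigation: announce more-specifics for the hijacked range.

    Design choice in this example: go straight to /24 rather than one bit more
    specific, so the hijacker cannot respond by going one bit longer again.
    Returns [] when the hijacked announcement is already /24 or longer, because
    nothing more specific would be accepted by other networks.
    """
    if hijacked.prefixlen >= MAX_SPECIFIC:
        return []
    return [str(p) for p in hijacked.subnets(new_prefix=MAX_SPECIFIC)]


def respond(update):
    """Classify an update and, if it is a hijack, compute the prefixes to announce."""
    verdict = classify(update)
    if verdict is None:
        return {"hijack": None, "origin": None, "announce": []}
    kind, _mine, origin = verdict
    hijacked = ipaddress.ip_network(update.prefix)
    return {"hijack": kind, "origin": origin, "announce": deaggregate(hijacked)}


# Constructed sample updates (AS64496 is a transit AS, AS64511 the hijacker).
BENIGN = Update("198.51.100.0/22", (64496, 64500))
MOAS_HIJACK = Update("198.51.100.0/22", (64496, 64511))
SUB23_HIJACK = Update("198.51.100.0/23", (64511,))
SUB24_HIJACK = Update("198.51.101.0/24", (64496, 64511))

if __name__ == "__main__":
    for u in (BENIGN, MOAS_HIJACK, SUB23_HIJACK, SUB24_HIJACK):
        r = respond(u)
        print(f"{u.prefix:18} origin AS{u.as_path[-1]}: {r['hijack'] or 'benign'}; "
              f"de-aggregate to {r['announce'] or 'nothing (need MOAS/tunnel mitigation)'}")
```

Run as-is: the /22 MOAS and the /23 sub-prefix hijack both get a list of /24s to announce, while the /24 sub-prefix hijack gets an empty list, which is the commenter's point that a hijacker who announces /24s from the start leaves only the collaborative "announce and tunnel back" option.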
~~~
wmf
Several vendors offer scrubbing as a service already, so it shouldn't require
any additional engineering to use it to try to mitigate BGP hijacking. How
effective it would be depends on how widely dispersed the scrubbers are, since
you're relying on the scrubbers being closer to users than the hijackers.

(Disclaimer: I didn't read the paper.)

------
peterwwillis
In case the page goes down, here is the ARTEMIS paper
[https://arxiv.org/pdf/1801.01085.pdf](https://arxiv.org/pdf/1801.01085.pdf)
and here is their website
[http://www.inspire.edu.gr/artemis/](http://www.inspire.edu.gr/artemis/).

Their wiki
[https://wiki.onosproject.org/display/ONOS/ARTEMIS%3A+an+Auto...](https://wiki.onosproject.org/display/ONOS/ARTEMIS%3A+an+Automated+System+against+BGP+Prefix+Hijacking)
has a quickstart guide. You install git, ExaBGP, Quagga, mininet, Java 8,
ONOS, Python 3 modules, configure ONOS, and then run it. Should be easy to get
a Vagrant node up to play with.

------
hueving
This is primarily a hijack detection framework with flexible operations on
detection. How to actually "neutralize" the attack is up to the operator and
there isn't really anything new offered in that regard from what I can tell.

~~~
maltalex
Moreover, it's only control-plane hijack detection which is the easier
problem. If a hijack is performed at the data-plane, good luck even detecting
it.

------
eecc
Can’t they sign route updates and get over it?

