Home Potential Prefix Hijacks Potential Sub-Prefix Hijacks Alert Notification Forum Hijack Search

There are two ways in which to receive IAR alerts. The first, is to register your email and AS number with the IAR website. The IAR will then email you each time an alert pertaining to one of your AS numbers is discovered. Please read more about this method here.

The second method, which eliminates false positives, involves running the light-weight IARTracker program on your server. This program regularly scans the list of recent alerts and compares them to the topology information that you provide. In the event that a suspicious route is found, an email will be sent to you. No registration is required and you do not reveal any network information with this method. Please read more about this method here.


Method 1: Email alerts

How to Subscribe
If you would like to be notified of alerts pertaining to particular Autonomous Systems (such as your own), then register yourself in the forum with your correct e-mail address and add the ASs you are interested in receiving alerts for in the field labeled "Monitor Autonomous Systems:"

What Messages will I Receive?
If one of the ASs you have listed is either the victim or originator of a suspicious route, you will be notified of the event via email. Multiple events with the same timestamp will be combined within a single email.

Privacy Notice:
Your registration is required to prevent spam. Your personal information will never be distributed to a third party without your permission. Data may be analyzed in an aggregated and anonymous fashion.


Method 2: The IAR Tracker tool

The IAR Tracker in detail
The IAR Tracker is a program that is run on your server. It reads the RSS feed of IAR alerts and compares the alerts to the list of legitimate prefixes and neighbors of your AS that you provide. True positive alerts are then forwarded on to your attention via email.

How do I download and install IAR Tracker?
Please download the tarball here. To install it, you must have python and sendmail on the host machine. Further documentation can be found within the tarball.

What does the configuration file look like?
The configuration file contains a list of prefixes and neighbors for each AS that you would like to monitor. For ASes in which you do not have complete information, you can configure the IAR tracker to send you all alerts pertaining to those AS numbers.

An example configuration file:

------ BEGIN FILE ------

# User information
scan time: 30
email: blah@blah.org
feed: http://iar.cs.unm.edu/rss.xml


# Watch list
Watch: 65041
Watch: 65042


# Topology information
BEGIN_ASN: 65002
   Prefix: 10.0.0.0/8
   Prefix: 192.168.1.0/24 :65041,65009

   BEGIN_GROUP: PEERS
      Neighbor: 65042
   END_GROUP: PEERS

   BEGIN_GROUP: PROVIDERS
      Neighbor: 65001
      Neighbor: 65022
   END_GROUP: PROVIDERS

   BEGIN_GROUP: CUSTOMERS
      Neighbor: 65041
   END_GROUP: CUSTOMERS

   # Standard export rules
   EXPORT: CUSTOMERS :PEERS,PROVIDERS,CUSTOMERS
   EXPORT: PEERS :CUSTOMERS
   EXPORT: PROVIDERS :CUSTOMERS
END_ASN: 65002

------ END FILE ------