nanog mailing list archives
Re: "Defensive" BGP hijacking?
From: Doug Montgomery <dougm.work () gmail com>
Date: Tue, 13 Sep 2016 15:09:57 -0400
If only there were a global system, with consistent and verifiable security properties, to permit address holders to declare the set of AS's authorized to announce their prefixes, and routers anywhere on the Internet to independently verify the corresponding validity of received announcements.

*cough https://www.nanog.org/meetings/abstract?id=2846 cough*

I now return us to our discussion of network police, questionnaires for network security, and the use of beer as a motivating force.

dougm

On Tue, Sep 13, 2016 at 2:51 PM, Mel Beckman <mel () beckman org> wrote:

> Blake,
>
> I concur that these are key questions. Probably _the_ key questions. The fabric of the Internet is today based on trust, and BGP's integrity is the core of that trust.
>
> I realize that BGP hijacking is not uncommon. However, this is the first time I've seen it used defensively. I don't see a way to ever bless this kind of defensive use without compromising that core trust. If Internet reachability depends on individual providers believing that they are justified in violating that trust when they are attacked, how can the Internet stand?
>
> In addition to the question posed to Bryant about whether he would take this action again, I would like to add: what about the innocent parties impacted by your actions? Or do you take the position there were no innocent parties in the hijacked prefixes?
>
> -mel via cell
>
> On Sep 13, 2016, at 11:40 AM, Blake Hudson <blake () ispn net> wrote:
>
>> Bryant Townsend wrote on 9/13/2016 2:22 AM:
>>> This was the point where I decided I needed to go on the offensive to protect myself, my partner, visiting family, and my employees. The actions proved to be extremely effective, as all forms of harassment and threats from the attackers immediately stopped.
>>
>> Bryant, what actions, exactly, did you take? This topic seems intentionally glossed over while you spend a much larger amount of time explaining the back story and your motivations rather than your actions.
>>
>> Questions I was left with:
>> 1. What prefixes have you announced without permission (not just this event)?
>> 2. How did you identify these prefixes?
>> 3. Did you attempt to contact the owner of these prefixes?
>> 4. Did you attempt to contact the origin or transit AS of these prefixes?
>> 5. What was the process to get your upstream AS to accept these prefix announcements?
>> 6. Was your upstream AS complicit in allowing you to announce prefixes you did not have authorization to announce?

-- DougM at Work
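
The check the message alludes to, as an added example that is not part of the original post: a received announcement is compared against holder-declared prefix-to-AS authorizations, assuming the valid / invalid / not-found outcomes of RFC 6811 route origin validation. The table, prefixes and AS numbers are constructed from documentation ranges, and `Auth` and `validate` are hypothetical names.

```python
import ipaddress
from typing import NamedTuple


class Auth(NamedTuple):
    """One holder-declared authorization (hypothetical record layout)."""
    prefix: str      # address block the holder controls
    max_length: int  # longest more-specific prefix the holder permits
    origin_as: int   # AS authorized to originate the block


# Constructed sample table: documentation prefixes and documentation ASNs.
AUTHS = [
    Auth("192.0.2.0/24", 24, 64500),
    Auth("2001:db8::/32", 48, 64501),
]


def validate(prefix: str, origin_as: int, auths=AUTHS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for auth in auths:
        block = ipaddress.ip_network(auth.prefix)
        # Only authorizations of the same address family that contain the route count.
        if block.version != route.version or not route.subnet_of(block):
            continue
        covered = True
        # AS 0 never matches, so it marks a block that nobody may originate.
        if (auth.origin_as != 0 and auth.origin_as == origin_as
                and route.prefixlen <= auth.max_length):
            return "valid"
    # Covered but unmatched: wrong origin AS or a too-specific prefix.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS taken from the AS path).
    for pfx, asn in [
        ("192.0.2.0/24", 64500),
        ("192.0.2.0/24", 64510),
        ("192.0.2.128/25", 64500),
        ("2001:db8:1::/48", 64501),
        ("198.51.100.0/24", 64500),
    ]:
        print(f"{pfx:18} AS{asn}: {validate(pfx, asn)}")
```

A prefix with no covering declaration comes back as not-found rather than invalid, so the check only protects address space whose holder has published an authorization.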