[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
- Previous message (by thread): [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
- Next message (by thread): [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hank Nussbacher
hank at efes.iucc.ac.il
Wed Mar 20 15:54:04 CET 2019
If you are a victim (someone has abused your network), then just prove it and the policy won't apply, and the hivemind will even assist you in cleaning your router.

Regards,
-Hank

On Wed, 20 Mar 2019, Ricardo Patara wrote:

> On this line of one ISP trying to make damage to the other.
>
> One might abuse a vulnerable router (thousands out there), create a tunnel to
> it and announce hijacked blocks originated from the victim's ASN.
>
> Both the victim ASN and the vulnerable router owner would be damaged, and no traces
> of the criminal.
> How could they defend themselves to the so-called group of experts?
>
> And things in this line have happened already.
>
> Regards,
>
> On 20/03/2019 07:46, furio ercolessi wrote:
>> On Wed, Mar 20, 2019 at 11:01:30AM +0300, Andrey Korolyov wrote:
>>>> And when everything is made clear, if a report is filed against AS1, AS1's
>>>> holder might have a problem, so I see a strong reason for not even trying
>>>> :-)
>>>
>>> Out of interest, take an AS1 with a single malicious upstream AS2; what stops
>>> AS2 from pretending that AS1 has made bogus announcements and making them for its
>>> own purposes? This situation looks pretty real without RPKI or other
>>> advertisement strengthening methods, as I could see. How are experts
>>> supposed to behave in this situation?
>>
>> This has been seen many times, even chain situations like
>>
>>   <upstreams and peers> - AS X
>>                               \
>>                 AS 3 - AS 2 - AS 1
>>                               /
>>   <upstreams and peers> - AS Y
>>
>> where X and Y are legitimate ISPs, while {1,2,3} is basically a single rogue
>> entity - or a set of rogue entities closely working together with a common
>> criminal goal.
>>
>> In such a setup, AS 1 should be considered as the most "throw-away" resource,
>> while AS 3 would play the "customer of customer, not my business" role,
>> and AS 2 would play the "I notified my customer and will disconnect them
>> if they continue" role. When AS 1 is burnt, a new one is made - with
>> new people as contacts, new IP addresses, etc., so that no obvious correlation
>> can be made. Most of the bad guys' infrastructure is in AS 3 and that remains
>> pretty stable because their bad nature cannot be easily demonstrated.
>>
>> Whatever set of rules is made against hijacking, it should be assumed that
>> these groups will do everything to get around those rules, and many AS's
>> can be used to this end. Since there is no shortage of AS numbers, I
>> assume that anybody can get one easily so they can change them as if they
>> were underwear.
>>
>> And yes, unallocated AS's in the AS 1 position, announcing unallocated IPs,
>> have also been seen. Those are even easier to get :-)
>>
>> So the ideal scheme to counteract BGP hijacking should be able to climb up
>> the BGP tree in some way, until "real" ISPs are reached.
>>
>> Nice discussion!
>>
>> furio ercolessi
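A defender-side illustration of the point made in the quoted discussion, that the throw-away AS 1 keeps changing while AS 2 and AS 3 stay stable, and that a counter-scheme should climb the BGP tree until "real" ISPs are reached. This is an added example, not code from the thread or from any RIPE tooling; the incidents, AS numbers (private-use range) and prefixes (documentation ranges) are constructed, and the set of known-legitimate ISPs is assumed to be supplied by the analyst.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: each hijack incident is (hijacked prefix, AS path as
# seen from a route collector; leftmost = vantage point, rightmost = origin).
# 65101/65102/65103 play the disposable "AS 1" role, 65002 is "AS 2",
# 65003 is "AS 3", and 64600/64601 are the legitimate ISPs X and Y.
INCIDENTS: List[Tuple[str, List[int]]] = [
    ("192.0.2.0/24",    [64600, 65003, 65002, 65101]),
    ("198.51.100.0/24", [64600, 65003, 65002, 65102]),
    ("203.0.113.0/24",  [64601, 65003, 65002, 65102, 65102]),  # prepended origin
    ("203.0.113.0/24",  [64601, 65003, 65002, 65103]),
    ("192.0.2.0/24",    [64601, 64700, 65300]),  # unrelated one-off incident
]
LEGITIMATE_ISPS: Set[int] = {64600, 64601}  # assumed analyst-supplied allow-list

def upstream_exposure(incidents, legitimate):
    """Climb each hijack's AS path from the origin towards the vantage point,
    stopping at the first AS assumed to be a legitimate ISP.  For every
    intermediate AS return (incidents it carried, distinct hijack origins it
    carried), so a stable AS sitting behind many burnt origins stands out."""
    incident_count: Dict[int, int] = defaultdict(int)
    origins: Dict[int, Set[int]] = defaultdict(set)
    for _prefix, path in incidents:
        origin = path[-1]
        seen: Set[int] = set()
        for asn in reversed(path[:-1]):
            if asn in legitimate:
                break          # reached a "real" ISP: stop climbing
            if asn == origin or asn in seen:
                continue       # ignore AS-path prepending and loops
            seen.add(asn)
            incident_count[asn] += 1
            origins[asn].add(origin)
    return {asn: (incident_count[asn], len(origins[asn])) for asn in incident_count}

def rank_stable_intermediaries(incidents, legitimate, min_origins=2):
    """ASNs that fronted at least min_origins distinct hijack origins, most
    exposed first: the AS 2 / AS 3 candidates worth escalating to their own
    upstreams, rather than the disposable AS 1 that will simply be replaced."""
    exposure = upstream_exposure(incidents, legitimate)
    flagged = [a for a, (_n, o) in exposure.items() if o >= min_origins]
    return sorted(flagged, key=lambda a: (-exposure[a][1], -exposure[a][0], a))

if __name__ == "__main__":
    for asn, (n, o) in sorted(upstream_exposure(INCIDENTS, LEGITIMATE_ISPS).items()):
        print(f"AS{asn}: {n} incidents, {o} distinct hijack origins")
    print("stable intermediaries:", rank_stable_intermediaries(INCIDENTS, LEGITIMATE_ISPS))
```

The one-off transit 64700 is not flagged because it carried a single origin, while 65002 and 65003 are flagged for carrying three distinct burnt origins each.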