[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Ricardo Patara
ricpatara at gmail.com
Wed Mar 20 16:11:24 CET 2019
> If you are a victim (someone has abused your network), then just prove it and
> the policy won't apply and the hivemind will even assist you in cleaning your
> router.

I've seen cases where it is hard to prove you didn't do anything wrong.

> Regards,
> -Hank
>
>> On this line of one ISP trying to do damage to another.
>>
>> One might abuse a vulnerable router (thousands out there), create a tunnel to
>> it and announce hijacked blocks originated from the victim's ASN.
>>
>> Both the victim ASN and the vulnerable router owner would be damaged, and no traces
>> of the criminal.
>> How could they defend themselves to the so-called group of experts?
>>
>> And things along this line have happened already.
>>
>> Regards,
>>
>> On 20/03/2019 07:46, furio ercolessi wrote:
>>> On Wed, Mar 20, 2019 at 11:01:30AM +0300, Andrey Korolyov wrote:
>>>>>
>>>>> And when everything is made clear, if a report is filed against AS1, AS1's
>>>>> holder might have a problem, so I see a strong reason for not even trying
>>>>> :-)
>>>>>
>>>> Out of interest, take an AS1 with a single malicious upstream AS2: what stops
>>>> AS2 from pretending that AS1 has made bogus announcements and making them for its
>>>> own purposes? This situation looks pretty real without RPKI or other
>>>> advertisement strengthening methods, as I could see. How are experts
>>>> supposed to behave in this situation?
>>>
>>> This has been seen many times, even chain situations like
>>>
>>> <upstreams and peers> - AS X
>>>                              \
>>>                               AS 3 - AS 2 - AS 1
>>>                              /
>>> <upstreams and peers> - AS Y
>>>
>>> where X and Y are legitimate ISPs, while {1,2,3} is basically a single rogue
>>> entity - or a set of rogue entities closely working together with a common
>>> criminal goal.
>>>
>>> In such a setup, AS 1 should be considered as the most "throw-away" resource,
>>> while AS 3 would play the "customer of customer, not my business" role,
>>> and AS 2 would play the "I notified my customer and will disconnect them
>>> if they continue" role. When AS 1 is burnt, a new one is made - with
>>> new people as contacts, new IP addresses, etc., so that no obvious correlation
>>> can be made. Most of the bad guys' infrastructure is in AS 3 and that remains
>>> pretty stable because their bad nature can not be easily demonstrated.
>>>
>>> Whatever set of rules is made against hijacking, it should be assumed that
>>> these groups will do everything to get around those rules, and many AS's
>>> can be used to this end. Since there is no shortage of AS numbers, I
>>> assume that anybody can get one easily so they can change them as if they
>>> were underwear.
>>>
>>> And yes, unallocated AS's in the AS 1 position, announcing unallocated IPs,
>>> have also been seen. Those are even easier to get :-)
>>>
>>> So the ideal scheme to counteract BGP hijacking should be able to climb up
>>> the BGP tree in some way, until "real" ISPs are reached.
>>>
>>> Nice discussion!
>>>
>>> furio ercolessi
>>>
>>
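The thread above twice touches on what a network on the X/Y side of the diagram can actually verify on its own: Andrey asks what RPKI changes when AS2 forges announcements in AS1's name, and furio argues that any scheme has to "climb up the BGP tree" past the throw-away origin. The following is an added example, written for this page and not code from the thread or from any RIPE tooling. It implements RFC 6811 Route Origin Validation (valid / invalid / notfound) over a constructed set of ROAs and announcements, using documentation prefixes (RFC 5737, RFC 3849) and private-use AS numbers as sample data, and for an invalid route it lists the ASes that propagated it in the order a defender would escalate: nearest to the origin first. The `ROA`, `rov_state` and `check_announcement` names are this example's own.

```python
"""RFC 6811 Route Origin Validation over constructed sample data.

Added example for this thread; none of it is the mailing list's or RIPE's code.
All prefixes and AS numbers below are constructed (documentation ranges and
private-use ASNs), not real ROAs or real announcements.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # covered prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin may announce under it
    origin_as: int    # authorised origin ASN


# Constructed ROAs: the (hypothetical) victim AS 64496 has signed both blocks.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]


def covering_roas(roas, prefix):
    """ROAs whose prefix covers the announced prefix (RFC 6811, 'covered')."""
    net = ipaddress.ip_network(prefix)
    result = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises TypeError across address families, so filter first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            result.append(roa)
    return result


def rov_state(roas, prefix, origin_as):
    """Return 'valid', 'invalid' or 'notfound' for (prefix, origin) per RFC 6811."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "notfound"            # no ROA speaks about this prefix at all
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"           # a matching ROA authorises this origin
    return "invalid"                 # covered, but no ROA matches origin+length


def check_announcement(roas, prefix, as_path):
    """Validate one BGP announcement.

    as_path is the AS_PATH as received, left to right (nearest neighbour first,
    origin last).  Returns (state, origin_as, upstreams); upstreams is the list
    of ASes that propagated the route, nearest to the origin first, which is
    the order in which a defender would 'climb' the path on an invalid route.
    """
    origin = as_path[-1]
    state = rov_state(roas, prefix, origin)
    upstreams = list(reversed(as_path[:-1]))
    return state, origin, upstreams


# Constructed announcements as they might be seen from a legitimate ISP (AS X):
#   - the genuine route from AS 64496
#   - the thread's chain: AS 3 (64501) - AS 2 (64513) - AS 1 (64512), with the
#     throw-away AS 1 as origin of the victim's prefix
#   - an unrelated prefix with no ROA at all
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64500, 64496]),
    ("192.0.2.0/24", [64501, 64513, 64512]),
    ("198.51.100.0/24", [64500, 64502]),
]


def audit(roas, announcements):
    """Run ROV over every announcement; returns a list of result tuples."""
    return [(prefix, path) + check_announcement(roas, prefix, path)
            for prefix, path in announcements]


if __name__ == "__main__":
    for prefix, path, state, origin, upstreams in audit(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS):
        print(f"{prefix:18} origin AS{origin:<6} {state:8} path={path}")
        if state == "invalid":
            print(f"    propagated by (nearest first): {upstreams}")
```

Two things the output makes concrete. ROV answers the question the thread leaves open only partially: whether AS1 announced the prefix or AS2 forged it in AS1's name, the route is `invalid` either way at any ISP that drops invalids, because neither ASN appears in a ROA for that prefix. And the `upstreams` list is the mechanical form of "climbing the tree": the reporting trail runs AS2, then AS3, and only then reaches the first party with a stable, accountable presence.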