[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Sascha Luck [ml]
aawg at c4inet.net
Wed Mar 20 16:12:29 CET 2019
>If you are a victim (someone has abused your network), then just prove
>it and the policy won't apply and the hivemind will even assist you in
>cleaning your router.

LOL, two of the oldest lies in history neatly rolled into one
statement:
"If you have done nothing wrong you have nothing to fear" and
"I'm from $agency, I'm here to help you"

rgds,
Sascha Luck

>
>Regards,
>-Hank
>
>>On this line of one ISP trying to make damage to other.
>>
>>One might abuse a vulnerable router (thousand out there), create a
>>tunnel to it and announce hijacked blocks originated from victims
>>ASN.
>>
>>Both, victim ASN and vulnerable router owner, would be damaged and
>>no traces of criminal.
>>How could they defend themselves to the so called group of experts?
>>
>>And things in this line had happened already.
>>
>>Regards,
>>
>>On 20/03/2019 07:46, furio ercolessi wrote:
>>>On Wed, Mar 20, 2019 at 11:01:30AM +0300, Andrey Korolyov wrote:
>>>>>
>>>>>
>>>>>And when everything is made clear, if a report is filed
>>>>>against AS1, AS1's holder might have a problem, so i see a
>>>>>strong reason for not even trying :-)
>>>>>
>>>>>
>>>>Out of interest, take an AS1 with single malicious upstream AS2,
>>>>what stops AS2 to pretend that AS1 has made bogus announcements
>>>>and make them for its own purposes? This situation looks pretty
>>>>real without RPKI or other advertisement strengthening methods,
>>>>as I could see. How experts are supposed to behave in this
>>>>situation?
>>>
>>>This has been seen many times, even chain situations like
>>>
>>><upstreams and peers> - AS X
>>>                            \
>>>                             AS 3 - AS 2 - AS 1
>>>                            /
>>><upstreams and peers> - AS Y
>>>
>>>where X and Y are legitimate ISPs, while {1,2,3} is basically a
>>>single rogue entity - or a set of rogue entities closely working
>>>together with a common criminal goal.
>>>
>>>In such a setup, AS 1 should be considered as the most
>>>"throw-away" resource, while AS 3 would play the "customer of
>>>customer, not my business" role, and AS 2 would play the "i
>>>notified my customer and will disconnect them if they continue"
>>>role. When AS 1 is burnt, a new one is made - with new people as
>>>contacts, new IP addresses, etc, so that no obvious correlation
>>>can be made. Most of the bad guys infrastructure is in AS 3 and
>>>that remains pretty stable because their bad nature can not be
>>>easily demonstrated.
>>>
>>>Whatever set of rules is made against hijacking, it should be
>>>assumed that these groups will do everything to get around those
>>>rules, and many AS's can be used to this end. Since there is no
>>>shortage of AS numbers, I assume that anybody can get one easily
>>>so they can change them as if they were underwear.
>>>
>>>And yes, unallocated AS's in the AS 1 position, announcing
>>>unallocated IPs, have also been seen. Those are even easier to
>>>get :-)
>>>
>>>So the ideal scheme to counteract BGP hijacking should be able to
>>>climb up the BGP tree in some way, until "real" ISPs are reached.
>>>
>>>Nice discussion!
>>>
>>>furio ercolessi