This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
- Previous message (by thread): [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
- Next message (by thread): [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hank Nussbacher
hank at efes.iucc.ac.il
Wed Mar 20 15:54:04 CET 2019
On Wed, 20 Mar 2019, Ricardo Patara wrote: If you are a victim (someone has abused your network), then just prove it and the policy won't apply and the hivemind will even assist you in cleaning your router. Regards, -Hank > On this line of one ISP trying to make damage to other. > > One might abuse a vulnerable router (thousand out there), create a tunnel to > it and announce hijacked blocks originated from victims ASN. > > Both, victim ASN and vulnerable router owner, would be damaged and no traces > of criminal. > How could they defend themselves to the so called group of experts? > > And things in this line had happened already. > > Regards, > > On 20/03/2019 07:46, furio ercolessi wrote: >> On Wed, Mar 20, 2019 at 11:01:30AM +0300, Andrey Korolyov wrote: >>>> >>>> >>>> And when everything is made clear, if a report is filed against AS1, >>>> AS1's >>>> holder might have a problem, so i see a strong reason for not even trying >>>> :-) >>>> >>>> >>> Out of interest, take an AS1 with single malicious upstream AS2, what >>> stops >>> AS2 to pretend that AS1 has made bogus announcements and make them for its >>> own purposes? This situation looks pretty real without RPKI or other >>> advertisement strengthening methods, as I could see. How experts are >>> supposed to behave in this situation? >> >> This has been seen many times, even chain situations like >> >> <upstreams and peers> - AS X >> \ >> AS 3 - AS 2 - AS 1 >> / >> <upstreams and peers> - AS Y >> >> where X and Y are legitimate ISPs, while {1,2,3} is basically a single >> rogue >> entity - or a set of rogue entities closely working together with a common >> criminal goal. >> >> In such a setup, AS 1 should be considered as the most "throw-away" >> resource, >> while AS 3 would play the "customer of customer, not my business" role, >> and AS 2 would play the "i notified my customer and will disconnect them >> if they continue" role. When AS 1 is burnt, a new one is made - with >> new people as contacts, new IP addresses, etc, so that no obvious >> correlation >> can be made. Most of the bad guys infrastructure is in AS 3 and that >> remains >> pretty stable because their bad nature can not be easily demonstrated. >> >> Whatever set of rules is made against hijacking, it should be assumed that >> these groups will do everything to get around those rules, and many AS's >> can be used to this end. Since there is no shortage of AS numbers, I >> assume that anybody can get one easily so they can change them as if they >> were underwear. >> >> And yes, unallocated AS's in the AS 1 position, announcing unallocated IPs, >> have also been seen. Those are even easier to get :-) >> >> So the ideal scheme to counteract BGP hijacking should be able to climb up >> the BGP tree in some way, until "real" ISPs are reached. >> >> Nice discussion! >> >> furio ercolessi >> >> > >
- Previous message (by thread): [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
- Next message (by thread): [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]