[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
Carlos Friaças
cfriacas at fccn.pt
Wed Mar 20 21:53:57 CET 2019
Hi,

If someone falls in this case, I would expect them to be able to export logs into a different (preferably non-hacked) system, to facilitate an audit in case this is needed... ;-)

The spirit of this proposal is to value the core purpose of having a RIR, which is hindered by hijacks.

In my interpretation, someone who has his/her router hacked didn't knowingly violate the policy, because he/she didn't actually enable the config changes that generated the hijack. The attacker will then be responsible for generating the hijack, and thus the policy violation...

Regards,
Carlos

On Wed, 20 Mar 2019, JORDI PALET MARTINEZ via anti-abuse-wg wrote:

> Hi Ricardo,
>
> I've the feeling that if you're attacked, you will have some forensic info about that, or at least you will need to place a claim to authorities to prove it and try to minimize your responsibilities, like in the case of a GDPR breach, etc.
>
> In fact, if you haven't realized it and are still under attack, this kind of policy will help you to:
> 1) Know that your network is being misused by others
> 2) Engage with the community about that
> 3) Take the opportunity to learn about how to avoid it
>
> I'm convinced there are sufficient opportunities, through the process, to avoid creating trouble for innocents:
> 1st initial NCC validation of the info provided
> 2nd experts' evaluation
> 3rd your response to the experts' report
> 4th appeal
> 5th Board ratification
>
> I also believe that when what you describe happens, it will happen to several folks (not necessarily at the same time), so experts will consider it. You don't think so?
>
> Remember that in the extreme case (this is just life, whether we like it or not), if you are responsible for a network and it is being misused "because you did your job incorrectly", you are still responsible for the harm caused and even legal consequences and damages to third parties. If it was a vulnerability from the vendor, you can sue him as well.
>
> Regards,
> Jordi
>
>
> On 20/3/19 14:36, "anti-abuse-wg on behalf of Ricardo Patara" <anti-abuse-wg-bounces at ripe.net on behalf of ricpatara at gmail.com> wrote:
>
> > On this line of one ISP trying to make damage to another.
> >
> > One might abuse a vulnerable router (thousands out there), create a tunnel to it and announce hijacked blocks originated from the victim's ASN.
> >
> > Both the victim ASN and the vulnerable router owner would be damaged, and no traces of the criminal.
> > How could they defend themselves to the so-called group of experts?
> >
> > And things in this line have happened already.
> >
> > Regards,
> >
> > On 20/03/2019 07:46, furio ercolessi wrote:
> > > On Wed, Mar 20, 2019 at 11:01:30AM +0300, Andrey Korolyov wrote:
> > > > >
> > > > > And when everything is made clear, if a report is filed against AS1, AS1's
> > > > > holder might have a problem, so i see a strong reason for not even trying
> > > > > :-)
> > > > >
> > > >
> > > > Out of interest, take an AS1 with a single malicious upstream AS2: what stops
> > > > AS2 from pretending that AS1 has made bogus announcements and making them for its
> > > > own purposes? This situation looks pretty real without RPKI or other
> > > > advertisement strengthening methods, as far as I can see. How are experts
> > > > supposed to behave in this situation?
> > >
> > > This has been seen many times, even chain situations like
> > >
> > > <upstreams and peers> - AS X
> > >                             \
> > >                              AS 3 - AS 2 - AS 1
> > >                             /
> > > <upstreams and peers> - AS Y
> > >
> > > where X and Y are legitimate ISPs, while {1,2,3} is basically a single rogue
> > > entity - or a set of rogue entities closely working together with a common
> > > criminal goal.
> > >
> > > In such a setup, AS 1 should be considered as the most "throw-away" resource,
> > > while AS 3 would play the "customer of customer, not my business" role,
> > > and AS 2 would play the "i notified my customer and will disconnect them
> > > if they continue" role. When AS 1 is burnt, a new one is made - with
> > > new people as contacts, new IP addresses, etc, so that no obvious correlation
> > > can be made. Most of the bad guys' infrastructure is in AS 3 and that remains
> > > pretty stable because their bad nature can not be easily demonstrated.
> > >
> > > Whatever set of rules is made against hijacking, it should be assumed that
> > > these groups will do everything to get around those rules, and many AS's
> > > can be used to this end. Since there is no shortage of AS numbers, I
> > > assume that anybody can get one easily so they can change them as if they
> > > were underwear.
> > >
> > > And yes, unallocated AS's in the AS 1 position, announcing unallocated IPs,
> > > have also been seen. Those are even easier to get :-)
> > >
> > > So the ideal scheme to counteract BGP hijacking should be able to climb up
> > > the BGP tree in some way, until "real" ISPs are reached.
> > >
> > > Nice discussion!
> > >
> > > furio ercolessi
> > >
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
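The thread ends on the idea that a hijack check should look past the "throw-away" origin AS and climb the AS path until a known, legitimate ISP is reached. The script below is an added example, not code from anyone on this list: it compares constructed route announcements against the operator's expected origins (as an RPKI ROA or IRR route object would), flags exact and more-specific origin mismatches, and records the upstream chain from the bogus origin up to the first known ISP so the operator knows whom to contact. All ASNs, prefixes and the "known ISP" set are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: prefixes this operator holds and the ASNs allowed to originate them.
EXPECTED_ORIGINS = {
    "192.0.2.0/24": {64496},
    "198.51.100.0/24": {64497},
}
# Constructed: ASNs the operator treats as established, "real" ISPs (the top of the climb).
KNOWN_ISPS = {64500, 64501}


@dataclass
class Announcement:
    prefix: str
    as_path: list  # leftmost = ASN nearest the collector, rightmost = origin ASN


def expected_origins_for(prefix):
    """Expected origins for the exact prefix or any covering prefix we hold; None if not ours."""
    net = ipaddress.ip_network(prefix)
    for held, origins in EXPECTED_ORIGINS.items():
        cover = ipaddress.ip_network(held)
        if net.version == cover.version and net.subnet_of(cover):
            return origins
    return None


def classify(ann):
    """Return None when the announcement matches expectations, else a finding dict."""
    if not ann.as_path:
        return {"prefix": ann.prefix, "kind": "empty-path"}
    origin = ann.as_path[-1]
    expected = expected_origins_for(ann.prefix)
    if expected is None or origin in expected:
        return None  # not our space, or a legitimate origin (covers more-specifics we announce ourselves)
    # Climb from the origin towards the collector, de-duplicating prepends, until a known ISP appears.
    chain = []
    for asn in reversed(ann.as_path):
        if not chain or chain[-1] != asn:
            chain.append(asn)
        if asn in KNOWN_ISPS:
            break
    return {"prefix": ann.prefix, "kind": "origin-mismatch", "origin": origin,
            "expected": sorted(expected), "escalation_chain": chain}


def detect_hijacks(announcements):
    """Run classify() over a batch of announcements and keep only the findings."""
    return [f for f in (classify(a) for a in announcements) if f is not None]


SAMPLE_ANNOUNCEMENTS = [  # constructed: one legitimate route, one rogue-chain more-specific, one unrelated
    Announcement("192.0.2.0/24", [64500, 64496]),
    Announcement("192.0.2.0/25", [64501, 64503, 64503, 64502, 64499]),
    Announcement("203.0.113.0/24", [64500, 64498]),
]
```

Feeding real data means replacing SAMPLE_ANNOUNCEMENTS with routes from a collector feed and EXPECTED_ORIGINS with the operator's ROA or route-object data.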