Re: "Defensive" BGP hijacking?

Hello, We wanted to clarify that we are not the ones behind these attacks and we were not the ones behind the previous hijackings. We have also been the targets of DDoS attacks reaching up to 200+ Gbps (~20 times a day), every day since Krebs' original article that included our name. We believe th

Re: "Defensive" BGP hijacking?

Brian Krebs tweeted out that Prolexic reported a 665Gbps attack directed at his site. https://twitter.com/briankrebs/status/778398865619836928 On Tue, Sep 20, 2016 at 11:21 PM, Mel Beckman wrote: > While I was reading the krebsonsecurity.com article cited below, the > site, hosted at Akamai add

Re: "Defensive" BGP hijacking?

earlier on Twitter Krebs said he was hit by 665Gbps attack (so says Prolexic/Akamai). Could be ongoing/related. Justin Paine Head of Trust & Safety CloudFlare Inc. PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D On Tue, Sep 20, 2016 at 8:21 PM, Mel Beckman wrote: > While I w

Re: "Defensive" BGP hijacking?

While I was reading the krebsonsecurity.com article cited below, the site, hosted at Akamai address 72.52.7.144, became non responsive and now appears to be offline. Traceroutes stop before the Akamai-SWIPed border within Telia, as if blackholed (but adjacent IPs pass through to Akamai): tracer

Re: "Defensive" BGP hijacking?

Lucy, you got some (*serious*) 'splainin to do... http://research.dyn.com/2016/09/backconnects-suspicious-bgp-hijacks/ http://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks/ -- Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com pgp key: B178313E | also on Signa

Re: "Defensive" BGP hijacking?

On Sep 20, 2016, at 10:48 AM, Christopher Morrow mailto:morrowc.li...@gmail.com>> wrote: On Tue, Sep 20, 2016 at 8:05 AM, John Curran mailto:jcur...@arin.net>> wrote: ... If you want to just use your legacy address block (wth the same services that where in place at ARIN's formation), then you do

Re: "Defensive" BGP hijacking?

On Tue, Sep 20, 2016 at 8:05 AM, John Curran wrote: > On Sep 19, 2016, at 11:58 PM, Christopher Morrow > wrote: > > > > (caution! I don't really think arin is evil!) > > Nor do I… (but I will remind folks that organizations evolve based on > participation, > so ongoing diligence and involvement

Re: "Defensive" BGP hijacking?

On Sep 19, 2016, at 11:58 PM, Christopher Morrow wrote: > > (caution! I don't really think arin is evil!) Nor do I… (but I will remind folks that organizations evolve based on participation, so ongoing diligence and involvement is definitely warranted.) > On Mon, Sep 19, 2016 at 1:16 PM, J

Re: "Defensive" BGP hijacking?

(caution! I don't really think arin is evil!) On Mon, Sep 19, 2016 at 1:16 PM, John Curran wrote: > On Sep 14, 2016, at 4:59 PM, Christopher Morrow > wrote: > > > > On Wed, Sep 14, 2016 at 4:04 PM, Bryan Fields > wrote: > > > >> On 9/14/16 3:09 AM, Scott Weeks wrote: > >>> > >>> Yes, RPKI. Th

Re: "Defensive" BGP hijacking?

On Sep 14, 2016, at 4:59 PM, Christopher Morrow wrote: > > On Wed, Sep 14, 2016 at 4:04 PM, Bryan Fields wrote: > >> On 9/14/16 3:09 AM, Scott Weeks wrote: >>> >>> Yes, RPKI. That's what I was waiting for. Now we can get to >>> a real discussion >> ... >> sure as heck not going to sign a leg

Re: "Defensive" BGP hijacking?

And here's the final bit. I'd like to think that is 100% conclusive proof of what happened. The IP range hijacked by backconnect.net, 72.20.0.0/24 returns interesting results on google: https://staminus.thecthulhu.com/zine.txt ## Global allows ALLOW_MAIN="" ALLOW_MAIN="$ALLOW_MAIN $R

Re: "Defensive" BGP hijacking?

I know Bryant Townsend (ex staminus employee), Marshal Webb (aka m_nerva, lulzsec informant) and others from backconnect.net performed a similar BGP hijacking against staminus earlier this year. https://bgpstream.com/event/21051 Shortly afterwards, on 10th of march a zine is released leaking the

Re: "Defensive" BGP hijacking?

So after reading your explanation of things... Your technical protections for your client proved sufficient to handle the attack. You took OFFENSIVE action by hijacking the IP space. By your own statements, it was only in response to threats against your company. You were no longer providing DDoS

Re: "Defensive" BGP hijacking?

On Fri, Sep 16, 2016 at 12:06 PM, Mel Beckman wrote: > > Preventing government manhandling needs to be a design goal. > Can you proffer some potential solutions or directions to look? At the end of the day the ISP or DNS operator or Enterprise is subject to local law enforcement action(s), so I

Re: "Defensive" BGP hijacking?

Doug, Although RPKI is voluntary and decisions are local, those decisions are also automated. DNS is voluntary, and decisions are local as well, yet the government has been able to leverage DNS to unilaterally seize domain names without due process. Like Maxwell's Demons, it's theoretically pos

Re: "Defensive" BGP hijacking?

Ah, the global system I was referring to was the RPKI as distributed repository of routing information. With consistent properties (data formats, security models, data validation techniques, etc) across all 5 RIRs. What an ISP does with the RPKI data, interns of route filtering, is always a local

Re: "Defensive" BGP hijacking?

Mel, If you are speaking of RPKI based origin validation, I am not sure "automated / global enforcement system" is a useful description. It does provide a consistent means for address holders to declare AS's authorized to announce prefixes, and a means for remote ASs to compare received updates

Re: "Defensive" BGP hijacking?

On Wed, Sep 14, 2016 at 04:04:43PM -0400, Bryan Fields wrote: > I'm a bit ambivalent about BGP hijacking as a DDOS mitigation strategy. > Really there is no authority to say it's wrong. If your peers are cool with > it, and their peers are cool with it who's to say it's wrong? Meeting abuse with

Re: "Defensive" BGP hijacking?

Doug, I was basing my comments on your statement "If only there were a global system.." However you slice or dice it, the tyranny implications have not yet been addressed. That certainly needs to be in front of any technical idea such as RPKI. Although I haven't participated in the OT&E, noth

Re: "Defensive" BGP hijacking?

> On Sep 13, 2016, at 8:08 PM, Ca By wrote: > > On Tuesday, September 13, 2016, Doug Montgomery > wrote: > >> If only there were a global system, with consistent and verifiable security >> properties, to permit address holders to declare the set of AS's authorized >> to announce their prefixes

Re: "Defensive" BGP hijacking?

--- br...@bryanfields.net wrote: From: Bryan Fields I'm a bit ambivalent about BGP hijacking as a DDOS mitigation strategy. Really there is no authority to say it's wrong. If your peers are cool with it, and their peers are cool with it who's to say it's wrong?

Re: "Defensive" BGP hijacking?

--- jfmezei_na...@vaxination.ca wrote: From: Jean-Francois Mezei I got to think about this (dangerous thing :-( Ideally, law enforcement should have the smarts and tools to get involved in DDoS and other similar situations and have the power to compell upstream provider(s) to shut service t

Re: "Defensive" BGP hijacking?

On Wed, Sep 14, 2016 at 4:04 PM, Bryan Fields wrote: > On 9/14/16 3:09 AM, Scott Weeks wrote: > > > > Yes, RPKI. That's what I was waiting for. Now we can get to > > a real discussion > > Problem is, RPKI does not work for people with legacy blocks who will not > sign > a Legacy RSA. ARIN does

Re: "Defensive" BGP hijacking?

On 9/14/16 3:09 AM, Scott Weeks wrote: > > Yes, RPKI. That's what I was waiting for. Now we can get to > a real discussion Problem is, RPKI does not work for people with legacy blocks who will not sign a Legacy RSA. ARIN doesn't own or have any say on how we use it, and we're sure as heck not

Re: "Defensive" BGP hijacking?

I got to think about this (dangerous thing :-( Ideally, law enforcement should have the smarts and tools to get involved in DDoS and other similar situations and have the power to compell upstream provider(s) to shut service to a suspect. The current situation appears to be more of a wild-west si

Re: "Defensive" BGP hijacking?

Scott and Doug, The problem with a new automated enforcement system is that it hobbles both agility and innovation. ISPs have enjoyed simple BGP management, entirely self-regulated, for decades. A global enforcement system, besides being dang hard to do correctly, brings the specter of governme

Re: "Defensive" BGP hijacking?

--- dougm.w...@gmail.com wrote: From: Doug Montgomery If only there were a global system, with consistent and verifiable security properties, to permit address holders to declare the set of AS's authorized to announce their prefixes, and routers anywhere on the Internet to independently verify

Re: "Defensive" BGP hijacking?

On 13/09/2016 23:22, Blake Hudson wrote: > Ca By wrote on 9/13/2016 2:53 PM: >> On Tuesday, September 13, 2016, Bryant Townsend >> wrote: >> >> Tip to the RIR policy folks, you may want to make this point very >> crisp. A >> BGP ASN is the fundamental accountability control in a inter-domain >> ro

Re: "Defensive" BGP hijacking?

On Tuesday, September 13, 2016, Doug Montgomery wrote: > If only there were a global system, with consistent and verifiable security > properties, to permit address holders to declare the set of AS's authorized > to announce their prefixes, and routers anywhere on the Internet to > independently

Re: "Defensive" BGP hijacking?

If only there were a global system, with consistent and verifiable security properties, to permit address holders to declare the set of AS's authorized to announce their prefixes, and routers anywhere on the Internet to independently verify the corresponding validity of received announcements. *co

Re: "Defensive" BGP hijacking?

@Blake - I think you misinterpreted my remarks of how this experience will shape the future company policy. I meant to portray that the company will not use these tactics again and that any future threats will be handled differently.

Re: "Defensive" BGP hijacking?

--- h...@slabnet.com wrote: On Tue 2016-Sep-13 13:32:56 -0700, Scott Weeks wrote: >--- bry...@backconnect.com wrote: >From: Bryant Townsend >@ca & Matt - No, we do not plan to ever intentionally perform a >non-authorized BGP hijack in the future. >

Re: "Defensive" BGP hijacking?

On Tue 2016-Sep-13 13:32:56 -0700, Scott Weeks wrote: --- bry...@backconnect.com wrote: From: Bryant Townsend @ca & Matt - No, we do not plan to ever intentionally perform a non-authorized BGP hijack in the future. Bryant, Who was the upstrea

Re: "Defensive" BGP hijacking?

--- bry...@backconnect.com wrote: From: Bryant Townsend @ca & Matt - No, we do not plan to ever intentionally perform a non-authorized BGP hijack in the future. Bryant, Who was the upstream provider? scott

Re: "Defensive" BGP hijacking?

Ca By wrote on 9/13/2016 2:53 PM: On Tuesday, September 13, 2016, Bryant Townsend wrote: @ca & Matt - No, we do not plan to ever intentionally perform a non-authorized BGP hijack in the future. Great answer. Thanks. Committing to pursuing a policy of weaponizing BGP would have triggered a s

Re: "Defensive" BGP hijacking?

On Tuesday, September 13, 2016, Bryant Townsend wrote: > @ca & Matt - No, we do not plan to ever intentionally perform a > non-authorized BGP hijack in the future. > > Great answer. Thanks. Committing to pursuing a policy of weaponizing BGP would have triggered a serious "terms of service" viol

Re: "Defensive" BGP hijacking?

@ca & Matt - No, we do not plan to ever intentionally perform a non-authorized BGP hijack in the future. @Steve - Correct, the attack had already been mitigated. The decision to hijack the attackers IP space was to deal with their threats, which if carried through could have potentially lead to ph

Re: "Defensive" BGP hijacking?

On Tue, Sep 13, 2016 at 10:25 AM Bryant Townsend wrote: > I also wanted to let Hugo (who started the thread) know > that we harbor no hard feelings about bringing this topic up, as it is > relevant to the community and does warrant discussion. Hugo, you may owe me > a beer the next time we meet.

Re: "Defensive" BGP hijacking?

Blake, I concur that these are key questions. Probably _the_ key questions. The fabric of the Internet is today based on trust, and BGP's integrity is the core of that trust. I realize that BGP hijacking is not uncommon. However, this is the first time I've seen in it used defensively. I don'

Re: "Defensive" BGP hijacking?

> On Sep 13, 2016, at 12:22 AM, Bryant Townsend wrote: > > *Events that caused us to perform the BGP hijack*: After the DDoS attacks > subsided, the attackers started to harass us by calling in using spoofed > phone numbers. Curious to what this was all about, we fielded various calls > which al

Re: "Defensive" BGP hijacking?

Bryant Townsend wrote on 9/13/2016 2:22 AM: This was the point where I decided I needed to go on the offensive to protect myself, my partner, visiting family, and my employees. The actions proved to be extremely effective, as all forms of harassment and threats from the attackers immediately st

Re: "Defensive" BGP hijacking?

t> Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com<http://www.arbornetworks.com/> From: NANOG on behalf of Bryant Townsend Sent: Tuesday, September 13, 2016 3:22:43 AM To: nanog@nanog.org Subject: Re: "Defensive&

Re: "Defensive" BGP hijacking?

+1 to this question. Bryant, thanks for giving us your side of this story. Matt Freitag Network Engineer I Information Technology Michigan Technological University (906) 487-3696 <%28906%29%20487-3696> https://www.mtu.edu/ https://www.it.mtu.edu/ On Tue, Sep 13, 2016 at 12:22 PM, Ca By wrote:

Re: "Defensive" BGP hijacking?

On Tuesday, September 13, 2016, Bryant Townsend wrote: > Hello Everyone, > > > I would like to give as much insight as I can in regards to the BGP hijack > being discussed in this thread. I won’t be going into specific details of > the attack, but we do plan to release more information on our web

Re: "Defensive" BGP hijacking?

Hello Everyone, I would like to give as much insight as I can in regards to the BGP hijack being discussed in this thread. I won’t be going into specific details of the attack, but we do plan to release more information on our website when we are able to. I also wanted to let Hugo (who started th

Re: "Defensive" BGP hijacking?

Redirecting someone's traffic, with out there permission or a court order, by a court in your jurisdiction, not a lot different then the "bad guys" themselves. On Sun, Sep 11, 2016 at 5:54 PM, Hugo Slabbert wrote: > Hopefully this is operational enough, though obviously leaning more > towards

Re: "Defensive" BGP hijacking?

--- m...@beckman.org wrote: From: Mel Beckman This looks to me like ISP community governance in the best sense. I look forward to thoughtful discussion. Yes, 100% agree! scott

Re: "Defensive" BGP hijacking?

Bryant from BackConnect (bry...@backconnect.com) has replied to me directly. He is a Nanog repeat attendee, but hasn't been subscribed to this list. Bryant says he is subscribing now and will post some clarifying comments shortly. I would share the content of his e

Re: "Defensive" BGP hijacking?

Well don't forget, normal attacks launched from vDOS were around 8 - 16gbps. On the Krebs article, he mentions "the company received an email directly from vDOS claiming credit for the attack" Now, if this holds true, it's likely that the operator of vDOS (Apple J4ck was his moniker) was directin

Re: "Defensive" BGP hijacking?

On 2016-09-12 14:15, valdis.kletni...@vt.edu wrote: > I don't see "hijacking" in your description of the iStop case - it appears > to have been fully coordinated and with permission. While I am not sure about fully coordinated and with permission, it is an example where it was a desirable outcom

Re: "Defensive" BGP hijacking?

On 2016-09-12 14:14, Hugo Slabbert wrote: > Was this all done at iStop's request and with their full support? When iStop's router stopped making BGP announcements to the world (because its last transit link was cut), and ISP3 highjacked the IP blocks and made BGP announcements pointing to ISP2, I

Re: "Defensive" BGP hijacking?

John, I appreciate you making this statement, and I appreciate ARIN’s attitude that this is a community issue. ISPs have done an amazing job of self-regulation, while still preserving their ability to innovate and be agile in the marketplace. BGP is a perfect example of that kind of self-polici

Re: "Defensive" BGP hijacking?

On Mon, 12 Sep 2016 14:07:47 -0400, Jean-Francois Mezei said: > So there are some cases where BGP hijacking may be desirable. I guess > this is where judgement kicks in. I don't see "hijacking" in your description of the iStop case - it appears to have been fully coordinated and with permission.

Re: "Defensive" BGP hijacking?

On Mon 2016-Sep-12 14:07:47 -0400, Jean-Francois Mezei wrote: On 2016-09-11 16:54, Hugo Slabbert wrote: Hopefully this is operational enough, though obviously leaning more towards the policy side of things: What does nanog think about a DDoS scrubber hijacking a network "for defensive pur

Re: "Defensive" BGP hijacking?

> On Sep 12, 2016, at 1:59 PM, Florian Weimer wrote: > > * Mel Beckman: > >> If we can't police ourselves, someone we don't like will do it for us. > > That hasn't happened with with IP spoofing, has it? As far as I > understand it, it is still a major contributing factor in > denial-of-serv

Re: "Defensive" BGP hijacking?

On 2016-09-11 16:54, Hugo Slabbert wrote: > Hopefully this is operational enough, though obviously leaning more towards > the policy side of things: > > What does nanog think about a DDoS scrubber hijacking a network "for > defensive purposes"? Different spin but still "highjacking": Many moo

Re: "Defensive" BGP hijacking?

* Mel Beckman: > If we can't police ourselves, someone we don't like will do it for us. That hasn't happened with with IP spoofing, has it? As far as I understand it, it is still a major contributing factor in denial-of-service attacks. Self-regulation has been mostly unsuccessful, and yet not

Re: "Defensive" BGP hijacking?

This behavior is never defensible nor acceptable. In addition to being in the wrong with BGP hijacking a prefix, it appears that Mr. Townsend had the wrong target, too. We've been attacked a few dozen times by this botnet, and they could never muster anything near 200 gbps worth of traffic. They w

Re: "Defensive" BGP hijacking?

On Sep 12, 2016, at 12:08 PM, Scott Weeks mailto:sur...@mauigateway.com>> wrote: Are the RIRs the internet police? Thank you Scott for posing that question… :-) As others have noted, ARIN does indeed revoke resources, but to be clear, this is generally due to fraudulent activities _related_ to

Re: "Defensive" BGP hijacking?

Scott Weeks wrote on 9/12/2016 11:31 AM: I am somewhat in agreement with Mel: "This thoughtless action requires a response from the community, and an apology from BackConnect. If we can't police ourselves, someone we don't like will do it for us. " But the first part seems to verge on vigil

Re: "Defensive" BGP hijacking?

On Mon 2016-Sep-12 09:31:41 -0700, Scott Weeks wrote: Full disclosure: I had a working relationship with Bryant when he was still at Staminus. Bryant (if you're on list): I mean no harm by this and never had any trouble working with you. I just believe this is a conversation that needs to

Re: "Defensive" BGP hijacking?

--- bl...@ispn.net wrote: From: Blake Hudson Scott Weeks wrote on 9/12/2016 11:08 AM: > From: NANOG on behalf > of Blake Hudson > My suggestion is that BackConnect/Bryant Townsend should have their ASN > revoked for fraudulently announcing another organization's address > space. They are not l

Re: "Defensive" BGP hijacking?

Scott Weeks wrote on 9/12/2016 11:08 AM: From: NANOG on behalf of Blake Hudson My suggestion is that BackConnect/Bryant Townsend should have their ASN revoked for fraudulently announcing another organization's address space. They are not law enforcement, they did not have a warrant or judi

Re: "Defensive" BGP hijacking?

__ > From: NANOG on behalf of Blake Hudson > > Sent: Monday, September 12, 2016 11:24:03 AM > To: nanog@nanog.org > Subject: Re: "Defensive" BGP hijacking? > > > Hugo Slabbert wrote on 9/11/2016 3:54 PM: >> Hopefully this is operational enough, t

Re: "Defensive" BGP hijacking?

From: NANOG on behalf of Blake Hudson My suggestion is that BackConnect/Bryant Townsend should have their ASN revoked for fraudulently announcing another organization's address space. They are not law enforcement, they did not have a warrant or judicial oversight, they were not in immediate

Re: "Defensive" BGP hijacking?

4:03 AM To: nanog@nanog.org Subject: Re: "Defensive" BGP hijacking? Hugo Slabbert wrote on 9/11/2016 3:54 PM: > Hopefully this is operational enough, though obviously leaning more towards > the policy side of things: > > What does nanog think about a DDoS scrubber hijackin

Re: "Defensive" BGP hijacking?

Hugo Slabbert wrote on 9/11/2016 3:54 PM: Hopefully this is operational enough, though obviously leaning more towards the policy side of things: What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"? http://krebsonsecurity.com/2016/09/alleged-vdos-proprieto

Re: "Defensive" BGP hijacking?

On Sunday, September 11, 2016, Hugo Slabbert wrote: > Hopefully this is operational enough, though obviously leaning more > towards the policy side of things: > > What does nanog think about a DDoS scrubber hijacking a network "for > defensive purposes"? Not ok. Never. > > http://krebsonsecu

Re: "Defensive" BGP hijacking?

"Defensive" BGP hijacking?

Hopefully this is operational enough, though obviously leaning more towards the policy side of things: What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"? http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/ "For about six hours,