Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread isabel dias
this is getting too complex ...:-) --- On Sat, 8/30/08, Patrick W. Gilmore <[EMAIL PROTECTED]> wrote: > From: Patrick W. Gilmore <[EMAIL PROTECTED]> > Subject: Re: Revealed: The Internet's well known BGP behavior > To: "nanog@nanog.org" > Date: Saturday, Au

Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread jim deleskie
The biggest issue with using a heavy hammer to affect traffic is that you don't always know why the other side is routing the way they are. Could be simple cost (peer vs transit) or a larger issue like congestion. Either way think before you route. I'm thinking Pandora's box hasn't just been open

Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread jim deleskie
True but I can still believe in a warm and fuzzy internet if I try really hard Then my cell phone rings and back to the real world. -jim On Sat, Aug 30, 2008 at 12:01 AM, Patrick W. Gilmore <[EMAIL PROTECTED]> wrote: > On Aug 29, 2008, at 22:41, "jim deleskie" <[EMAIL PROTECTED]> wrote: > >>

Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread Joe Greco
> On 30/08/2008, at 9:58 AM, Florian Weimer wrote: > > > * Alex Pilosov: > > > >> We've demonstrated ability to monitor traffic to arbitrary > >> prefixes. Slides for presentation can be found here: > >> http://eng.5ninesdata.com/~tkapela/iphd-2.ppt > > > > The interesting question is whether it's

Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread Florian Weimer
* jim deleskie: > Announcing a smaller bit of one of your blocks is fine, more than that > most everyone I know does it or has done and is commonly accepted. > Breaking up someone else's block and making that announcement even if > it's to modify traffic between 2 peered networks is typically not >

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Nathan Ward
On 30/08/2008, at 9:58 AM, Florian Weimer wrote: * Alex Pilosov: We've demonstrated ability to monitor traffic to arbitrary prefixes. Slides for presentation can be found here: http://eng.5ninesdata.com/~tkapela/iphd-2.ppt The interesting question is whether it's acceptable to use this trick

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Patrick W. Gilmore
On Aug 29, 2008, at 22:41, "jim deleskie" <[EMAIL PROTECTED]> wrote: I'm afraid of the answer to that question No you are not, since you already know the answer. -- TTFN, patrick On Fri, Aug 29, 2008 at 11:25 PM, Adrian Chadd <[EMAIL PROTECTED]> wrote: On Fri, Aug 29, 2008, jim delesk

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread jim deleskie
I'm afraid of the answer to that question On Fri, Aug 29, 2008 at 11:25 PM, Adrian Chadd <[EMAIL PROTECTED]> wrote: > On Fri, Aug 29, 2008, jim deleskie wrote: >> Announcing a smaller bit of one of your blocks is fine, more than that >> most everyone I know does it or has done and is commonly accept

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Adrian Chadd
On Fri, Aug 29, 2008, jim deleskie wrote: > Announcing a smaller bit of one of your blocks is fine, more than that > most everyone I know does it or has done and is commonly accepted. > Breaking up someone else's block and making that announcement even if > it's to modify traffic between 2 peered net

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread jim deleskie
Announcing a smaller bit of one of your blocks is fine, more than that most everyone I know does it or has done and is commonly accepted. Breaking up someone else's block and making that announcement even if it's to modify traffic between 2 peered networks is typically not looked as proper. Modify y

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Florian Weimer
* Alex Pilosov: > We've demonstrated ability to monitor traffic to arbitrary > prefixes. Slides for presentation can be found here: > http://eng.5ninesdata.com/~tkapela/iphd-2.ppt The interesting question is whether it's acceptable to use this trick for non-malicious day-to-day traffic engineerin

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Sam Stickland
Jon Lewis wrote: Do you utilize the IRR, have an as-set, and put all customer AS/CIDR's into the IRR? I've honestly never heard from LVL3 about our advertisements. Other providers have varied from just needing a web form, email, phone call, or those combined with faxed LOAs. The latter gets

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Danny McPherson
On Aug 28, 2008, at 3:47 PM, Deepak Jain wrote: We can go into lots of reasons why the Internet runs this way. I think we can all agree 1) It's amazing it runs as well as it does, and 2) No one has clearly articulated a financial reason for any large organizations to significantly change t

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Deepak Jain
*) Filtering your customers using IRR is a requirement, however, it is not a solution - in fact, in the demonstration, we registered the /24 prefix we hijacked in IRR. RIRs need to integrate the allocation data with their IRR data. further clarification... [if this is obvious, just skip over

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Randy Bush
Steven M. Bellovin wrote: > On Thu, 28 Aug 2008 10:16:16 -0500 > "Anton Kapela" <[EMAIL PROTECTED]> wrote: > >> I thought I'd toss in a few comments, considering it's my fault that >> few people are understanding this thing yet. >> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <[EMAIL PROTECTED

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Alex Pilosov
On Thu, 28 Aug 2008, Anton Kapela wrote: > I thought I'd toss in a few comments, considering it's my fault that > few people are understanding this thing yet. > > >> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <[EMAIL PROTECTED]> wrote: > >>> > >>> People (especially spammers) have been hijacking

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Gadi Evron
Thank you for making your presentation. Gadi. On Thu, 28 Aug 2008, Anton Kapela wrote: I thought I'd toss in a few comments, considering it's my fault that few people are understanding this thing yet. On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <[EMAIL PROTECTED]> wrote: People (e

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Joe Greco
> To quote Bruce Schneier quoting an NSA maxim, attacks only get better; > they never get worse. We now have running code of one way to do this. > I think most NANOG readers can see many more ways to do it. A real > solution will take years to deploy, but it will never happen if we > don't start.

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Jon Lewis
l Message- From: Eric Spaeth [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2008 1:41 AM To: Jon Lewis; [EMAIL PROTECTED] Subject: Re: Revealed: The Internet's well known BGP behavior Jon Lewis wrote: At 11:32 PM 27-08-08 -0500, John Lee wrote: They didn't have control of any

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Steven M. Bellovin
On Thu, 28 Aug 2008 10:16:16 -0500 "Anton Kapela" <[EMAIL PROTECTED]> wrote: > I thought I'd toss in a few comments, considering it's my fault that > few people are understanding this thing yet. > > >> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <[EMAIL PROTECTED]> > >> wrote: > >>> > >>> People

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Bogdanov, Oleg (IT)
First, thank you all for the usually intelligent/enlightening discussion. My first post to this list and apologies in advance if discussion of end point (customer) networks is off-topic: I haven't seen the presentation that some of you have referred to. If someone can provide a link that would b

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Boyd, Benjamin R
8, 2008 1:41 AM >To: Jon Lewis; [EMAIL PROTECTED] >Subject: Re: Revealed: The Internet's well known BGP behavior > >Jon Lewis wrote: >>> At 11:32 PM 27-08-08 -0500, John Lee wrote: >>> >>> They didn't have control of any routers other than their own.

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Anton Kapela
I thought I'd toss in a few comments, considering it's my fault that few people are understanding this thing yet. >> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <[EMAIL PROTECTED]> wrote: >>> >>> People (especially spammers) have been hijacking networks for a while I'd like to 'clear the air' her

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Patrick W. Gilmore
On Aug 28, 2008, at 6:25 AM, Suresh Ramasubramanian wrote: Most of the spammer acquired /16s have been 1. pre arin 2. caused by buying up assets of long defunct companies .. assets that just happen to include a /16 nobody knew about Not exactly hijacks this lot .. just like those "barely lega

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread michael.dillon
> I stand by my assertion that most people do not run > traceroutes all day and watch for it to change. > > That some people are diligent does not change the fact the > overwhelming majority of people are not. > > Or the fact that with the right placement of equipment (read > "luck") and coo

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread michael.dillon
> Lastly, can you show me a single inter-AS MPLS deployment? When you > can, then you can use that as a method to avoid this h4x0r. Just some quick googling found this from back in 2006. "Sprint has expanded its global MPLS network capabi

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Suresh Ramasubramanian
Most of the spammer acquired /16s have been 1. pre arin 2. caused by buying up assets of long defunct companies .. assets that just happen to include a /16 nobody knew about Not exactly hijacks this lot .. just like those "barely legal" teen mags. srs On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evro

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Gadi Evron
On Wed, 27 Aug 2008, Patrick W. Gilmore wrote: On Aug 27, 2008, at 11:07 PM, John Lee wrote: 1. The technique is not new it is well known BGP behavior and not stealthy to people who route for a living. Using existing technology in novel ways is still novel. Plus it makes the technique more

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Eric Spaeth
Jon Lewis wrote: At 11:32 PM 27-08-08 -0500, John Lee wrote: They didn't have control of any routers other than their own. What they had to find is a single clueless upstream ISP that would allow them to announce prefixes that didn't belong to them. Clueless or big and inattentive? AFAIK,

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Colin Alston
On 2008/08/28 06:45 AM Hank Nussbacher wrote: They didn't have control of any routers other than their own. What they had to find is a single clueless upstream ISP that would allow them to announce prefixes that didn't belong to them. Leaving aside the ability to blackhole prefixes that don't

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Paul Ferguson
-- Hank Nussbacher <[EMAIL PROTECTED]> wrote: >At 11:32 PM 27-08-08 -0500, John Lee wrote: >>Thanks guys, going back to my Comer one more time. My issue, question was >> whether the organization doing the hijacking controlled all of the >>routers i

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick W. Gilmore
On Aug 28, 2008, at 1:40 AM, Jim Popovitch wrote: On Thu, Aug 28, 2008 at 1:22 AM, Patrick W. Gilmore <[EMAIL PROTECTED]> wrote: Assuming it is in the "wrong" place, you may be able to detect the intrusion. But most people do not run traceroutes all day and watch for it to change. If you ru

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Jim Popovitch
On Thu, Aug 28, 2008 at 1:22 AM, Patrick W. Gilmore <[EMAIL PROTECTED]> wrote: > Assuming it is in the "wrong" place, you may be able to detect the > intrusion. But most people do not run traceroutes all day and watch for it > to change. If you run the traceroute after the attack starts, well, ho

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick W. Gilmore
On Aug 28, 2008, at 12:32 AM, John Lee wrote: Thanks guys, going back to my Comer one more time. My issue, question was whether the organization doing the hijacking controlled all of the routers in the new modified path or only some of them? That is correct. However, once a packet hits the

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Jon Lewis
On Thu, 28 Aug 2008, Hank Nussbacher wrote: At 11:32 PM 27-08-08 -0500, John Lee wrote: Thanks guys, going back to my Comer one more time. My issue, question was whether the organization doing the hijacking controlled all of the routers in the new modified path or only some of them? John (IS

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Hank Nussbacher
At 11:32 PM 27-08-08 -0500, John Lee wrote: Thanks guys, going back to my Comer one more time. My issue, question was whether the organization doing the hijacking controlled all of the routers in the new modified path or only some of them? John (ISDN) Lee They didn't have control of any rout

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread John Lee
] Sent: Thursday, August 28, 2008 12:10 AM To: NANOG list Subject: Re: Revealed: The Internet's well known BGP behavior On Aug 27, 2008, at 11:47 PM, John Lee wrote: > The traceroute utility that I used gave me a list of hops that the > packet I was interested in transited and a t

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick Giagnocavo
John Lee wrote: > Adrian, > > The traceroute utility that I used gave me a list of hops that the > packet I was interested in transited and a time when it transited the > hop. When the TTL was reached it would terminate the listing. > But if I can control your traffic I could change everything,

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick W. Gilmore
On Aug 27, 2008, at 11:47 PM, John Lee wrote: The traceroute utility that I used gave me a list of hops that the packet I was interested in transited and a time when it transited the hop. When the TTL was reached it would terminate the listing. You are very confused how traceroute works. B

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread John Lee
: Patrick W. Gilmore; NANOG list Subject: Re: Revealed: The Internet's well known BGP behavior On Wed, Aug 27, 2008, John Lee wrote: > Patrick, > > VPN's and MPLS control intermediate hops and IPsec and SSL do not allow the > info to be seen. > > Rewriting the TTL only h

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Adrian Chadd
On Wed, Aug 27, 2008, John Lee wrote: > Patrick, > > VPN's and MPLS control intermediate hops and IPsec and SSL do not allow the > info to be seen. > > Rewriting the TTL only hides the number of hop count, trace route will still > show the hops the packet has transited. No, traceroute shows th

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread John Lee
ick W. Gilmore [EMAIL PROTECTED] Sent: Wednesday, August 27, 2008 11:18 PM To: NANOG list Subject: Re: Revealed: The Internet's well known BGP behavior On Aug 27, 2008, at 11:07 PM, John Lee wrote: > 1. The technique is not new it is well known BGP behavior and not > stealthy to people

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Christian Koch
what do mpls, ipsec tunnels, ssl have anything to do with someone announcing your address space and hijacking your prefixes?? i think we all know this is not new.. and these guys didn't claim it to be.. they're not presenting this to a 'xNOG' crowd, defcon has a different type of audience..I'm not

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick W. Gilmore
On Aug 27, 2008, at 11:07 PM, John Lee wrote: 1. The technique is not new it is well known BGP behavior and not stealthy to people who route for a living. Using existing technology in novel ways is still novel. Plus it makes the technique more accessible. (Perhaps that is not a good thing

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread John Lee
1. The technique is not new it is well known BGP behavior and not stealthy to people who route for a living. 2. When your networks use VPNs, MPLS, IPsec, SSL et al you can control what packets are going where. 3. When you are running some number of trace routes per hour to see how and where yo