I thought I'd toss in a few comments, considering it's my fault that few people are understanding this thing yet.
On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <ge@linuxbox.org> wrote:
> People (especially spammers) have been hijacking networks for a while
I'd like to 'clear the air' here. Clearly, I failed at Defcon, WIRED, AFP, and Forbes.
We all know sub-prefix hijacking is not news. What is news? Using as-path loop detection to selectively blackhole the hijacked route - which creates a transport path _back to_ the target.
That's all it is, nothing more. All but the WIRED follow-up article missed this point *completely.* They over-represented the 'hijacking' aspects, while only making mention of the 'interception' potential.
Let's end this thread with the point I had intended two weeks ago: we've presented a method by which all the theory spewed by academics can be actualized in a real network (the big-I internet) to effect interception of data between (nearly) arbitrary endpoints from (nearly) any edge or stub AS. That, I think, is interesting.

On Thu, 28 Aug 2008, Anton Kapela wrote:

Yep. While it was common knowledge that it is "easy" to jack space, it was really considered in terms of a "denial of service" attack. It was known that you could do traffic monitoring via manipulation of BGP communities and reinjecting traffic "closer" to the target via tunnels - however, that technique is not generic. We've demonstrated the ability to monitor traffic to arbitrary prefixes. Slides for the presentation can be found here: http://eng.5ninesdata.com/~tkapela/iphd-2.ppt

I'd also like to draw attention to the fact that it didn't draw much attention when Tony posted immediately after the conference to the nanog-list, which has an extensive reading list - and I highly recommend that before further posting on this, you read through it. http://www.gossamer-threads.com/lists/nanog/users/107423

Added attention to the issue after our public demonstration is good news - more attention to the problem is likely to get people to use best practices in filtering.

I'd also like to point out that while the presentation went over a lot of people's heads at defcon, it appears that, unexpectedly, it went over people's heads here as well.

To clear up some misunderstandings:

*) Yes, this is a real problem.
*) Yes, it has been known for years.
*) There is no currently deployable solution to this problem yet.
*) Filtering your customers using IRR is a requirement; however, it is not a solution - in fact, in the demonstration, we registered the /24 prefix we hijacked in IRR. RIRs need to integrate the allocation data with their IRR data.

-alex [your former moderator]
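The point both messages above are making (a more-specific hijack whose AS_PATH carries the ASNs of the ASes on the attacker's own path back to the victim, so that loop detection makes exactly those ASes drop the hijack and keep forwarding to the real origin) is easier to see in a small routing simulation than in prose. The following is an added example written for this page; it is not code from the talk, the slides or either poster. The topology, ASNs, prefixes, the shortest-AS-path policy and the "interceptor ignores its own more-specific when forwarding" rule are all constructed assumptions, not a model of the demonstration network. It compares three cases: no hijack, a naive sub-prefix hijack (traffic is blackholed at the attacker), and the padded-AS_PATH hijack (traffic is captured and still delivered).

```python
"""Constructed simulation of a sub-prefix hijack with the return path preserved
via AS-path loop detection. Model assumptions (not from the original thread):
undirected AS adjacencies, best path = shortest AS path with lowest next-hop
ASN as tie-break, no local-pref or valley-free policy.
"""
import ipaddress

# Constructed topology: {asn: [neighbor asns]}
TOPOLOGY = {
    1:  [10, 20],          # attacker, multihomed to AS 10 and AS 20
    10: [1, 30, 40],
    20: [1, 30],
    30: [10, 20, 40, 50],
    40: [10, 30, 60],
    50: [30, 60],          # remote "observer" AS whose traffic we want to see
    60: [40, 50, 70],
    70: [60],              # victim
}
ATTACKER, VICTIM, OBSERVER = 1, 70, 50
VICTIM_PREFIX = ipaddress.ip_network("10.10.0.0/16")   # originated by AS 70 (assumed)
HIJACK_PREFIX = ipaddress.ip_network("10.10.1.0/24")   # more-specific originated by AS 1
# ASes the attacker's own traffic traverses toward the victim (1 -> 10 -> 40 -> 60 -> 70).
# Putting these ASNs in the hijack's AS_PATH is what keeps that path free of the /24.
RETURN_PATH_ASES = (10, 40, 60)


def converge(topology, origins, prepends):
    """Flood routes until nothing changes.
    origins:  {asn: [prefix, ...]} locally originated prefixes
    prepends: {asn: {prefix: (asn, ...)}} ASNs the originator pads after its own ASN
    Returns rib[asn][prefix] = AS path tuple, next hop first; () means local origin."""
    rib = {asn: {} for asn in topology}
    for asn, prefixes in origins.items():
        for prefix in prefixes:
            rib[asn][prefix] = ()
    changed = True
    while changed:
        changed = False
        for asn in sorted(topology):
            for nbr in sorted(topology[asn]):
                for prefix, path in list(rib[nbr].items()):
                    # what nbr advertises: its own ASN, any artificial padding, then its path
                    advertised = (nbr,) + prepends.get(nbr, {}).get(prefix, ()) + path
                    if asn in advertised:          # AS-path loop detection: reject
                        continue
                    best = rib[asn].get(prefix)
                    if best is None or (len(advertised), advertised) < (len(best), best):
                        rib[asn][prefix] = advertised
                        changed = True
    return rib


def trace(rib, src, dst, capture_at=None, max_hops=16):
    """Forward one packet hop by hop using longest-prefix match.
    The AS in capture_at (the interceptor) is assumed to ignore its own locally
    originated more-specific and forward on the real route it holds to the target.
    Returns (hops, captured, status) with status in {"delivered", "loop", "no route"}."""
    ip = ipaddress.ip_address(dst)
    hops, captured, cur = [src], False, src
    while len(hops) <= max_hops:
        candidates = [(p, path) for p, path in rib[cur].items() if ip in p]
        if cur == capture_at:
            captured = True
            candidates = [(p, path) for p, path in candidates if path != ()]
        if not candidates:
            return hops, captured, "no route"
        prefix, path = max(candidates, key=lambda c: c[0].prefixlen)
        if path == ():                             # reached the originating AS
            return hops, captured, "delivered"
        cur = path[0]
        hops.append(cur)
    return hops, captured, "loop"


def ases_carrying(rib, prefix):
    """Sorted list of ASes that accepted a route for prefix."""
    return sorted(asn for asn in rib if prefix in rib[asn])


def run_scenario(mode):
    """mode: "none" (no hijack), "naive" (plain /24 hijack), "padded" (AS_PATH carries RETURN_PATH_ASES)."""
    origins = {VICTIM: [VICTIM_PREFIX]}
    prepends = {}
    if mode in ("naive", "padded"):
        origins[ATTACKER] = [HIJACK_PREFIX]
    if mode == "padded":
        prepends[ATTACKER] = {HIJACK_PREFIX: RETURN_PATH_ASES}
    return converge(TOPOLOGY, origins, prepends)


if __name__ == "__main__":
    for mode in ("none", "naive", "padded"):
        rib = run_scenario(mode)
        print(f"{mode:>6}: ASes holding the /24 = {ases_carrying(rib, HIJACK_PREFIX)}")
        print("        packet from AS 50 to 10.10.1.5 ->", trace(rib, OBSERVER, "10.10.1.5", capture_at=ATTACKER))
```

In the naive case every AS, including the attacker's transport upstream AS 10, prefers the /24, so once the attacker tries to forward a captured packet on its /16 route it bounces between AS 1 and AS 10: the hijack is a blackhole, which is the "denial of service" reading Alex mentions. In the padded case ASes 10, 40 and 60 see their own ASN in the AS_PATH and drop the /24, so they keep their /16 route to AS 70, while everyone else (20, 30, 50) still sends the /24 to the attacker. The observer's packet takes 50, 30, 20, 1 to the attacker and then 10, 40, 60, 70 to the victim, which is the transport path "back to the target" Tony describes. Note that IRR-based prefix filtering at AS 20 would not stop this if the /24 is registered in the IRR, which is Alex's last point.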