On Wed, Sep 14, 2016 at 04:04:43PM -0400, Bryan Fields wrote:
I'm a bit ambivalent about BGP hijacking as a DDOS mitigation strategy. Really there is no authority to say it's wrong. If your peers are cool with it, and their peers are cool with it who's to say it's wrong?
Meeting abuse with abuse never works out. It's tempting (and even trendy these days in portions of the security world which advocate striking back at putative attackers, never mind that attack attribution is almost entirely an unsolved problem in computing). It's emotionally satisfying. It's sometimes momentarily effective. But all it really does is open up still more attack vectors and accelerate the spiral to the bottom.

Object lesson: Verizon's deployment of SAV as an alleged anti-spam measure ~15 years ago. It didn't take long for attackers to figure out how to leverage it to their advantage, which of course they did.

So don't do it. It may take 5 minutes or 5 years, but it will eventually become apparent that it's a really bad idea. And when it does, you won't be able to get those 5 minutes or 5 years back, nor will you be able to undo the damage.

---rsk