On Mon, Jun 5, 2017 at 6:56 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
> So, I guess then, if you're clever, you look and see who the ASN you've just successfully hijacked has historically peered with, and then you somehow arrange to send route announcements to those guys, right? (I'm talking about AS206776 and AS57344 here, BTW.)
> But see, this is where I get lost. I mean how do you push your route announcements to these guys?
Hi Ron, You actually got lost a couple steps back. First, you want to control the POC emails for the IP addresses. Controlling just the POC emails for the AS number won't do you any good. Let's say you have gained control of the POC emails for the IP address block. Stay completely away from the historical BGP peers. They might know the real registrant and get suspicious when you show up. Go to somebody else, dummy up some letterhead for the purported registrant and write yourself a letter authorizing the ISP to whom the letter is presented to route those IP addresses. Explain that you're a networking contractor working for the organization holding the registration and give them adequate contact information for yourself: postal address, email, phone. Not "1234 Main, box 30" but "1234 Main, Suite 30". Paid for with the cash-bought debit card. You get the idea. Then you pay the ISP to connect you to the Internet and present your letter. Until the inevitable complaints roll in, that's it: you have control of those IP addresses.
> (I don't actually know that much about how BGP actually works in practice, so please bear with me.) How do you know what IP address to send your announcements to?
You don't. Even if the session wasn't disabled when the customer stopped paying, you're not physically connected to the same network interface where it was configured. This reasoning path is a dead end.

> I've read article after article after article bemoaning the fact that
> "BGP isn't secure",

They're talking about a different problem: ISPs are supposed to configure end-user BGP sessions per BCP38 which limits which BGP announcements the customer can make. Some ISPs are sloppy and incompetent and don't do this. Unfortunately, once you're a level or two upstream the backbone ISP actually can't do much to limit the BGP announcements because it's often impractical to determine whether a block of IP addresses can legitimately be announced from a given peer.

Regards,
Bill Herrin

-- 
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
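The per-customer filtering Bill describes in his last reply, modelled as an added example (not code from anyone in this thread): an ISP that terminates a customer BGP session knows exactly which prefixes that customer has documented authority for, so it can reject anything outside that set, anything too long to be worth carrying, and anything the customer did not originate itself. The prefix set, ASNs and UPDATEs below are constructed sample data; `check_announcement` and `filter_updates` are hypothetical names. The same check is what becomes impractical a hop or two upstream, where the transit provider has no paperwork tying a block to the peer that announces it.

```python
"""Illustrative customer-session prefix filter (added example, not the list
author's code). Models the ingress check an ISP applies to a directly attached
BGP customer: only prefixes the customer has documented authority for, at a
sane prefix length, with the customer's own AS as origin, are accepted."""
import ipaddress

# Constructed sample data: the prefixes each customer has on file (for example
# from a letter of authorization cross-checked against the registry), by ASN.
AUTHORIZED_PREFIXES = {
    64500: ["192.0.2.0/24", "198.51.100.0/23"],
    64501: ["2001:db8:100::/40"],
}

# Longest prefix the ISP is willing to carry from a customer session.
MAX_PREFIXLEN = {4: 24, 6: 48}


def check_announcement(customer_asn, prefix, as_path):
    """Return (accepted, reason) for one UPDATE received on a customer session.

    as_path is the AS_PATH as a list of ints, leftmost = the peer that sent it.
    """
    try:
        # strict=True rejects prefixes with host bits set, e.g. "192.0.2.1/24".
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"

    if not as_path or as_path[0] != customer_asn:
        return False, "AS_PATH does not start with the customer's own ASN"
    if as_path[-1] != customer_asn:
        return False, "origin AS is not the customer (no transit on this session)"

    if net.prefixlen > MAX_PREFIXLEN[net.version]:
        return False, f"prefix longer than /{MAX_PREFIXLEN[net.version]}"

    # Accept only if the announced prefix sits inside an authorized block.
    for allowed in AUTHORIZED_PREFIXES.get(customer_asn, []):
        allowed_net = ipaddress.ip_network(allowed)
        if allowed_net.version == net.version and net.subnet_of(allowed_net):
            return True, f"covered by authorized {allowed}"
    return False, "prefix not in the customer's authorized set"


def filter_updates(customer_asn, updates):
    """Apply check_announcement to a batch; return (accepted, rejected) lists."""
    accepted, rejected = [], []
    for prefix, as_path in updates:
        ok, reason = check_announcement(customer_asn, prefix, as_path)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample session: legitimate and out-of-scope announcements mixed.
    sample = [
        ("192.0.2.0/24", [64500]),          # authorized, own origin
        ("198.51.100.0/24", [64500]),       # more-specific inside an authorized /23
        ("203.0.113.0/24", [64500]),        # not on file for this customer
        ("192.0.2.0/25", [64500]),          # too long
        ("192.0.2.0/24", [64500, 64499]),   # customer passing on another AS's origin
    ]
    acc, rej = filter_updates(64500, sample)
    for p, r in acc:
        print("ACCEPT", p, "-", r)
    for p, r in rej:
        print("REJECT", p, "-", r)
```

On a real router this logic lives in a prefix-list or route-map applied inbound on the customer neighbor; the point of the Python is to make the three checks (authorized block, maximum length, own origin) visible, and to show that each one depends on information only the directly attached ISP holds.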