"Defensive" BGP hijacking?
Hopefully this is operational enough, though obviously leaning more towards the policy side of things:
What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?
http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-isra...
"For about six hours, we were seeing attacks of more than 200 Gbps hitting us," Townsend explained. "What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities."
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal
On Sunday, September 11, 2016, Hugo Slabbert <hugo@slabnet.com> wrote:
Hopefully this is operational enough, though obviously leaning more towards the policy side of things:
What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?
Not ok. Never.
http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/
"For about six hours, we were seeing attacks of more than 200 Gbps hitting us," Townsend explained. "What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities."
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal
Hugo Slabbert wrote on 9/11/2016 3:54 PM:
Hopefully this is operational enough, though obviously leaning more towards the policy side of things:
What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?
http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-isra...
"For about six hours, we were seeing attacks of more than 200 Gbps hitting us," Townsend explained. "What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities."
https://bgpstream.com/event/54711
My suggestion is that BackConnect/Bryant Townsend should have their ASN revoked for fraudulently announcing another organization's address space. They are not law enforcement, they did not have a warrant or judicial oversight, they were not in immediate mortal peril, etc, etc.
I'm in the "never acceptable" camp. Filtering routes/peers? Sure. Disconnecting one of your own customers to stop an attack originating from them? Sure. Hijacking an AS you have no permission to control? No.
Obviously my views and not of my employer.
Spencer Ryan | Senior Systems Administrator | sryan@arbor.net Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
________________________________
From: NANOG <nanog-bounces@nanog.org> on behalf of Blake Hudson <blake@ispn.net> Sent: Monday, September 12, 2016 11:24:03 AM To: nanog@nanog.org Subject: Re: "Defensive" BGP hijacking?
Hugo Slabbert wrote on 9/11/2016 3:54 PM:
Hopefully this is operational enough, though obviously leaning more towards the policy side of things:
What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?
http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-isra...
"For about six hours, we were seeing attacks of more than 200 Gbps hitting us," Townsend explained. "What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities."
https://bgpstream.com/event/54711
My suggestion is that BackConnect/Bryant Townsend should have their ASN revoked for fraudulently announcing another organization's address space. They are not law enforcement, they did not have a warrant or judicial oversight, they were not in immediate mortal peril, etc, etc.
Once we let providers cross the line from legal to illegal actions, we're no better than the crooks, and the Internet will descend into lawless chaos. BackConnect's illicit action undoubtedly injured innocent parties, so it's not self defense, any more than shooting wildly into a crowd to stop an attacker would be self defense. This thoughtless action requires a response from the community, and an apology from BackConnect. If we can't police ourselves, someone we don't like will do it for us.
-mel beckman
On Sep 12, 2016, at 8:47 AM, Ryan, Spencer <sryan@arbor.net> wrote:
I'm in the "never acceptable" camp. Filtering routes/peers? Sure. Disconnecting one of your own customers to stop an attack originating from them? Sure. Hijacking an AS you have no permission to control? No.
Obviously my views and not of my employer.
Spencer Ryan | Senior Systems Administrator | sryan@arbor.net Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
________________________________
From: NANOG <nanog-bounces@nanog.org> on behalf of Blake Hudson <blake@ispn.net> Sent: Monday, September 12, 2016 11:24:03 AM To: nanog@nanog.org Subject: Re: "Defensive" BGP hijacking?
Hugo Slabbert wrote on 9/11/2016 3:54 PM:
Hopefully this is operational enough, though obviously leaning more towards the policy side of things:
What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?
http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-isra...
"For about six hours, we were seeing attacks of more than 200 Gbps hitting us," Townsend explained. "What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities."
https://bgpstream.com/event/54711
My suggestion is that BackConnect/Bryant Townsend should have their ASN revoked for fraudulently announcing another organization's address space. They are not law enforcement, they did not have a warrant or judicial oversight, they were not in immediate mortal peril, etc, etc.
* Mel Beckman:
If we can't police ourselves, someone we don't like will do it for us.
That hasn't happened with IP spoofing, has it? As far as I understand it, it is still a major contributing factor in denial-of-service attacks. Self-regulation has been mostly unsuccessful, and yet nothing has happened on the political level.
On Sep 12, 2016, at 1:59 PM, Florian Weimer <fw@deneb.enyo.de> wrote:
* Mel Beckman:
If we can't police ourselves, someone we don't like will do it for us.
That hasn't happened with IP spoofing, has it? As far as I understand it, it is still a major contributing factor in denial-of-service attacks. Self-regulation has been mostly unsuccessful, and yet nothing has happened on the political level.
IP spoofing filtering is more of a technical issue than the social issue of BGP filtering. BGP filtering is feasible in hardware and software today. You can put a 600k line config on most devices without issues, and automate policy generation with a tool like bgpq3 or similar. Most hardware requires a recirculation of the packet to do a lookup on the source IP address. This means halving your NPU performance of something that hasn’t been in the 40 bytes per packet range for quite some time. - Jared
This behavior is never defensible nor acceptable. In addition to being in the wrong with BGP hijacking a prefix, it appears that Mr. Townsend had the wrong target, too. We've been attacked a few dozen times by this botnet, and they could never muster anything near 200 gbps worth of traffic. They were orders of magnitude smaller, only around 8-16 gbps depending on attack. Mr. Townsend's motives were wrong and so was his information.
-richard
On Sun, Sep 11, 2016 at 8:54 PM, Hugo Slabbert <hugo@slabnet.com> wrote:
Hopefully this is operational enough, though obviously leaning more towards the policy side of things:
What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?
http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-isra...
"For about six hours, we were seeing attacks of more than 200 Gbps hitting us," Townsend explained. "What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities."
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal
Well don't forget, normal attacks launched from vDOS were around 8 - 16gbps. On the Krebs article, he mentions "the company received an email directly from vDOS claiming credit for the attack" Now, if this holds true, it's likely that the operator of vDOS (Apple J4ck was his moniker) was directing the full resources of the network towards BackConnect. Given that Brian indicated that at any given time vDOS could be launching 10 - 15 times (9 "DDoS years" or something in a few months), the full force of the vDOS network could easily amount to 200gbps.
This behavior is never defensible nor acceptable.
In addition to being in the wrong with BGP hijacking a prefix, it appears that Mr. Townsend had the wrong target, too. We've been attacked a few dozen times by this botnet, and they could never muster anything near 200 gbps worth of traffic. They were orders of magnitude smaller, only around 8-16 gbps depending on attack.
Mr. Townsend's motives were wrong and so was his information.
Bryant from BackConnect (bryant@backconnect.com) has replied to me directly. He is a Nanog repeat attendee, but hasn't been subscribed to this list. Bryant says he is subscribing now and will post some clarifying comments shortly. I would share the content of his email, but he didn't explicitly give me permission for that, so I'll let him repeat anything that needs repeating. This looks to me like ISP community governance in the best sense. I look forward to thoughtful discussion.
-mel beckman
On Sep 12, 2016, at 2:03 PM, Paras Jha <paras@protrafsolutions.com> wrote:
Well don't forget, normal attacks launched from vDOS were around 8 - 16gbps. On the Krebs article, he mentions "the company received an email directly from vDOS claiming credit for the attack" Now, if this holds true, it's likely that the operator of vDOS (Apple J4ck was his moniker) was directing the full resources of the network towards BackConnect. Given that Brian indicated that at any given time vDOS could be launching 10 - 15 times (9 "DDoS years" or something in a few months), the full force of the vDOS network could easily amount to 200gbps.
This behavior is never defensible nor acceptable.
In addition to being in the wrong with BGP hijacking a prefix, it appears that Mr. Townsend had the wrong target, too. We've been attacked a few dozen times by this botnet, and they could never muster anything near 200 gbps worth of traffic. They were orders of magnitude smaller, only around 8-16 gbps depending on attack.
Mr. Townsend's motives were wrong and so was his information.
On 2016-09-11 16:54, Hugo Slabbert wrote:
Hopefully this is operational enough, though obviously leaning more towards the policy side of things:
What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?
Different spin but still "hijacking":
Many moons ago, iStop, a small ISP in Canada saw its services from Bell Canada (access to last mile) cut. However, its core network and transit was still functional for a number of months.
ISP2 quickly offered to rescue the stranded customers. Once registered with ISP2, a customer would see the DSL signal re-instated by Bell (now paid by ISP2) but would continue to be handed IPs that belonged to iStop.
ISP2 made use of the continuing transit capacity from the iStop router which therefore continued to make BGP announcements for the iStop IP blocks (and the iStop router then just sent everything to ISP2's router for distribution to end users). During this time, the iStop IP blocks continued to belong to iStop from ARIN's point of view.
Eventually the transit to the iStop router stopped. That day, former iStop customers now on ISP2 saw their access to internet essentially killed. At that point, the iStop IP blocks still had not been transferred to ISP2.
To save the day, ISP3 kicked in and started to make BGP announcements for iStop IPs and redirected the traffic to ISP2.
At that point, ISP3 hijacked iStop's IPs, but it was done to help the situation, not to steal traffic or anything. (In fact, I think the BGP announcements from ISP3 pointed to ISP2 routers).
Eventually, the iStop IP blocks was transferred to ISP2 which was then legally able to do the BGP announcements for those IPs.
So there are some cases where BGP hijacking may be desirable. I guess this is where judgement kicks in.
On Mon 2016-Sep-12 14:07:47 -0400, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote:
On 2016-09-11 16:54, Hugo Slabbert wrote:
Hopefully this is operational enough, though obviously leaning more towards the policy side of things:
What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?
Different spin but still "hijacking":
Many moons ago, iStop, a small ISP in Canada saw its services from Bell Canada (access to last mile) cut. However, its core network and transit was still functional for a number of months.
ISP2 quickly offered to rescue the stranded customers. Once registered with ISP2, a customer would see the DSL signal re-instated by Bell (now paid by ISP2) but would continue to be handed IPs that belonged to iStop.
ISP2 made use of the continuing transit capacity from the iStop router which therefore continued to make BGP announcements for the iStop IP blocks (and the iStop router then just sent everything to ISP2's router for distribution to end users). During this time, the iStop IP blocks continued to belong to iStop from ARIN's point of view.
Eventually the transit to the iStop router stopped. That day, former iStop customers now on ISP2 saw their access to internet essentially killed. At that point, the iStop IP blocks still had not been transferred to ISP2.
To save the day, ISP3 kicked in and started to make BGP announcements for iStop IPs and redirected the traffic to ISP2.
At that point, ISP3 hijacked iStop's IPs, but it was done to help the situation, not to steal traffic or anything. (In fact, I think the BGP announcements from ISP3 pointed to ISP2 routers).
Eventually, the iStop IP blocks was transferred to ISP2 which was then legally able to do the BGP announcements for those IPs.
So there are some cases where BGP hijacking may be desirable. I guess this is where judgement kicks in.
Was this all done at iStop's request and with their full support?
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal
On 2016-09-12 14:14, Hugo Slabbert wrote:
Was this all done at iStop's request and with their full support?
When iStop's router stopped making BGP announcements to the world (because its last transit link was cut), and ISP3 hijacked the IP blocks and made BGP announcements pointing to ISP2, I don't think there was much of iStop left to complain, and it was to the benefit of end users, so this hijacking was not nefarious. Either ISP2 was asleep at the switch and let this happen, or perhaps they had a deal with iStop that they would not do BGP until the block of IPs was transferred, so they got a friend at ISP3 to do the deed for them. The transfer of IPs to ISP2 happened shortly after that day, after which ISP2 did the proper BGP announcements for IPs now assigned to it.
On Mon, 12 Sep 2016 14:07:47 -0400, Jean-Francois Mezei said:
So there are some cases where BGP hijacking may be desirable. I guess this is where judgement kicks in.
I don't see "hijacking" in your description of the iStop case - it appears to have been fully coordinated and with permission.
On 2016-09-12 14:15, Valdis.Kletnieks@vt.edu wrote:
I don't see "hijacking" in your description of the iStop case - it appears to have been fully coordinated and with permission.
While I am not sure about fully coordinated and with permission, it is an example where it was a desirable outcome to maintain service to customers who would otherwise have been left without service. I pointed this out as an example where "hijacking" can sometimes be desirable. An automated system would likely block such announcements from ISP3 about ISP1's IP blocks pointing to ISP2's routers as it could be seen as highly suspect. Then again, with many mergers and acquisitions, this type of arrangement may be common as acquiring ISP1 may start to make BGP announcements of ISP2's IPs before those IPs have had time to be transferred.
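Jared's point above (prefix filtering is feasible today and can be generated from registry data) and Jean-Francois's remark that an automated system would likely block ISP3's announcement of ISP1's blocks both describe the same mechanism: route origin validation, where an announcement is checked against who is authorised to originate a prefix. The following is an added example written for this thread, not code from any of the posters or from bgpq3. It implements the RFC 6811 decision (VALID / INVALID / NOT_FOUND) over a constructed table of Route Origin Authorizations; every prefix and AS number in it is a documentation/placeholder value, not a network from the thread, and the IOS-style prefix-list output at the end is one illustration of what such a tool would emit, not a BackConnect or bgpq3 format.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA table.

Added example for the NANOG thread, not code from the thread.
All prefixes (RFC 5737 / RFC 3849 documentation space) and AS numbers
(private-use range) below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorization: prefix, maxLength, authorised origin AS."""
    prefix: object          # ipaddress.IPv4Network or IPv6Network
    max_length: int
    origin_asn: int


def parse_roa(prefix: str, origin_asn: int, max_length: int = None) -> Roa:
    """Build a ROA, enforcing prefixlen <= maxLength <= address size."""
    net = ipaddress.ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_length} for {net}")
    return Roa(net, max_length, origin_asn)


def validate(announced_prefix: str, origin_asn: int, roas: Iterable[Roa]) -> str:
    """RFC 6811 validity state for one (prefix, origin AS) announcement.

    NOT_FOUND: no ROA covers the prefix.
    VALID:     some covering ROA lists this origin AS and the announced
               prefix is no longer than that ROA's maxLength.
    INVALID:   covering ROAs exist but none matches (wrong origin, or a
               more-specific than the holder authorised).
    """
    net = ipaddress.ip_network(announced_prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "NOT_FOUND"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "VALID"
    return "INVALID"


def classify_feed(announcements: Iterable[Tuple[str, int]],
                  roas: Iterable[Roa]) -> List[Tuple[str, int, str]]:
    """Run validate() over a list of (prefix, origin_asn) announcements."""
    roas = list(roas)
    return [(p, asn, validate(p, asn, roas)) for p, asn in announcements]


def prefix_list_lines(name: str, roas: Iterable[Roa]) -> List[str]:
    """Render ROAs as IOS-style prefix-list lines (one illustrative format).

    Each ROA becomes 'permit <prefix> le <maxLength>'; anything not listed is
    dropped by the implicit deny at the end of a prefix-list.
    """
    lines = []
    for seq, roa in enumerate(sorted(roas, key=lambda r: str(r.prefix)), start=5):
        lines.append(f"ip prefix-list {name} seq {seq} permit "
                     f"{roa.prefix} le {roa.max_length}")
    return lines


# Constructed ROA table: who may originate what, and how specific they may go.
ROAS = [
    parse_roa("192.0.2.0/24", 64500),            # exact /24 only
    parse_roa("203.0.113.0/24", 64502),          # held by a different AS
    parse_roa("2001:db8::/32", 64501, max_length=48),
]

# Constructed announcement feed, as a monitor such as bgpstream would see it.
FEED = [
    ("192.0.2.0/24", 64500),      # the holder originating its own block
    ("192.0.2.0/25", 64500),      # holder, but more specific than authorised
    ("203.0.113.0/24", 64499),    # another AS originating someone else's space
    ("2001:db8:1::/48", 64501),   # within maxLength of the IPv6 ROA
    ("10.0.0.0/8", 64500),        # no ROA at all
]

if __name__ == "__main__":
    for prefix, asn, state in classify_feed(FEED, ROAS):
        print(f"{prefix:<18} AS{asn:<6} {state}")
    print("\n".join(prefix_list_lines("ROA-DERIVED", ROAS)))
```

The third feed entry is the shape of the event the thread is about: a covering ROA exists, the origin AS is not the one the holder authorised, so the announcement is INVALID and a router doing origin validation would drop or depress it. The iStop scenario would also come out INVALID until the registry record moved, which is exactly the "automated system would likely block it" case; the fix there is to update the authorisation (ROA or IRR route object) before the cutover, not to bypass the check.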
Redirecting someone's traffic, without their permission or a court order by a court in your jurisdiction, is not a lot different than the "bad guys" themselves.
On Sun, Sep 11, 2016 at 5:54 PM, Hugo Slabbert <hugo@slabnet.com> wrote:
Hopefully this is operational enough, though obviously leaning more towards the policy side of things:
What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?
http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/
"For about six hours, we were seeing attacks of more than 200 Gbps hitting us," Townsend explained. "What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities."
-- Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com pgp key: B178313E | also on Signal
participants (13)
- Blake Hudson
- Ca By
- FHR
- Florian Weimer
- Hugo Slabbert
- Jared Mauch
- Jean-Francois Mezei
- jim deleskie
- Mel Beckman
- Paras Jha
- Richard Hesse
- Ryan, Spencer
- Valdis.Kletnieks@vt.edu