nanog mailing list archives

Re: BGP Attack - Best Defense ?


From: Guy_Shields () Stream Com
Date: Fri, 29 Aug 2008 17:58:47 -0500

You need to contact 1st their directly connected provider, 2nd contact your upstream provider and ask that they contact 
their peers and negate the announcement. 3rd, if this is an ARIN-provided block, contact them, as you do pay for your 
allocation and they will have the contacts to resolve the issue. You cannot normally announce smaller than a /24.


----- Original Message -----
From: "Scott Weeks" [surfer () mauigateway com]
Sent: 08/29/2008 03:50 PM MST
To: <nanog () merit edu>
Subject: Re: BGP Attack - Best Defense ?





------- jfesler () gigo com wrote: -------
From: Jason Fesler <jfesler () gigo com>

I am signed up for the Prefix Hijack Alert System
(phas.netsec.colostate.edu) and would be alerted in about 6 hours (or
less?) about a prefix announcement change.

Would the alerts go to a mail server behind said BGP prefixes?
---------------------------------------

They would go to me.  They have been coming to me since I heard about this service on NANOG.

Thanks folks at Colorado State University! :-)


--------------------------------------
Also, if you're gonna bother at all.. I'd humbly suggest that 6 hours is
too long to wait.  Without naming names, consider if this response time is
adequate, and if not, look at some of the commercial options.
--------------------------------------

I'm currently on an eyeball network and no one is physically close to me, since I'm in Hawaii (the most isolated land 
mass in the world).  Even though the TTL changes in this attack, the physics don't.  The gamers would probably be the 
first alert folks as they would see the delay regardless of what their traceroutes say...  ;-)  In this attack the 
traffic makes it to both end-points.  The middle is what changes.



Restating my question differently:  If the attacker is announcing a /24 of mine, I figure it out somehow and I start 
announcing the same.  What happens if the attacker doesn't stop?




