[191388] in North American Network Operators' Group


Re: "Defensive" BGP hijacking?

daemon@ATHENA.MIT.EDU (Hugo Slabbert)
Mon Sep 12 14:14:42 2016

X-Original-To: nanog@nanog.org
Date: Mon, 12 Sep 2016 11:14:02 -0700
From: Hugo Slabbert <hugo@slabnet.com>
To: Jean-Francois Mezei <jfmezei_nanog@vaxination.ca>
In-Reply-To: <57D6EEF3.90106@vaxination.ca>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org


On Mon 2016-Sep-12 14:07:47 -0400, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote:

>On 2016-09-11 16:54, Hugo Slabbert wrote:
>> Hopefully this is operational enough, though obviously leaning more towards the policy side of things:
>>
>> What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?
>
>
>Different spin but still "highjacking":
>
>Many moons ago, iStop, a small ISP in Canada saw its services from Bell
>Canada (access to last mile) cut.  However, its core network and transit
>was still functional for a number of months.
>
>ISP2 quickly offered to rescue the stranded customers. Once registered
>with ISP2, a customer would see the DSL signal re-instated by Bell (now
>paid by ISP2) but would continue to be handed IPs that belonged to iStop.
>
>ISP2 made use of the continuing transit capacity from the iStop router
>which therefore continued to make BGP announcements for the iStop IP
>blocks (and the iStop router then just sent everything to ISP2's router
>for distribution to end users). During this time, the iStop IP blocks
>continued to belong to iStop from ARIN's point of view.
>
>Eventually the transit to the iStop router stopped. That day, former
>iStop customers now on ISP2 saw their access to internet essentially
>killed. At that point, the iStop IP blocks still had not been transferred
>to ISP2.
>
>To save the day, ISP3 kicked in and started to make BGP announcements for
>iStop IPs and redirected the traffic to ISP2.
>
>At that point, ISP3 hijacked iStop's IPs, but it was done to help the
>situation, not to steal traffic or anything. (In fact, I think the BGP
>announcements from ISP3 pointed to ISP2 routers).
>
>Eventually, the iStop IP blocks were transferred to ISP2 which was then
>legally able to do the BGP announcements for those IPs.
>
>So there are some cases where BGP hijacking may be desirable. I guess
>this is where judgement kicks in.
>

Was this all done at iStop's request and with their full support?

--
Hugo Slabbert       | email, xmpp/jabber: hugo@slabnet.com
pgp key: B178313E   | also on Signal
