[191535] in North American Network Operators' Group


Re: "Defensive" BGP hijacking?

daemon@ATHENA.MIT.EDU (Justin Paine via NANOG)
Tue Sep 20 23:27:35 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <3988530B-1624-4017-ADAB-E68DEBE12BDB@beckman.org>
Date: Tue, 20 Sep 2016 20:26:52 -0700
To: Mel Beckman <mel@beckman.org>
From: Justin Paine via NANOG <nanog@nanog.org>
Reply-To: Justin Paine <justin@cloudflare.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Earlier on Twitter Krebs said he was hit by a 665Gbps attack (so says
Prolexic/Akamai). Could be ongoing/related.

____________
Justin Paine
Head of Trust & Safety
CloudFlare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D


On Tue, Sep 20, 2016 at 8:21 PM, Mel Beckman <mel@beckman.org> wrote:
> While I was reading the krebsonsecurity.com article cited below, the site,
> hosted at Akamai address 72.52.7.144, became non responsive and now appears
> to be offline. Traceroutes stop before the Akamai-SWIPed border within
> Telia, as if blackholed (but adjacent IPs pass through to Akamai):
>
> traceroute to krebsonsecurity.com (72.52.7.144), 64 hops max, 40 byte packets
>  1  router1.sb.becknet.com (206.83.0.1)  0.771 ms  0.580 ms  0.342 ms
>  2  206-190-77-9.static.twtelecom.net (206.190.77.9)  0.715 ms  1.026 ms  0.744 ms
>  3  ae1-90g.ar7.lax1.gblx.net (67.17.75.18)  9.532 ms  6.567 ms  2.912 ms
>  4  ae10.edge1.losangeles9.level3.net (4.68.111.21)  2.919 ms  2.925 ms  2.904 ms
>  5  telia-level3-4x10g.losangeles.level3.net (4.68.70.130)  3.981 ms  3.567 ms  3.401 ms
>  6  sjo-b21-link.telia.net (62.115.116.40)  11.209 ms  11.140 ms  11.161 ms
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
>
> Weird coincidence?
>
>  -mel beckman
>
>> On Sep 20, 2016, at 6:46 PM, Hugo Slabbert <hugo@slabnet.com> wrote:
>>
>> Lucy, you got some (*serious*) 'splainin to do...
>>
>> http://research.dyn.com/2016/09/backconnects-suspicious-bgp-hijacks/
>> http://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks/
>>
>> --
>> Hugo Slabbert       | email, xmpp/jabber: hugo@slabnet.com
>> pgp key: B178313E   | also on Signal
>>
>>> On Sun 2016-Sep-18 22:25:44 -0400, Tom Beecher <beecher@beecher.cc> wrote:
>>>
>>> So after reading your explanation of things...
>>>
>>> Your technical protections for your client proved sufficient to handle the
>>> attack. You took OFFENSIVE action by hijacking the IP space. By your own
>>> statements, it was only in response to threats against your company. You
>>> were no longer providing DDoS protection to a client. You were exacting a
>>> vendetta against someone who was being MEAN to you. Even if that person
>>> probably deserved it, you still cannot do what was done.
>>>
>>> I appreciate the desire to want to protect friends and family from
>>> anonymous threats, and also realize how ill equipped law enforcement
>>> usually is while something like this is occurring.
>>>
>>> However, in my view, by taking the action you did, you have shown your
>>> company isn't ready to be operating in the security space. Being threatened
>>> by bad actors is a nominal part of doing business in the security space.
>>> Unfortunately you didn't handle it well, and I think that will stick to you
>>> for a long time.
>>>
>>> On Tue, Sep 13, 2016 at 3:29 PM, Bryant Townsend <bryant@backconnect.com>
>>> wrote:
>>>
>>>> @ca & Matt - No, we do not plan to ever intentionally perform a
>>>> non-authorized BGP hijack in the future.
>>>>
>>>> @Steve - Correct, the attack had already been mitigated. The decision to
>>>> hijack the attackers IP space was to deal with their threats, which if
>>>> carried through could have potentially led to physical harm. Although the
>>>> hijack gave us a unique insight into the attackers services, it was not a
>>>> factor that influenced my decision.
>>>>
>>>> @Blake & Mel - We will likely cover some of these questions in a future
>>>> blog post.
>>>>
