BGP Attack - Best Defense ?

Guy_Shields at Stream.Com Guy_Shields at Stream.Com
Fri Aug 29 17:58:47 CDT 2008

You need to contact 1st their directly connected provider, 2nd contact your upstream provider and ask that they contact their peers and negate the announcement. 3rd if this is an ARIN provided block contact them as you do pay for your allocation and they will have the contacts to resolve the issue. You cannot normally announce smaller than a /24

----- Original Message -----
From: "Scott Weeks" [surfer at]
Sent: 08/29/2008 03:50 PM MST
To: <nanog at>
Subject: Re: BGP Attack - Best Defense ?

------- jfesler at wrote: -------
From: Jason Fesler <jfesler at>

> I am signed up for the Prefix Hijack Alert System 
> ( and would be alerted in about 6 hours (or 
> less?) about a prefix announcement change.

Would the alerts go to a mail server behind said BGP prefixes?

They would go to me.  They have been coming to me since I heard about this service on NANOG.  

Thanks folks at Colorado State University! :-)

Also, if you're gonna bother at all.. I'd humbly suggest that 6 hours is 
too long to wait.  Without naming names, consider if this response time is 
adequate, and if not, look at some of the commercial options.

I'm currently on an eyeball network and no one is physically close to me, since I'm in Hawaii (the most isolated land mass in the world).  Even though the TTL changes in this attack, the physics don't.  The gamers would probably be the first alert folks as they would see the delay regardless of what their traceroutes say...  ;-)  In this attack the traffic makes it to both end-points.  The middle is what changes.

Restating my question differently:  If the attacker is announcing a /24 of mine, I figure it out some how and I start announcing the same.  What happens if the attacker doesn't stop? 

This e-mail may contain confidential and/or privileged information. If you are
not the intended recipient (or have received this e-mail in error) please 
notify the sender immediately and destroy this e-mail. Any unauthorized 
copying, disclosure or distribution of the material in this e-mail is strictly 

More information about the NANOG mailing list