"Defensive" BGP hijacking?

Jean-Francois Mezei jfmezei_nanog at vaxination.ca
Mon Sep 12 18:07:47 UTC 2016

On 2016-09-11 16:54, Hugo Slabbert wrote:
> Hopefully this is operational enough, though obviously leaning more towards the policy side of things:
> What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?

Different spin but still "hijacking":

Many moons ago, iStop, a small ISP in Canada saw its services from Bell
Canada (access to last mile) cut.  However, its core network and transit
was still functional for a number of months.

ISP2 quickly offered to rescue the stranded customers. Once registered
with ISP2, a customer would see the DSL signal re-instated by Bell (now
paid by ISP2) but would continue to be handed IPs that belonged to iStop.

ISP2 made use of the continuing transit capacity from the iStop router
which therefore continued to make BGP announcements for the iStop IP
blocks (and the iStop router then just sent everything to ISP2's router
for distribution to end users). During this time, the iStop IP blocks
continued to belong to iStop from ARIN's point of view.

Eventually the transit to the iStop router stopped. That day, former
iStop customers now on ISP2 saw their access to internet essentially
killed. At that point, the iStop IP blocks still had not been transferred
to ISP2.

To save the day, ISP3 kicked in and started to make BGP announcements for
iStop IPs and redirected the traffic to ISP2.

At that point, ISP3 hijacked iStop's IPs, but it was done to help the
situation, not to steal traffic or anything. (In fact, I think the BGP
announcements from ISP3 pointed to ISP2 routers).

Eventually, the iStop IP blocks were transferred to ISP2 which was then
legally able to do the BGP announcements for those IPs.

So there are some cases where BGP hijacking may be desirable. I guess
this is where judgement kicks in.