"Defensive" BGP hijacking?

Jean-Francois Mezei jfmezei_nanog at vaxination.ca
Wed Sep 14 19:00:24 UTC 2016


I got to think about this (dangerous thing :-(

Ideally, law enforcement should have the smarts and tools to get
involved in DDoS and other similar situations and have the power to
compel upstream provider(s) to shut service to a suspect.

The current situation appears to be more of a wild-west situation where
everyone takes the law into their own hands. It sort of works but
everyone knows this leads to abuses.

If you start to tolerate falsifying BGP, it will likely lead to regular
abuses (including intelligence agencies who stand to gain by redirecting
traffic to their servers) as well as corporate spies etc. So mechanisms
to enforce 0 tolerance are perhaps necessary, even if this means that a
few legitimate BGP tricks to save customers from a failing ISP will no
longer work.



Falsifying BGP can be done by one person without any sanity checks.
There is no check for evidence or whether this action is warranted. On
the other hand, there is a sanity check if you have to convince an
upstream provider to cut access to one of their customers.











