"Defensive" BGP hijacking?
beecher at beecher.cc
Wed Sep 21 03:28:47 UTC 2016
Brian Krebs tweeted out that Prolexic reported a 665Gbps attack directed at
On Tue, Sep 20, 2016 at 11:21 PM, Mel Beckman <mel at beckman.org> wrote:
> While I was reading the krebsonsecurity.com article cited below, the
> site, hosted at Akamai address 18.104.22.168, became non responsive and now
> appears to be offline. Traceroutes stop before the Akamai-SWIPed border
> within Telia, as if blackholed (but adjacent IPs pass through to Akamai):
> traceroute to krebsonsecurity.com (22.214.171.124), 64 hops max, 40 byte
> 1 router1.sb.becknet.com (126.96.36.199) 0.771 ms 0.580 ms 0.342 ms
> 2 206-190-77-9.static.twtelecom.net (188.8.131.52) 0.715 ms 1.026 ms
> 0.744 ms
> 3 ae1-90g.ar7.lax1.gblx.net (184.108.40.206) 9.532 ms 6.567 ms 2.912 ms
> 4 ae10.edge1.losangeles9.level3.net (220.127.116.11) 2.919 ms 2.925 ms
> 2.904 ms
> 5 telia-level3-4x10g.losangeles.level3.net (18.104.22.168) 3.981 ms
> 3.567 ms 3.401 ms
> 6 sjo-b21-link.telia.net (22.214.171.124) 11.209 ms 11.140 ms 11.161
> 7 * * *
> 8 * * *
> 9 * * *
> 10 * * *
> Weird coincidence?
> -mel beckman
> > On Sep 20, 2016, at 6:46 PM, Hugo Slabbert <hugo at slabnet.com> wrote:
> > Lucy, you got some (*serious*) 'splainin to do...
> > http://research.dyn.com/2016/09/backconnects-suspicious-bgp-hijacks/
> > http://krebsonsecurity.com/2016/09/ddos-mitigation-firm-
> > --
> > Hugo Slabbert | email, xmpp/jabber: hugo at slabnet.com
> > pgp key: B178313E | also on Signal
> >> On Sun 2016-Sep-18 22:25:44 -0400, Tom Beecher <beecher at beecher.cc>
> >> So after reading your explanation of things...
> >> Your technical protections for your client proved sufficient to handle
> >> attack. You took OFFENSIVE action by hijacking the IP space. By your own
> >> statements, it was only in response to threats against your company. You
> >> were no longer providing DDoS protection to a client. You were exacting
> >> vendetta against someone who was being MEAN to you. Even if that person
> >> probably deserved it, you still cannot do what was done.
> >> I appreciate the desire to want to protect friends and family from
> >> anonymous threats, and also realize how ill equipped law enforcement
> >> usually is while something like this is occurring.
> >> However, in my view, by taking the action you did, you have shown your
> >> company isn't ready to be operating in the security space. Being
> >> by bad actors is a nominal part of doing business in the security space.
> >> Unfortunately you didn't handle it well, and I think that will stick to
> >> for a long time.
> >> On Tue, Sep 13, 2016 at 3:29 PM, Bryant Townsend <
> bryant at backconnect.com>
> >> wrote:
> >>> @ca & Matt - No, we do not plan to ever intentionally perform a
> >>> non-authorized BGP hijack in the future.
> >>> @Steve - Correct, the attack had already been mitigated. The decision
> >>> hijack the attackers IP space was to deal with their threats, which if
> >>> carried through could have potentially lead to physical harm. Although
> >>> hijack gave us a unique insight into the attackers services, it was
> not a
> >>> factor that influenced my decision.
> >>> @Blake & Mel - We will likely cover some of these questions in a future
> >>> blog post.
More information about the NANOG