"Defensive" BGP hijacking?

Hopefully this is operational enough, though obviously leaning more towards the policy side of things:

What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"?


"For about six hours, we were seeing attacks of more than 200 Gbps hitting us,” Townsend explained. “What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities.”

Hopefully this is operational enough, though obviously leaning more
towards the policy side of things:

What does nanog think about a DDoS scrubber hijacking a network "for
defensive purposes"?

Not ok.



My suggestion is that BackConnect/Bryant Townsend should have their ASN revoked for fraudulently announcing another organization's address space. They are not law enforcement, they did not have a warrant or judicial oversight, they were not in immediate mortal peril, etc, etc.

I'm in the "never acceptable" camp. Filtering routes/peers? Sure. Disconnecting one of your own customers to stop an attack originating from them? Sure. Hijacking an AS you have no permission to control? No.

Obviously my views and not of my employer.

Spencer Ryan | Senior Systems Administrator | sryan@arbor.net<mailto:sryan@arbor.net>
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)

Once we let providers cross the line from legal to illegal actions, we're no better than the crooks, and the Internet will descend into lawless chaos. BackConnect's illicit action undoubtedly injured innocent parties, so it's not self defense, any more than shooting wildly into a crowd to stop an attacker would be self defense.

This thoughtless action requires a response from the community, and an apology from BackConnect.

If we can't police ourselves, someone we don't like will do it for us.

-mel beckman

This behavior is never defensible nor acceptable.

In addition to being in the wrong with BGP hijacking a prefix, it
appears that Mr. Townsend had the wrong target, too. We've been
attacked a few dozen times by this botnet, and they could never muster
anything near 200 gbps worth of traffic. They were orders of magnitude
smaller, only around 8-16 gbps depending on attack.

Mr. Townsend's motives were wrong and so was his information.


* Mel Beckman:

If we can't police ourselves, someone we don't like will do it for us.

That hasn't happened with with IP spoofing, has it? As far as I
understand it, it is still a major contributing factor in
denial-of-service attacks. Self-regulation has been mostly
unsuccessful, and yet nothing has happened on the political level.

Different spin but still "highjacking":

Many moons ago, iStop, a small ISP in Canada saw its services from Bell
Canada (access to last mile) cut. However, its core network and transit
was still functional for a number of months.

ISP2 quickly offered to rescue the stranded customers. Once registred
with ISP2, a customer would see the DSL signal re-instated by Bell (now
paid by ISP2) but would continue to be handed IPs that belonged to iStop.

ISP2 made use of the continuing transit capacity from the iStop router
which therefore continued to make BGP announcements for the iStop IP
blocks (and the iStop router then just sent everythingt o ISP2's router
for distribution to end users). During this time, the iStop IP blocks
continued to belong to iStop from ARIn's point of view.

Eventually the transit to the iStop router stopped. That day, former
iStop customers now on ISP2 saw their access to internet essentially
killed. At that point, the iStop IP blocks still had not been transfered
to ISP2.

To save the day, ISP3 kicked in and started to make BGP annoucements for
iStop IPs and redirected the traffic to ISP2.

At that point, ISP3 hijacked iStop's IPs, but it was done to help the
situation, not to steal traffic or anything. (In fact, I think the GBP
announcements from ISP3 pointed to ISP2 routers).

Eventually, the iStop IP blocks was transfered to ISP2 which was then
legally able to do the BGP announcements for those IPs.

So there are some cases where BGP hijacking may be desirable. I guess
this is where judgement kicks in.

IP spoofing filtering is more of a technical issue than the social issue of
BGP filtering.

BGP filtering is feasible in hardware and software today. You can put a 600k
line config on most devices without issues, and automate policy generation
with a tool like bgpq3 or similar.

Most hardware requires a recirculation of the packet to do a lookup on the
source IP address. This means halving your NPU performance of something that
hasn’t been in the 40 bytes per packet range for quite some time.

- Jared

Was this all done at iStop's request and with their full support?

I don't see "hijacking" in your description of the iStop case - it appears
to have been fully coordinated and with permission.

When iStop's router stopped making BGP announcements to the world
(because its last transit link was cut), and ISP3 highjacked the IP
blocks and made BGP announcements pointing to ISP2, I don't think there
was much of iStop left to complain, and it was to the benefit of end
users, so this highjacking was not nefarious.

Either ISP2 was asleep at the switch and let this happen, or perhaps
they had a deal ith iStop that they would not do BGP until block of IPs
was transfered, so they got a friend at ISP3 to do the deed for them.

The transfer of IP to ISP2 happened shortly after that day, after which
ISP2 did the proper BGP announcements for IPs now assigned to it.

While I am not sure about fully coordinated and with permission, it is
an example where it was a desirable outcome to maintain service to
customers who would otherwise have have been left without service.

I pointed this as an example where "highjacking" can sometimes be
desirable. An automated system would likekely block such announcements
from ISP3 about ISP1's IP blocks pointing to ISP2's routers as it could
be seen as highly suspect.

Then again, with many mergers and acquisitions, this type or arrangement
may be common as acquiring ISP1 may start to make BGP announcements of
ISP2's IPs before those IPs have had time to be transfered.

Well don't forget, normal attacks launched from vDOS were around 8 -

On the Krebs article, he mentions "the company received an email directly
from vDOS claiming credit for the attack"

Now, if this holds true, it's likely that the operator of vDOS (Apple J4ck
was his moniker) was directing the full resources of the network towards
BackConnect. Given that Brian indicated that at any given time vDOS could
be launching 10 - 15 times (9 "DDoS years" or something in a few months),
the full force of the vDOS network could easily amount to 200gbps.

Bryant from BackConnect (bryant@backconnect.com<mailto:bryant@backconnect.com>) has replied to me directly. He is a Nanog repeat attendee, but hasn't been subscribed to this list. Bryant says he is subscribing now and will post some clarifying comments shortly. I would share the content of his email, but he didn't explicitly give me permission for that, so I'll let him repeat anything that needs repeating.

This looks to me like ISP community governance in the best sense. I look forward to thoughtful discussion.

-mel beckman

Redirecting someone's traffic, with out there permission or a court order,
by a court in your jurisdiction, not a lot different then the "bad guys"