"Defensive" BGP hijacking?

ARIN has policies against fraudulently obtaining resources and has
policies for revoking said resources. One could argue that announcing
another org's IP resources without authorization is fraud and that said
IP resources were fraudulently obtained during the time they were
announced by BackConnect. That said, this ASN was obtained through RIPE
(despite the person/company being located in California, USA) and I did
not see any RIPE policies related to fraud.

My thought is that if Mr Townsend shows disregard for the stability of
the internet by hijacking others' IP space, he should not be allowed to
participate. There are comments to the Krebs article indicating that
this was not an isolated incident by Mr Townsend and instead represents
one event in a pattern of behavior.

Full disclosure: I had a working relationship with Bryant when he was still at Staminus.

Bryant (if you're on list):
I mean no harm by this and never had any trouble working with you. I just believe this is a conversation that needs to be had.

From: Blake Hudson <blake@ispn.net>


My suggestion is that BackConnect/Bryant Townsend should have their ASN
revoked for fraudulently announcing another organization's address
space. They are not law enforcement, they did not have a warrant or
judicial oversight, they were not in immediate mortal peril, etc, etc.
-------------------------------------------------

Are the RIRs the internet police?

ARIN has policies against fraudulently obtaining resources and has
policies for revoking said resources. One could argue that announcing
another org's IP resources without authorization is fraud and that said
IP resources were fraudulently obtained during the time they were
announced by BackConnect. That said, this ASN was obtained through RIPE
(despite the person/company being located in California, USA) and I did
not see any RIPE policies related to fraud.

My thought is that if Mr Townsend shows disregard for the stability of
the internet by hijacking others' IP space, he should not be allowed to
participate. There are comments to the Krebs article indicating that
this was not an isolated incident by Mr Townsend and instead represents
one event in a pattern of behavior.
-------------------------------------------------

I am somewhat in agreement with Mel:

"This thoughtless action requires a response from the community, and an
apology from BackConnect. If we can't police ourselves, someone we
don't like will do it for us."

But the first part seems to verge on vigilantism.

Operators are free to do whatever they like inside their own networks as long as they don't impact others. Barring RPKI coverage, we're still talking about an element of trust in BGP to believe what AS 203959 tells us. If I no longer believe what 203959 advertises, I don't have to accept anything with aspath .* 203959 .* in it. I don't see routing policy decisions in my own network as vigilantism.

I agree that Mel's response is well reasoned and thoughtful.

Regarding my mention of a pattern of fraudulent behavior: RIPE indicates that BackConnect has recently announced 55 IP prefixes via BGP (https://stat.ripe.net/widget/as-routing-consistency#w.resource=AS203959), even though they only appear to have 5 IPv4 allocations and are currently only announcing 8 /24 prefixes. Given BackConnect's position as an anti-DDoS provider it would not be unusual for them to announce the IP space of other organizations. One would likely need to confirm with the owners of each of these 55 prefixes as to whether BackConnect had authorization to announce this address space.

Based on the announcement of 82.118.233.0/24, it appears that BGP filters are either not in place for BackConnect or are modified without sufficient procedures to verify authorization.
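
The two controls discussed above, a per-customer prefix filter at the upstream and a local policy that drops any path containing a distrusted AS, as an added Python example that is not from any poster in the thread. The authorised prefix list and every ASN other than 203959 are constructed, and AS paths are assumed to be plain space-separated ASNs.

```python
import ipaddress

CUSTOMER_AS = 203959  # ASN named in the thread
# Constructed authorisation list (documentation ranges): (prefix, max length).
AUTHORIZED = [("192.0.2.0/24", 24), ("2001:db8::/32", 48)]

def path_has_asn(as_path, asn):
    """Token-wise form of the regex '.* 203959 .*': compares whole ASNs,
    so a longer ASN such as 4203959000 does not match 203959."""
    return asn in (int(t) for t in as_path.split() if t.isdigit())

def prefix_authorized(prefix, authorized=AUTHORIZED):
    """True if prefix lies inside an authorised block and is not more
    specific than that block's maximum length."""
    net = ipaddress.ip_network(prefix)
    for block, max_len in authorized:
        parent = ipaddress.ip_network(block)
        if (net.version == parent.version and net.subnet_of(parent)
                and net.prefixlen <= max_len):
            return True
    return False

def customer_import(prefix, as_path):
    """Upstream's filter on the BGP session facing CUSTOMER_AS."""
    hops = as_path.split()
    if not hops or hops[0] != str(CUSTOMER_AS):
        return "reject: first AS is not the customer"
    if not prefix_authorized(prefix):
        return "reject: prefix not on authorised list"
    return "accept"

def distrust_import(as_path, distrusted=(CUSTOMER_AS,)):
    """Any other operator's local policy: drop paths through a distrusted AS."""
    for asn in distrusted:
        if path_has_asn(as_path, asn):
            return f"reject: AS{asn} in path"
    return "accept"

# Constructed announcements; 82.118.233.0/24 is the prefix cited in the thread.
SAMPLE = [
    ("192.0.2.0/24", "203959"),
    ("82.118.233.0/24", "203959"),
    ("192.0.2.0/25", "203959"),
    ("203.0.113.0/24", "64500 4203959000 64501"),
    ("203.0.113.0/24", "64500 203959 64501"),
]

if __name__ == "__main__":
    for prefix, path in SAMPLE:
        print(prefix, path, customer_import(prefix, path), distrust_import(path), sep=" | ")
```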