Re: "Defensive" BGP hijacking?

2016-09-12 Thread Scott Weeks


--- m...@beckman.org wrote:
From: Mel Beckman 

This looks to me like ISP community governance in the 
best sense. I look forward to thoughtful discussion.



Yes, 100% agree!

scott


Re: "Defensive" BGP hijacking?

2016-09-12 Thread Mel Beckman
Bryant from BackConnect (bry...@backconnect.com) 
has replied to me directly. He is a Nanog repeat attendee, but hasn't been 
subscribed to this list. Bryant says he is subscribing now and will post some 
clarifying comments shortly. I would share the content of his email, but he 
didn't explicitly give me permission for that, so I'll let him repeat anything 
that needs repeating.

This looks to me like ISP community governance in the best sense. I look 
forward to thoughtful discussion.

 -mel beckman

On Sep 12, 2016, at 2:03 PM, Paras Jha wrote:

> Well don't forget, normal attacks launched from vDOS were around 8 -
> 16gbps.
>
> On the Krebs article, he mentions "the company received an email directly
> from vDOS claiming credit for the attack"
>
> Now, if this holds true, it's likely that the operator of vDOS (Apple J4ck
> was his moniker) was directing the full resources of the network towards
> BackConnect. Given that Brian indicated that at any given time vDOS could
> be launching 10 - 15 times (9 "DDoS years" or something in a few months),
> the full force of the vDOS network could easily amount to 200gbps.
>
>> This behavior is never defensible nor acceptable.
>>
>> In addition to being in the wrong with BGP hijacking a prefix, it
>> appears that Mr. Townsend had the wrong target, too. We've been
>> attacked a few dozen times by this botnet, and they could never muster
>> anything near 200 gbps worth of traffic. They were orders of magnitude
>> smaller, only around 8-16 gbps depending on attack.
>>
>> Mr. Townsend's motives were wrong and so was his information.


Re: "Defensive" BGP hijacking?

2016-09-12 Thread Paras Jha
Well don't forget, normal attacks launched from vDOS were around 8 -
16gbps.

On the Krebs article, he mentions "the company received an email directly
from vDOS claiming credit for the attack"

Now, if this holds true, it's likely that the operator of vDOS (Apple J4ck
was his moniker) was directing the full resources of the network towards
BackConnect. Given that Brian indicated that at any given time vDOS could
be launching 10 - 15 times (9 "DDoS years" or something in a few months),
the full force of the vDOS network could easily amount to 200gbps.

> This behavior is never defensible nor acceptable.
>
> In addition to being in the wrong with BGP hijacking a prefix, it
> appears that Mr. Townsend had the wrong target, too. We've been
> attacked a few dozen times by this botnet, and they could never muster
> anything near 200 gbps worth of traffic. They were orders of magnitude
> smaller, only around 8-16 gbps depending on attack.
>
> Mr. Townsend's motives were wrong and so was his information.


Re: Lawsuits for falsifying DNS responses ?

2016-09-12 Thread William Herrin
On Mon, Sep 12, 2016 at 1:41 PM, Jean-Francois Mezei wrote:
> To do so, it will provide ISPs with list of web sites to block
>
> Are there examples of an ISP getting sued because it redirected traffic
> that should have gone to original site ?

Hi,

You're talking about two different things here: blocking a DNS domain
and redirecting a domain.

While both are technologically ineffective countermeasures against
undesired content, I would expect the legal implications to be
different.

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: "Defensive" BGP hijacking?

2016-09-12 Thread Jean-Francois Mezei
On 2016-09-12 14:15, valdis.kletni...@vt.edu wrote:

> I don't see "hijacking" in your description of the iStop case - it appears
> to have been fully coordinated and with permission.


While I am not sure about fully coordinated and with permission, it is
an example where it was a desirable outcome to maintain service to
customers who would otherwise have been left without service.

I pointed this as an example where "hijacking" can sometimes be
desirable. An automated system would likely block such announcements
from ISP3 about ISP1's IP blocks pointing to ISP2's routers as it could
be seen as highly suspect.

Then again, with many mergers and acquisitions, this type of arrangement
may be common as acquiring ISP1 may start to make BGP announcements of
ISP2's IPs before those IPs have had time to be transferred.




Re: "Defensive" BGP hijacking?

2016-09-12 Thread Jean-Francois Mezei
On 2016-09-12 14:14, Hugo Slabbert wrote:

> Was this all done at iStop's request and with their full support?

When iStop's router stopped making BGP announcements to the world
(because its last transit link was cut), and ISP3 hijacked the IP
blocks and made BGP announcements pointing to ISP2, I don't think there
was much of iStop left to complain, and it was to the benefit of end
users, so this hijacking was not nefarious.

Either ISP2 was asleep at the switch and let this happen, or perhaps
they had a deal with iStop that they would not do BGP until block of IPs
was transferred, so they got a friend at ISP3 to do the deed for them.

The transfer of IP to ISP2 happened shortly after that day, after which
ISP2 did the proper BGP announcements for IPs now assigned to it.




Re: "Defensive" BGP hijacking?

2016-09-12 Thread Mel Beckman
John,

I appreciate you making this statement, and I appreciate ARIN’s attitude that 
this is a community issue. ISPs have done an amazing job of self-regulation, 
while still preserving their ability to innovate and be agile in the 
marketplace. BGP is a perfect example of that kind of self-policing. 

Outside regulation is rarely preferable to community self control, and I think 
a clear path forward is for those of us in the community to contact BackConnect 
and respectfully ask that they recognize their incorrect actions and repudiate 
this practice for the future. Everyone deserves a chance to recognize their 
mistakes and apologize, so I think we owe BackConnect this much. 

Nanog seems like a great place for BackConnect to reply to the ISP community as 
well.

 -mel


> On Sep 12, 2016, at 10:27 AM, John Curran wrote:
>
> On Sep 12, 2016, at 12:08 PM, Scott Weeks wrote:
>
> > Are the RIRs the internet police?
>
> Thank you Scott for posing that question…  :-)
>
> As others have noted, ARIN does indeed revoke resources, but to be clear,
> this is generally due to fraudulent activities _related_ to the registry
> itself (i.e. if you commit fraud in the course of obtaining resources, ARIN
> will revoke those resources once we have determined the fraud beyond
> reasonable doubt; see )
>
> The specific circumstances raised (of a party announcing an AS# which they
> do not control) can only happen if the others in the industry allow such, and
> therefore it is entirely within the community to address.   While it is
> possible that some peering and/or transit agreements have been broken (for
> example, those agreements which state that the party should only announce
> routes that they have permission to do so), but in any case, the act of
> announcing someone else’s number resources stems from usage that the
> community is allowing to occur, either thru action or inaction, and is not
> any fraudulent act with respect to the Internet number registry itself.
>
> ARIN is not a law enforcement entity (although we do work with them on
> occasion with regard to registry fraud), and it really is up to the industry
> to “police” Internet routing to the extent necessary and desirable to keep
> the Internet running.
>
> Thanks,
> /John
>
> John Curran
> President and CEO
> ARIN



Re: "Defensive" BGP hijacking?

2016-09-12 Thread Valdis . Kletnieks
On Mon, 12 Sep 2016 14:07:47 -0400, Jean-Francois Mezei said:

> So there are some cases where BGP hijacking may be desirable. I guess
> this is where judgement kicks in.

I don't see "hijacking" in your description of the iStop case - it appears
to have been fully coordinated and with permission.







Re: "Defensive" BGP hijacking?

2016-09-12 Thread Hugo Slabbert


On Mon 2016-Sep-12 14:07:47 -0400, Jean-Francois Mezei wrote:

> On 2016-09-11 16:54, Hugo Slabbert wrote:
>> Hopefully this is operational enough, though obviously leaning more towards
>> the policy side of things:
>>
>> What does nanog think about a DDoS scrubber hijacking a network "for
>> defensive purposes"?
>
> Different spin but still "hijacking":
>
> Many moons ago, iStop, a small ISP in Canada saw its services from Bell
> Canada (access to last mile) cut.  However, its core network and transit
> was still functional for a number of months.
>
> ISP2 quickly offered to rescue the stranded customers. Once registered
> with ISP2, a customer would see the DSL signal re-instated by Bell (now
> paid by ISP2) but would continue to be handed IPs that belonged to iStop.
>
> ISP2 made use of the continuing transit capacity from the iStop router
> which therefore continued to make BGP announcements for the iStop IP
> blocks (and the iStop router then just sent everything to ISP2's router
> for distribution to end users). During this time, the iStop IP blocks
> continued to belong to iStop from ARIN's point of view.
>
> Eventually the transit to the iStop router stopped. That day, former
> iStop customers now on ISP2 saw their access to internet essentially
> killed. At that point, the iStop IP blocks still had not been transferred
> to ISP2.
>
> To save the day, ISP3 kicked in and started to make BGP announcements for
> iStop IPs and redirected the traffic to ISP2.
>
> At that point, ISP3 hijacked iStop's IPs, but it was done to help the
> situation, not to steal traffic or anything. (In fact, I think the BGP
> announcements from ISP3 pointed to ISP2 routers).
>
> Eventually, the iStop IP blocks were transferred to ISP2 which was then
> legally able to do the BGP announcements for those IPs.
>
> So there are some cases where BGP hijacking may be desirable. I guess
> this is where judgement kicks in.

Was this all done at iStop's request and with their full support?

--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal




Re: "Defensive" BGP hijacking?

2016-09-12 Thread Jared Mauch

> On Sep 12, 2016, at 1:59 PM, Florian Weimer  wrote:
> 
> * Mel Beckman:
> 
>> If we can't police ourselves, someone we don't like will do it for us. 
> 
> That hasn't happened with IP spoofing, has it?  As far as I
> understand it, it is still a major contributing factor in
> denial-of-service attacks.  Self-regulation has been mostly
> unsuccessful, and yet nothing has happened on the political level.

IP spoofing filtering is more of a technical issue than the social issue of
BGP filtering.

BGP filtering is feasible in hardware and software today.  You can put a 600k 
line config on most devices without issues, and automate policy generation 
with a tool like bgpq3 or similar.

Most hardware requires a recirculation of the packet to do a lookup on the
source IP address.  This means halving your NPU performance of something that
hasn’t been in the 40 bytes per packet range for quite some time.

- Jared

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Jean-Francois Mezei
On 2016-09-11 16:54, Hugo Slabbert wrote:
> Hopefully this is operational enough, though obviously leaning more towards 
> the policy side of things:
> 
> What does nanog think about a DDoS scrubber hijacking a network "for 
> defensive purposes"?


Different spin but still "hijacking":

Many moons ago, iStop, a small ISP in Canada saw its services from Bell
Canada (access to last mile) cut.  However, its core network and transit
was still functional for a number of months.

ISP2 quickly offered to rescue the stranded customers. Once registered
with ISP2, a customer would see the DSL signal re-instated by Bell (now
paid by ISP2) but would continue to be handed IPs that belonged to iStop.

ISP2 made use of the continuing transit capacity from the iStop router
which therefore continued to make BGP announcements for the iStop IP
blocks (and the iStop router then just sent everything to ISP2's router
for distribution to end users). During this time, the iStop IP blocks
continued to belong to iStop from ARIN's point of view.

Eventually the transit to the iStop router stopped. That day, former
iStop customers now on ISP2 saw their access to internet essentially
killed. At that point, the iStop IP blocks still had not been transferred
to ISP2.

To save the day, ISP3 kicked in and started to make BGP announcements for
iStop IPs and redirected the traffic to ISP2.

At that point, ISP3 hijacked iStop's IPs, but it was done to help the
situation, not to steal traffic or anything. (In fact, I think the BGP
announcements from ISP3 pointed to ISP2 routers).

Eventually, the iStop IP blocks were transferred to ISP2 which was then
legally able to do the BGP announcements for those IPs.

So there are some cases where BGP hijacking may be desirable. I guess
this is where judgement kicks in.




Re: "Defensive" BGP hijacking?

2016-09-12 Thread Florian Weimer
* Mel Beckman:

> If we can't police ourselves, someone we don't like will do it for us. 

That hasn't happened with IP spoofing, has it?  As far as I
understand it, it is still a major contributing factor in
denial-of-service attacks.  Self-regulation has been mostly
unsuccessful, and yet nothing has happened on the political level.


Lawsuits for falsifying DNS responses ?

2016-09-12 Thread Jean-Francois Mezei
As many may know, the province of Québec has passed a law to protect the
interests of its lottery corporation.

To do so, it will provide ISPs with list of web sites to block (aka:
only allow its own gambling web site).

There is an opportunity to comment this week in which I will submit.

(I've gathered many arguments over the past little while already). But
have a specific question today:

Are there examples of an ISP getting sued because it redirected traffic
that should have gone to original site ?

For instance, user asks for www.google.com and ISP's DNS responds with
an IP that points to a bing server?

If the risk of a lawsuit is real, then it brings new dimension to
arguments already made against that (stupid) Québec law.

(And it also creates interesting issues for DNS servers from companies
such as Google which may have an anycast server located in Québec but are
not considered an ISP and won't receive those documents from the gov
with list of websites to block.)



Re: "Defensive" BGP hijacking?

2016-09-12 Thread Richard Hesse
This behavior is never defensible nor acceptable.

In addition to being in the wrong with BGP hijacking a prefix, it
appears that Mr. Townsend had the wrong target, too. We've been
attacked a few dozen times by this botnet, and they could never muster
anything near 200 gbps worth of traffic. They were orders of magnitude
smaller, only around 8-16 gbps depending on attack.

Mr. Townsend's motives were wrong and so was his information.

-richard

On Sun, Sep 11, 2016 at 8:54 PM, Hugo Slabbert  wrote:
> Hopefully this is operational enough, though obviously leaning more towards 
> the policy side of things:
>
> What does nanog think about a DDoS scrubber hijacking a network "for 
> defensive purposes"?
>
> http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/
>
> "For about six hours, we were seeing attacks of more than 200 Gbps hitting 
> us,” Townsend explained. “What we were doing was for defensive purposes. We 
> were simply trying to get them to stop and to gather as much information as 
> possible about the botnet they were using and report that to the proper 
> authorities.”
>
> --
> Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
> pgp key: B178313E   | also on Signal


Re: "Defensive" BGP hijacking?

2016-09-12 Thread John Curran
On Sep 12, 2016, at 12:08 PM, Scott Weeks wrote:

> Are the RIRs the internet police?

Thank you Scott for posing that question…  :-)

As others have noted, ARIN does indeed revoke resources, but to be clear,
this is generally due to fraudulent activities _related_ to the registry itself
(i.e. if you commit fraud in the course of obtaining resources, ARIN will
revoke those resources once we have determined the fraud beyond
reasonable doubt; see )

The specific circumstances raised (of a party announcing an AS# which they
do not control) can only happen if the others in the industry allow such, and
therefore it is entirely within the community to address.   While it is possible
that some peering and/or transit agreements have been broken (for example,
those agreements which state that the party should only announce routes that
they have permission to do so), but in any case, the act of announcing someone
else’s number resources stems from usage that the community is allowing to
occur, either thru action or inaction, and is not any fraudulent act with
respect to the Internet number registry itself.

ARIN is not a law enforcement entity (although we do work with them on
occasion with regard to registry fraud), and it really is up to the industry to
“police” Internet routing to the extent necessary and desirable to keep the
Internet running.

Thanks,
/John

John Curran
President and CEO
ARIN




Re: "Defensive" BGP hijacking?

2016-09-12 Thread Blake Hudson


Scott Weeks wrote on 9/12/2016 11:31 AM:

> I am somewhat in agreement with Mel:
>
> "This thoughtless action requires a response from the community, and an
> apology from BackConnect.   If we can't police ourselves, someone we
> don't like will do it for us. "
>
> But the first part seems to verge on vigilantism.  Solutions are hard.
> BGP filters should be in place.  Maybe that's the non-vigilante response.
> Force filters somehow.
>
> However, this has all been discussed over and over here...  ;-)
>
> scott

I agree that Mel's response is well reasoned and thoughtful.

Regarding my mention of a pattern of fraudulent behavior: RIPE indicates 
that BackConnect has recently announced 55 IP prefixes via BGP 
(https://stat.ripe.net/widget/as-routing-consistency#w.resource=AS203959), 
even though they only appear to have 5 IP4 allocations and are currently 
only announcing 8 /24 prefixes. Given BackConnect's position as an 
anti-ddos provider it would not be unusual for them to announce the IP 
space of other organizations. One would likely need to confirm with the 
owners of each of these 55 prefixes as to whether BackConnect had 
authorization to announce this address space.


Based on the announcement of 82.118.233.0/24, it appears that BGP 
filters are either not in place for BackConnect or are modified without 
sufficient procedures to verify authorization.


Re: "Defensive" BGP hijacking?

2016-09-12 Thread Hugo Slabbert


On Mon 2016-Sep-12 09:31:41 -0700, Scott Weeks wrote:

Full disclosure:  I had a working relationship with Bryant when he was
still at Staminus.

Bryant (if you're on list):
I mean no harm by this and never had any trouble working with you.  I just
believe this is a conversation that needs to be had.

> --- bl...@ispn.net wrote:
> From: Blake Hudson
> Scott Weeks wrote on 9/12/2016 11:08 AM:
>> From: NANOG  on behalf
>> of Blake Hudson
>>
>> My suggestion is that BackConnect/Bryant Townsend should have their ASN
>> revoked for fraudulently announcing another organization's address
>> space. They are not law enforcement, they did not have a warrant or
>> judicial oversight, they were not in immediate mortal peril, etc, etc.
>> -
>>
>> Are the RIRs the internet police?
>
> ARIN has policies against fraudulently obtaining resources and has
> policies for revoking said resources. One could argue that announcing
> another org's IP resources without authorization is fraud and that said
> ip resources were fraudulently obtained during the time they were
> announced by BackConnect. That said, this ASN was obtained through RIPE
> (despite the person/company being located in California, USA) and I did
> not see any RIPE policies related to fraud.
>
> My thought is that if Mr Townsend shows disregard for the stability of
> the internet by hijacking others' IP space, he should not be allowed to
> participate. There are comments to the Krebs article indicating that
> this was not an isolated incident by Mr Townsend and instead represents
> one event in a pattern of behavior.
> -
>
> I am somewhat in agreement with Mel:
>
> "This thoughtless action requires a response from the community, and an
> apology from BackConnect.   If we can't police ourselves, someone we
> don't like will do it for us. "
>
> But the first part seems to verge on vigilantism.

Operators are free to do whatever they like inside their own networks as
long as they don't impact others.  Barring RPKI coverage, we're still
talking about an element of trust in BGP to believe what AS 203959 tells
us.  If I no longer believe what 203959 advertises, I don't have to accept
anything with aspath .* 203959 .* in it.  I don't see routing policy
decisions in my own network as vigilantism.

> Solutions are hard. BGP filters should be in place.  Maybe that's the
> non-vigilante response. Force filters somehow.
>
> However, this has all been discussed over and over here...  ;-)
>
> scott


--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal
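
Added example (not part of the thread or any poster's configuration): the import policy Hugo Slabbert describes above, refusing any route whose AS path matches `.* 203959 .*`, combined with the origin check that Jared Mauch's prefix filters and Blake Hudson's authorization question point to, written here as RFC 6811-style origin validation. The authorization table, announcements and ASNs are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed authorization table: (covering prefix, max length, origin AS).
# Documentation prefixes (RFC 5737, RFC 3849) and documentation ASNs
# (RFC 5398) only; this is not real registry data.
AUTHORIZATIONS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]

# Constructed announcements: (prefix, AS path). The path reads from the
# neighbouring AS on the left to the origin AS on the right.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64496, 64500]),         # registered origin
    ("198.51.100.0/24", [64496, 64503]),      # origin not registered for it
    ("2001:db8:1::/48", [64497, 64502]),      # more specific, within max length
    ("2001:db8:1:2::/64", [64497, 64502]),    # more specific than max length
    ("203.0.113.0/24", [64496, 64499]),       # no registration covers it
    ("192.0.2.0/24", [64496, 64511, 64500]),  # good origin, distrusted AS in path
]

# Hypothetical AS this operator has stopped believing (assumption).
DISTRUSTED_ASNS = {64511}


def load_authorizations(rows):
    """Parse (prefix, max_length, origin_as) rows into network objects."""
    return [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in rows]


def origin_validation(prefix, origin_as, authorizations):
    """Return 'valid', 'invalid' or 'not-found' for one route."""
    net = ipaddress.ip_network(prefix)
    # Only authorizations of the same address family that cover the route count.
    covering = [
        (maxlen, asn)
        for auth_net, maxlen, asn in authorizations
        if auth_net.version == net.version and net.subnet_of(auth_net)
    ]
    if not covering:
        return "not-found"
    for maxlen, asn in covering:
        # A match needs the right origin AND a prefix no longer than max length.
        if asn == origin_as and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def import_decision(prefix, as_path, authorizations, distrusted):
    """Return (action, reason) for one announcement received from a peer."""
    if not as_path:
        return ("reject", "empty AS path on an external route")
    # Equivalent of the as-path match: the distrusted AS anywhere in the path.
    hits = distrusted.intersection(as_path)
    if hits:
        return ("reject", "AS path contains distrusted AS%d" % min(hits))
    # Assumes the path is a plain sequence, so the origin is the last entry.
    state = origin_validation(prefix, as_path[-1], authorizations)
    if state == "invalid":
        return ("reject",
                "AS%d is not an authorized origin for %s" % (as_path[-1], prefix))
    return ("accept", "origin validation: " + state)


def evaluate(announcements, authorization_rows, distrusted):
    """Apply the policy to every announcement; returns (prefix, action, reason)."""
    auths = load_authorizations(authorization_rows)
    return [(p, *import_decision(p, path, auths, distrusted))
            for p, path in announcements]


if __name__ == "__main__":
    for prefix, action, reason in evaluate(ANNOUNCEMENTS, AUTHORIZATIONS,
                                           DISTRUSTED_ASNS):
        print("%-20s %-6s %s" % (prefix, action, reason))
```

Routes with no covering authorization come back not-found and are accepted, so the origin check only protects prefixes whose holders have registered them.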




flag/global cloud exchange 15412 contact

2016-09-12 Thread Jared Mauch
Is there someone out here from 15412 I can talk to regarding some BGP related 
issues?

thanks,

- jared

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Scott Weeks
--- bl...@ispn.net wrote:
From: Blake Hudson 
Scott Weeks wrote on 9/12/2016 11:08 AM:
> From: NANOG  on behalf
> of Blake Hudson 


> My suggestion is that BackConnect/Bryant Townsend should have their ASN
> revoked for fraudulently announcing another organization's address
> space. They are not law enforcement, they did not have a warrant or
> judicial oversight, they were not in immediate mortal peril, etc, etc.
> -
>
>
> Are the RIRs the internet police?


ARIN has policies against fraudulently obtaining resources and has
policies for revoking said resources. One could argue that announcing
another org's IP resources without authorization is fraud and that said
ip resources were fraudulently obtained during the time they were
announced by BackConnect. That said, this ASN was obtained through RIPE
(despite the person/company being located in California, USA) and I did
not see any RIPE policies related to fraud.

My thought is that if Mr Townsend shows disregard for the stability of
the internet by hijacking others' IP space, he should not be allowed to
participate. There are comments to the Krebs article indicating that
this was not an isolated incident by Mr Townsend and instead represents
one event in a pattern of behavior.
-


I am somewhat in agreement with Mel: 

"This thoughtless action requires a response from the community, and an 
apology from BackConnect.   If we can't police ourselves, someone we 
don't like will do it for us. "

But the first part seems to verge on vigilantism.  Solutions are hard.
BGP filters should be in place.  Maybe that's the non-vigilante response.
Force filters somehow.

However, this has all been discussed over and over here...  ;-)


scott


Re: "Defensive" BGP hijacking?

2016-09-12 Thread Blake Hudson



Scott Weeks wrote on 9/12/2016 11:08 AM:

> From: NANOG  on behalf
> of Blake Hudson
>
> My suggestion is that BackConnect/Bryant Townsend should have their ASN
> revoked for fraudulently announcing another organization's address
> space. They are not law enforcement, they did not have a warrant or
> judicial oversight, they were not in immediate mortal peril, etc, etc.
> -
>
> Are the RIRs the internet police?
>
> scott

ARIN has policies against fraudulently obtaining resources and has
policies for revoking said resources. One could argue that announcing
another org's IP resources without authorization is fraud and that said
ip resources were fraudulently obtained during the time they were
announced by BackConnect. That said, this ASN was obtained through RIPE
(despite the person/company being located in California, USA) and I did
not see any RIPE policies related to fraud.

My thought is that if Mr Townsend shows disregard for the stability of
the internet by hijacking others' IP space, he should not be allowed to
participate. There are comments to the Krebs article indicating that
this was not an isolated incident by Mr Townsend and instead represents
one event in a pattern of behavior.


Re: "Defensive" BGP hijacking?

2016-09-12 Thread Mel Beckman
Once we let providers cross the line from legal to illegal actions, we're no 
better than the crooks, and the Internet will descend into lawless chaos. 
BackConnect's illicit action undoubtedly injured innocent parties, so it's not 
self defense, any more than shooting wildly into a crowd to stop an attacker 
would be self defense. 

This thoughtless action requires a response from the community, and an apology 
from BackConnect. 

If we can't police ourselves, someone we don't like will do it for us. 

 -mel beckman

> On Sep 12, 2016, at 8:47 AM, Ryan, Spencer  wrote:
> 
> I'm in the "never acceptable" camp. Filtering routes/peers? Sure. 
> Disconnecting one of your own customers to stop an attack originating from 
> them? Sure. Hijacking an AS you have no permission to control? No.
> 
> 
> Obviously my views and not of my employer.
> 
> Spencer Ryan | Senior Systems Administrator | 
> sr...@arbor.net
> Arbor Networks
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
> 
> 
> 
> From: NANOG  on behalf of Blake Hudson 
> 
> Sent: Monday, September 12, 2016 11:24:03 AM
> To: nanog@nanog.org
> Subject: Re: "Defensive" BGP hijacking?
> 
> 
> Hugo Slabbert wrote on 9/11/2016 3:54 PM:
>> Hopefully this is operational enough, though obviously leaning more towards 
>> the policy side of things:
>> 
>> What does nanog think about a DDoS scrubber hijacking a network "for 
>> defensive purposes"?
>> 
>> http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/
>> 
>> "For about six hours, we were seeing attacks of more than 200 Gbps hitting 
>> us,” Townsend explained. “What we were doing was for defensive purposes. We 
>> were simply trying to get them to stop and to gather as much information as 
>> possible about the botnet they were using and report that to the proper 
>> authorities.”
>> 
> 
> 
> https://bgpstream.com/event/54711
> 
> My suggestion is that BackConnect/Bryant Townsend should have their ASN
> revoked for fraudulently announcing another organization's address
> space. They are not law enforcement, they did not have a warrant or
> judicial oversight, they were not in immediate mortal peril, etc, etc.


Re: "Defensive" BGP hijacking?

2016-09-12 Thread Scott Weeks



From: NANOG  on behalf 
of Blake Hudson 

My suggestion is that BackConnect/Bryant Townsend should have their ASN
revoked for fraudulently announcing another organization's address
space. They are not law enforcement, they did not have a warrant or
judicial oversight, they were not in immediate mortal peril, etc, etc.
-


Are the RIRs the internet police?

scott



Re: "Defensive" BGP hijacking?

2016-09-12 Thread Ryan, Spencer
I'm in the "never acceptable" camp. Filtering routes/peers? Sure. Disconnecting 
one of your own customers to stop an attack originating from them? Sure. 
Hijacking an AS you have no permission to control? No.


Obviously my views and not of my employer.

Spencer Ryan | Senior Systems Administrator | 
sr...@arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com



From: NANOG  on behalf of Blake Hudson 
Sent: Monday, September 12, 2016 11:24:03 AM
To: nanog@nanog.org
Subject: Re: "Defensive" BGP hijacking?


Hugo Slabbert wrote on 9/11/2016 3:54 PM:
> Hopefully this is operational enough, though obviously leaning more towards 
> the policy side of things:
>
> What does nanog think about a DDoS scrubber hijacking a network "for 
> defensive purposes"?
>
> http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/
>
> "For about six hours, we were seeing attacks of more than 200 Gbps hitting 
> us,” Townsend explained. “What we were doing was for defensive purposes. We 
> were simply trying to get them to stop and to gather as much information as 
> possible about the botnet they were using and report that to the proper 
> authorities.”
>


https://bgpstream.com/event/54711

My suggestion is that BackConnect/Bryant Townsend should have their ASN
revoked for fraudulently announcing another organization's address
space. They are not law enforcement, they did not have a warrant or
judicial oversight, they were not in immediate mortal peril, etc, etc.


Re: "Defensive" BGP hijacking?

2016-09-12 Thread Blake Hudson


Hugo Slabbert wrote on 9/11/2016 3:54 PM:

> Hopefully this is operational enough, though obviously leaning more towards the
> policy side of things:
>
> What does nanog think about a DDoS scrubber hijacking a network "for defensive
> purposes"?
>
> http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/
>
> "For about six hours, we were seeing attacks of more than 200 Gbps hitting us,”
> Townsend explained. “What we were doing was for defensive purposes. We were simply
> trying to get them to stop and to gather as much information as possible about the
> botnet they were using and report that to the proper authorities.”




https://bgpstream.com/event/54711

My suggestion is that BackConnect/Bryant Townsend should have their ASN 
revoked for fraudulently announcing another organization's address 
space. They are not law enforcement, they did not have a warrant or 
judicial oversight, they were not in immediate mortal peril, etc, etc.


Re: comcast and msoft ports

2016-09-12 Thread Jared Mauch

> On Sep 12, 2016, at 7:43 AM, jared mauch  wrote:
> 
> And expect your SSH DSA keys to require a workaround, or just generate new 
> ecdsa and RSA keys.

Sorry, brain-keyboard output meant to say: ED25519

[-t dsa | ecdsa | ed25519 | rsa | rsa1]

https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html

macOS sierra inherits this as it provides OpenSSH 7.2.

- jared

Re: comcast and msoft ports

2016-09-12 Thread Gregg Heimer
Yes of course they do. If you need NetBIOS and SMB, create a VPN tunnel.

List of ports
https://customer.xfinity.com/help-and-support/internet/list-of-blocked-ports/

On Sep 11, 2016 2:45 PM, Ca By  wrote:
On Sunday, September 11, 2016, Randy Bush  wrote:

> anyone know if comcast residential filters 139/445?
>
> randy
>


https://customer.xfinity.com/help-and-support/internet/list-of-blocked-ports/






Re: comcast and msoft ports

2016-09-12 Thread Jared Mauch

> On Sep 11, 2016, at 4:02 PM, Ca By  wrote:
> 
> On Sunday, September 11, 2016, Filip Hruska  wrote:
> 
>> If you really need them, you'll need to use some sort of tunneling
>> mechanism, ie PPTP.
>> 
>> 
> 
> Friendly reminder, next week ios 10 drops
> 
> 
> Prepare servers for iOS 10 & macOS Sierra. Crypto Deprecations:
> - SSLv3
> - RC4
> - PPTP VPN
> support.apple.com/en-us/HT206871
> support.apple.com/en-us/HT206844
> 

And expect your SSH DSA keys to require a workaround, or just generate new 
ecdsa and RSA keys.

- Jared