Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread Joe Greco
On 30/08/2008, at 9:58 AM, Florian Weimer wrote: * Alex Pilosov: We've demonstrated ability to monitor traffic to arbitrary prefixes. Slides for presentation can be found here: http://eng.5ninesdata.com/~tkapela/iphd-2.ppt The interesting question is whether it's acceptable to use

Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread jim deleskie
True but I can still believe in a warm and fuzzy internet if I try really hard Then my cell phone rings and back to the real world. -jim On Sat, Aug 30, 2008 at 12:01 AM, Patrick W. Gilmore [EMAIL PROTECTED] wrote: On Aug 29, 2008, at 22:41, jim deleskie [EMAIL PROTECTED] wrote: I'm

Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread jim deleskie
The biggest issue with using a heavy hammer to affect traffic is that you don't always know why the other side is routing the way they are. Could be simple cost (peer vs transit) or a larger issue like congestion. Either way think before you route. I'm thinking Pandora's box hasn't just been

Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread isabel dias
if this is getting too complex ...:-) --- On Sat, 8/30/08, Patrick W. Gilmore [EMAIL PROTECTED] wrote: From: Patrick W. Gilmore [EMAIL PROTECTED] Subject: Re: Revealed: The Internet's well known BGP behavior To: nanog@nanog.org nanog@nanog.org Date: Saturday, August 30, 2008, 5:01 AM On Aug 29, 2008

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Sam Stickland
Jon Lewis wrote: Do you utilize the IRR, have an as-set, and put all customer AS/CIDR's into the IRR? I've honestly never heard from LVL3 about our advertisements. Other providers have varied from just needing a web form, email, phone call, or those combined with faxed LOAs. The latter

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread jim deleskie
Announcing a smaller bit of one of your blocks is fine, more than that most everyone I know does it or has done and is commonly accepted. Breaking up someone else's block and making that announcement even if it's to modify traffic between 2 peered networks is typically not looked as proper. Modify

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Adrian Chadd
On Fri, Aug 29, 2008, jim deleskie wrote: Announcing a smaller bit of one of your blocks is fine, more than that most everyone I know does it or has done and is commonly accepted. Breaking up someone else's block and making that announcement even if it's to modify traffic between 2 peered

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread jim deleskie
I'm afraid of the answer to that question On Fri, Aug 29, 2008 at 11:25 PM, Adrian Chadd [EMAIL PROTECTED] wrote: On Fri, Aug 29, 2008, jim deleskie wrote: Announcing a smaller bit of one of your blocks is fine, more than that most everyone I know does it or has done and is commonly accepted.

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Patrick W. Gilmore
On Aug 29, 2008, at 22:41, jim deleskie [EMAIL PROTECTED] wrote: I'm afraid of the answer to that question No you are not, since you already know the answer. -- TTFN, patrick On Fri, Aug 29, 2008 at 11:25 PM, Adrian Chadd [EMAIL PROTECTED] wrote: On Fri, Aug 29, 2008, jim deleskie

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Nathan Ward
On 30/08/2008, at 9:58 AM, Florian Weimer wrote: * Alex Pilosov: We've demonstrated ability to monitor traffic to arbitrary prefixes. Slides for presentation can be found here: http://eng.5ninesdata.com/~tkapela/iphd-2.ppt The interesting question is whether it's acceptable to use this

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Paul Ferguson
Hank Nussbacher [EMAIL PROTECTED] wrote: At 11:32 PM 27-08-08 -0500, John Lee wrote: Thanks guys, going back to my Comer one more time. My issue, question was whether the organization doing the hijacking controlled all of the routers in the

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Eric Spaeth
Jon Lewis wrote: At 11:32 PM 27-08-08 -0500, John Lee wrote: They didn't have control of any routers other than their own. What they had to find is a single clueless upstream ISP that would allow them to announce prefixes that didn't belong to them. Clueless or big and inattentive? AFAIK,

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Gadi Evron
On Wed, 27 Aug 2008, Patrick W. Gilmore wrote: On Aug 27, 2008, at 11:07 PM, John Lee wrote: 1. The technique is not new it is well known BGP behavior and not stealthy to people who route for a living. Using existing technology in novel ways is still novel. Plus it makes the technique more

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Suresh Ramasubramanian
Most of the spammer acquired /16s have been 1. pre arin 2. caused by buying up assets of long defunct companies .. assets that just happen to include a /16 nobody knew about Not exactly hijacks this lot .. just like those barely legal teen mags. srs On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread michael.dillon
Lastly, can you show me a single inter-AS MPLS deployment? When you can, then you can use that as a method to avoid this h4x0r. Just some quick googling found this http://www.xchangemag.com/hotnews/64h27164418.html from back in 2006. Sprint has expanded its global MPLS network

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread michael.dillon
I stand by my assertion that most people do not run traceroutes all day and watch for it to change. That some people are diligent does not change the fact the overwhelming majority of people are not. Or the fact that with the right placement of equipment (read luck) and cooperation

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Patrick W. Gilmore
On Aug 28, 2008, at 6:25 AM, Suresh Ramasubramanian wrote: Most of the spammer acquired /16s have been 1. pre arin 2. caused by buying up assets of long defunct companies .. assets that just happen to include a /16 nobody knew about Not exactly hijacks this lot .. just like those barely

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Anton Kapela
I thought I'd toss in a few comments, considering it's my fault that few people are understanding this thing yet. On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron [EMAIL PROTECTED] wrote: People (especially spammers) have been hijacking networks for a while I'd like to 'clear the air' here.

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Boyd, Benjamin R
; [EMAIL PROTECTED] Subject: Re: Revealed: The Internet's well known BGP behavior Jon Lewis wrote: At 11:32 PM 27-08-08 -0500, John Lee wrote: They didn't have control of any routers other than their own. What they had to find is a single clueless upstream ISP that would allow them

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Steven M. Bellovin
On Thu, 28 Aug 2008 10:16:16 -0500 Anton Kapela [EMAIL PROTECTED] wrote: I thought I'd toss in a few comments, considering it's my fault that few people are understanding this thing yet. On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron [EMAIL PROTECTED] wrote: People (especially spammers)

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Randy Bush
Steven M. Bellovin wrote: On Thu, 28 Aug 2008 10:16:16 -0500 Anton Kapela [EMAIL PROTECTED] wrote: I thought I'd toss in a few comments, considering it's my fault that few people are understanding this thing yet. On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron [EMAIL PROTECTED] wrote: People

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Deepak Jain
*) Filtering your customers using IRR is a requirement, however, it is not a solution - in fact, in the demonstration, we registered the /24 prefix we hijacked in IRR. RIRs need to integrate the allocation data with their IRR data. further clarification... [if this is obvious, just skip

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Danny McPherson
On Aug 28, 2008, at 3:47 PM, Deepak Jain wrote: We can go into lots of reasons why the Internet runs this way. I think we can all agree 1) It's amazing it runs as well as it does, and 2) No one has clearly articulated a financial reason for any large organizations to significantly change

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread John Lee
1. The technique is not new it is well known BGP behavior and not stealthy to people who route for a living. 2. When your networks use VPNs, MPLS, IPsec, SSL et al you can control what packets are going where. 3. When you are running some number of trace routes per hour to see how and where

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick W. Gilmore
On Aug 27, 2008, at 11:07 PM, John Lee wrote: 1. The technique is not new it is well known BGP behavior and not stealthy to people who route for a living. Using existing technology in novel ways is still novel. Plus it makes the technique more accessible. (Perhaps that is not a good

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Christian Koch
what do mpls, ipsec tunnels, ssl have anything to do with someone announcing your address space and hijacking your prefixes?? i think we all know this is not new.. and these guys didn't claim it to be.. they're not presenting this to a 'xNOG' crowd, defcon has a different type of audience.. i'm not

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread John Lee
. Gilmore [EMAIL PROTECTED] Sent: Wednesday, August 27, 2008 11:18 PM To: NANOG list Subject: Re: Revealed: The Internet's well known BGP behavior On Aug 27, 2008, at 11:07 PM, John Lee wrote: 1. The technique is not new it is well known BGP behavior and not stealthy to people who route

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Adrian Chadd
On Wed, Aug 27, 2008, John Lee wrote: Patrick, VPN's and MPLS control intermediate hops and IPsec and SSL do not allow the info to be seen. Rewriting the TTL only hides the number of hop count, trace route will still show the hops the packet has transited. No, traceroute shows the hops

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread John Lee
: Patrick W. Gilmore; NANOG list Subject: Re: Revealed: The Internet's well known BGP behavior On Wed, Aug 27, 2008, John Lee wrote: Patrick, VPN's and MPLS control intermediate hops and IPsec and SSL do not allow the info to be seen. Rewriting the TTL only hides the number of hop count, trace

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick W. Gilmore
On Aug 27, 2008, at 11:47 PM, John Lee wrote: The traceroute utility that I used gave me a list of hops that the packet I was interested in transited and a time when it transited the hop. When the TTL was reached it would terminate the listing. You are very confused how traceroute works.

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick Giagnocavo
John Lee wrote: Adrian, The traceroute utility that I used gave me a list of hops that the packet I was interested in transited and a time when it transited the hop. When the TTL was reached it would terminate the listing. But if I can control your traffic I could change everything,

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Hank Nussbacher
At 11:32 PM 27-08-08 -0500, John Lee wrote: Thanks guys, going back to my Comer one more time. My issue, question was whether the organization doing the hijacking controlled all of the routers in the new modified path or only some of them? John (ISDN) Lee They didn't have control of any

RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Jon Lewis
On Thu, 28 Aug 2008, Hank Nussbacher wrote: At 11:32 PM 27-08-08 -0500, John Lee wrote: Thanks guys, going back to my Comer one more time. My issue, question was whether the organization doing the hijacking controlled all of the routers in the new modified path or only some of them? John

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick W. Gilmore
On Aug 28, 2008, at 1:40 AM, Jim Popovitch wrote: On Thu, Aug 28, 2008 at 1:22 AM, Patrick W. Gilmore [EMAIL PROTECTED] wrote: Assuming it is in the wrong place, you may be able to detect the intrusion. But most people do not run traceroutes all day and watch for it to change. If you run