You might find a hijacked prefix advertised solely to a single asn at an ix where it peers, and this for the purpose of spamming to or otherwise attacking whoever owns the asn. Most of these targeted announcements might not even be visible to anyone else. —srs ________________________________ From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Nick Hilliard <nick@foobar.org> Sent: Friday, April 5, 2019 3:19 AM To: Carlos Friaças Cc: anti-abuse-wg@ripe.net; Ronald F. Guilmette Subject: Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 89, Issue 15 Carlos Friaças via anti-abuse-wg wrote on 04/04/2019 21:58:
On Thu, 4 Apr 2019, Ronald F. Guilmette wrote:
Wny have Tier 1 providers not stepped up and done a much better job of policing hijacks better than they have done?
Not all hijacks reach the so-called DFZ.
"Partial visibility" hijacks can happen without touching any of the Tier-1s....
People generally hijack prefixes in order to make money. If hijacked prefixes are not generally visible in the internet, then the value of the hijacking is a good deal lower because the reach is smaller. In order to stop something like hijacking from being a problem, you don't need to make it impossible to perpetrate - you just need to reduce the value to the point that it's not worth doing it. What makes hijacking attractive is when transit service providers don't filter ingress prefixes from their customers. The value of hijacking at an IXP will be proportional to the size of the IXP and whether the IXP has implemented filtering policies at their route servers. Direct peering sessions are troublesome, as they generally don't implement prefix filtering. But transit providers are where the bulk of the problem lies, and where efforts need to be concentrated in order to handle the issue. MANRS is one part of this effort. Nick