Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 89, Issue 15
Also I would like to remind all the community that usually what happens to communities that cannot regulate themselves is that some outsider comes and regulates them...
Yes, this is also my opinion. The community should do something against this abusive behavior. If it isn't done by the community there might be some regulation coming from outside, i.e. political entities. And I doubt that this will be the better way to handle this problem.
Best regards, Karl-Josef
Hi,
On Thu, Apr 04, 2019 at 08:32:39PM +0200, Karl-Josef Ziegler wrote:
Also I would like to remind all the community that usually what happens to communities that cannot regulate themselves is that some outsider comes and regulates them...
Yes, this is also my opinion. The community should do something against this abusive behavior. If it isn't done by the community there might be some regulation coming from outside, i.e. political entities. And I doubt that this will be the better way to handle this problem.
Still targeting the wrong crowd. A few willing Tier1 ISPs would have way more effect than all policies we do in RIPE land against a rogue ISP that might not even *be* a RIPE member (or a member of any LIR).
Gert Doering -- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG                 Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14   Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen            HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444    USt-IdNr.: DE813185279
In message <20190404183631.GZ97529@Space.Net>, Gert Doering <gert@space.net> wrote:
Still targeting the wrong crowd. A few willing Tier1 ISPs would have way more effect than all policies we do in RIPE land against a rogue ISP that might not even *be* a RIPE member (or a member of any LIR).
It is a fair point, but it raises an obvious question, which I ask now in all seriousness, because I really and truly do not know the answer:
Why have Tier 1 providers not stepped up and done a much better job of policing hijacks better than they have done?
Regards, rfg
Hi, On Thu, 4 Apr 2019, Ronald F. Guilmette wrote:
In message <20190404183631.GZ97529@Space.Net>, Gert Doering <gert@space.net> wrote:
Still targeting the wrong crowd. A few willing Tier1 ISPs would have way more effect than all policies we do in RIPE land against a rogue ISP that might not even *be* a RIPE member (or a member of any LIR).
It is a fair point, but it raises an obvious question, which I ask now in all seriousness, because I really and truly do not know the answer:
Why have Tier 1 providers not stepped up and done a much better job of policing hijacks better than they have done?
Not all hijacks reach the so-called DFZ. "Partial visibility" hijacks can happen without touching any of the Tier-1s.... Regards, Carlos
Regards, rfg
Carlos Friaças via anti-abuse-wg wrote on 04/04/2019 21:58:
On Thu, 4 Apr 2019, Ronald F. Guilmette wrote:
Why have Tier 1 providers not stepped up and done a much better job of policing hijacks better than they have done?
Not all hijacks reach the so-called DFZ.
"Partial visibility" hijacks can happen without touching any of the Tier-1s....
People generally hijack prefixes in order to make money. If hijacked prefixes are not generally visible in the internet, then the value of the hijacking is a good deal lower because the reach is smaller.
In order to stop something like hijacking from being a problem, you don't need to make it impossible to perpetrate - you just need to reduce the value to the point that it's not worth doing it.
What makes hijacking attractive is when transit service providers don't filter ingress prefixes from their customers. The value of hijacking at an IXP will be proportional to the size of the IXP and whether the IXP has implemented filtering policies at their route servers. Direct peering sessions are troublesome, as they generally don't implement prefix filtering.
But transit providers are where the bulk of the problem lies, and where efforts need to be concentrated in order to handle the issue.
MANRS is one part of this effort.
Nick
You might find a hijacked prefix advertised solely to a single asn at an ix where it peers, and this for the purpose of spamming to or otherwise attacking whoever owns the asn. Most of these targeted announcements might not even be visible to anyone else.
—srs
________________________________
From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Nick Hilliard <nick@foobar.org>
Sent: Friday, April 5, 2019 3:19 AM
To: Carlos Friaças
Cc: anti-abuse-wg@ripe.net; Ronald F. Guilmette
Subject: Re: [anti-abuse-wg] anti-abuse-wg Digest, Vol 89, Issue 15
Carlos Friaças via anti-abuse-wg wrote on 04/04/2019 21:58:
On Thu, 4 Apr 2019, Ronald F. Guilmette wrote:
Why have Tier 1 providers not stepped up and done a much better job of policing hijacks better than they have done?
Not all hijacks reach the so-called DFZ.
"Partial visibility" hijacks can happen without touching any of the Tier-1s....
People generally hijack prefixes in order to make money. If hijacked prefixes are not generally visible in the internet, then the value of the hijacking is a good deal lower because the reach is smaller. In order to stop something like hijacking from being a problem, you don't need to make it impossible to perpetrate - you just need to reduce the value to the point that it's not worth doing it. What makes hijacking attractive is when transit service providers don't filter ingress prefixes from their customers. The value of hijacking at an IXP will be proportional to the size of the IXP and whether the IXP has implemented filtering policies at their route servers. Direct peering sessions are troublesome, as they generally don't implement prefix filtering. But transit providers are where the bulk of the problem lies, and where efforts need to be concentrated in order to handle the issue. MANRS is one part of this effort. Nick
Which is why services like RIPE RIS are so valuable to the community. If anybody would just send its full BGP table to RIS, detecting hijacks (and later proving that they happened) would be much easier.
If you do not know what I am talking about, read: https://www.ripe.net/analyse/internet-measurements/routing-information-servi...
...and set up a BGP session to RIS.
Wolfgang
On 5. Apr 2019, at 01:43, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
You might find a hijacked prefix advertised solely to a single asn at an ix where it peers, and this for the purpose of spamming to or otherwise attacking whoever owns the asn. Most of these targeted announcements might not even be visible to anyone else.
-- Wolfgang Tremmel Phone +49 69 1730902 26 | Fax +49 69 4056 2716 | Mobile +49 171 8600 816 | wolfgang.tremmel@de-cix.net Executive Directors: Harald A. Summa and Sebastian Seifert | Trade Registry: AG Cologne, HRB 51135 DE-CIX Management GmbH | Lindleystrasse 12 | 60314 Frankfurt am Main | Germany | www.de-cix.net
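Added example (not part of any message in this thread, and not RIPE RIS code): a sketch of why more peers feeding a route collector makes "partial visibility" hijacks easier to detect. It compares constructed per-peer observations against a constructed expected-origin table and reports how many peers saw each conflicting announcement; the ASNs, prefixes and function names are assumptions, drawn from the documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed expected-origin table (in practice built from IRR route objects or ROAs).
EXPECTED = {
    "192.0.2.0/24": {64496},
    "198.51.100.0/24": {64497},
}

# Constructed observations: (collector peer ASN, prefix, origin ASN).
OBSERVATIONS = [
    (64500, "192.0.2.0/24", 64496),
    (64501, "192.0.2.0/24", 64496),
    (64502, "192.0.2.0/24", 64496),
    (64503, "192.0.2.0/24", 64511),       # only this peer sees a different origin
    (64500, "198.51.100.0/24", 64497),
    (64501, "198.51.100.0/24", 64497),
    (64502, "198.51.100.128/25", 64510),  # more-specific seen by a single peer
    (64503, "198.51.100.0/24", 64497),
]

def covering_expected(prefix, expected):
    """Return (network, origins) of the longest expected prefix covering `prefix`."""
    net = ipaddress.ip_network(prefix)
    best = None
    for exp_prefix, origins in expected.items():
        exp_net = ipaddress.ip_network(exp_prefix)
        if net.version == exp_net.version and net.subnet_of(exp_net):
            if best is None or exp_net.prefixlen > best[0].prefixlen:
                best = (exp_net, origins)
    return best

def find_conflicts(observations, expected):
    """List announcements whose origin is not expected, with per-peer visibility."""
    all_peers = {peer for peer, _, _ in observations}
    seen_by = defaultdict(set)
    for peer, prefix, origin in observations:
        seen_by[(prefix, origin)].add(peer)
    findings = []
    for (prefix, origin), peers in sorted(seen_by.items()):
        match = covering_expected(prefix, expected)
        # Assumption: an expected origin may also announce its own more-specifics.
        if match is None or origin in match[1]:
            continue
        exact = ipaddress.ip_network(prefix) == match[0]
        findings.append({
            "prefix": prefix,
            "origin": origin,
            "kind": "origin-mismatch" if exact else "more-specific",
            "peers": sorted(peers),
            "visibility": len(peers) / len(all_peers),
        })
    return findings

if __name__ == "__main__":
    for f in find_conflicts(OBSERVATIONS, EXPECTED):
        print(f)
```

Removing peer 64503's feed from the input makes the first conflict disappear from the results entirely, which is the practical cost of a network not sharing its routing view.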
I've seen presos on RIS for donkey's years - the earliest one I can find online was in APRICOT 2001.
What do you think is going to drive more adoption of this (and filtering based on IRR data)? We all know who is using them and who isn’t. The ones who don't use it leak routes, a lot.
Come to think of it, Philip and Geoff have been presenting their CIDR report on aggregation for even longer than that. I haven't seen their list of prefixes that could do with a ton of aggregation getting any smaller ..
Based on all this, I remain unconvinced that this problem is going to be solved by other than policy based means.
--srs
On 05/04/19, 12:44 PM, "anti-abuse-wg on behalf of Wolfgang Tremmel" <anti-abuse-wg-bounces@ripe.net on behalf of wolfgang.tremmel@de-cix.net> wrote:
Which is why services like RIPE RIS are so valuable to the community. If anybody would just send its full BGP table to RIS, detecting hijacks (and later proving that they happened) would be much easier.
If you do not know what I am talking about, read: https://www.ripe.net/analyse/internet-measurements/routing-information-servi...
...and set up a BGP session to RIS.
Wolfgang
> On 5. Apr 2019, at 01:43, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
>
> You might find a hijacked prefix advertised solely to a single asn at an ix where it peers, and this for the purpose of spamming to or otherwise attacking whoever owns the asn. Most of these targeted announcements might not even be visible to anyone else.
>
--
Wolfgang Tremmel
Phone +49 69 1730902 26 | Fax +49 69 4056 2716 | Mobile +49 171 8600 816 | wolfgang.tremmel@de-cix.net
Executive Directors: Harald A. Summa and Sebastian Seifert | Trade Registry: AG Cologne, HRB 51135
DE-CIX Management GmbH | Lindleystrasse 12 | 60314 Frankfurt am Main | Germany | www.de-cix.net
In message <28F8CA64-F298-4A5B-99D0-411F96C56004@gmail.com>, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Come to think of it, Philip and Geoff have been presenting their CIDR report on aggregation for even longer than that. I haven't seen their list of prefixes that could do with a ton of aggregation getting any smaller ..
Yea. And according to what I see from time to time on bgp.he.net, plenty of entities are still announcing bogons. And according to what I see from time to time on RIPE Routing History, quite a few people are or have been announcing ridiculous routes, like for /2. All in all, not a pretty picture. In fact it all gives the impression of a pretty absurd level of anarchy. Regards, rfg
Hi,
Thanks Wolfgang and Suresh,
That's something I have been probably saying in between the lines: it would be easier for anyone on the Internet to evaluate if a hijack took place if more people (or most people) would share their routing views. :-)
Carlos
On Fri, 5 Apr 2019, Wolfgang Tremmel wrote:
Which is why services like RIPE RIS are so valuable to the community. If anybody would just send its full BGP table to RIS, detecting hijacks (and later proving that they happened) would be much easier.
If you do not know what I am talking about, read: https://www.ripe.net/analyse/internet-measurements/routing-information-servi...
...and set up a BGP session to RIS.
Wolfgang
On 5. Apr 2019, at 01:43, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
You might find a hijacked prefix advertised solely to a single asn at an ix where it peers, and this for the purpose of spamming to or otherwise attacking whoever owns the asn. Most of these targeted announcements might not even be visible to anyone else.
-- Wolfgang Tremmel
Phone +49 69 1730902 26 | Fax +49 69 4056 2716 | Mobile +49 171 8600 816 | wolfgang.tremmel@de-cix.net Executive Directors: Harald A. Summa and Sebastian Seifert | Trade Registry: AG Cologne, HRB 51135 DE-CIX Management GmbH | Lindleystrasse 12 | 60314 Frankfurt am Main | Germany | www.de-cix.net
Hi, On Thu, 4 Apr 2019, Nick Hilliard wrote:
People generally hijack prefixes in order to make money. If hijacked prefixes are not generally visible in the internet, then the value of the hijacking is a good deal lower because the reach is smaller.
It depends on the purpose, and if visibility is a key issue or not. :-)
In order to stop something like hijacking from being a problem, you don't need to make it impossible to perpetrate - you just need to reduce the value to the point that it's not worth doing it.
The problem of that approach is the diversity of goals...
What makes hijacking attractive is when transit service providers don't filter ingress prefixes from their customers. The value of hijacking at an IXP will be proportional to the size of the IXP and whether the IXP has implemented filtering policies at their route servers. Direct peering sessions are troublesome, as they generally don't implement prefix filtering.
Yes. Trust is generally higher between peers/BGP speakers in a small environment, which might become a vulnerability... But the value depends on the purpose. If the value for the hijacker is in announcing a bogus route just to _one_ network, it's irrelevant if the IXP has 20 members or 200 members.
But transit providers are where the bulk of the problem lies, and where efforts need to be concentrated in order to handle the issue.
I'm not completely sure about that.
MANRS is one part of this effort.
Let's hope MANRS can seriously take off in terms of adoption! Cheers, Carlos
Nick
On 04/04/2019 21:36, Gert Doering wrote:
Hi,
On Thu, Apr 04, 2019 at 08:32:39PM +0200, Karl-Josef Ziegler wrote:
Also I would like to remind all the community that usually what happens to communities that cannot regulate themselves is that some outsider comes and regulates them...
Yes, this is also my opinion. The community should do something against this abusive behavior. If it isn't done by the community there might be some regulation coming from outside, i.e. political entities. And I doubt that this will be the better way to handle this problem.
Still targeting the wrong crowd. A few willing Tier1 ISPs would have way more effect than all policies we do in RIPE land against a rogue ISP that might not even *be* a RIPE member (or a member of any LIR).
Back in 2014 when I ran down a BGP hijack and approached the tier-1 (CAIDA top 5) that enabled the hijack to take place, their response was:
"But as you point out - we are xxxxxxxxx. There needs to be a degree of trust between us and our customer. Also it would be highly impractical to have proactive monitoring on all route changes. But there are certain things we block and others that we monitor of interest. This situation is now one of them."
Less than a year ago I approached a tier-1 that ranked in the top 25 about another BGP hijack. I approached them 36 hours *after* the hijack took place and the response I received from their NOC was that they approached the hijacker (a direct customer of theirs) and the response from the hijacker which they forwarded to me was:
/We checked the prefixes mentioned in our network and we do not seen these prefixes and do not advertise to ASN xxxx [HN: tier-1 ASN]. Also these prefixes are not seen in internet from our network (ASN : xxxxx ). [HN: ASN of hijacker]/
Of course the prefixes are not seen, since the hijack was for a few hours. The tier-1 closed the case.
So if the Internet (5xRIR) could guarantee me that within a year, the top 100 ASNs in the Internet were filtering properly and stopping BGP hijacking from occurring, I would pull my support for this proposal and agree with you.
Regards, Hank
Gert Doering -- NetMaster
On Thu, Apr 04, 2019 at 08:32:39PM +0200, Karl-Josef Ziegler wrote:
Yes, this is also my opinion. The community should do something against this abusive behavior. If it isn't done by the community there might be some regulation coming from outside, i.e. political entities. And I doubt that this will be the better way to handle this problem.
I am starting to come around to the opinion that such regulation would actually be preferable to this. Legislative regulation, at least in democratic societies, imposes responsibilities but it also gives *rights*. Namely constitutionality, the right to have such regulation applied transparently and fairly and, most importantly, the right to judicial review. None of which applies to the vigilante kind of "justice" the proponents wish the RIPE NCC to become the enforcer of. Given these two choices, I know which way I'd vote.
rgds, SL
On Thu, 4 Apr 2019, Sascha Luck [ml] wrote:
On Thu, Apr 04, 2019 at 08:32:39PM +0200, Karl-Josef Ziegler wrote:
Yes, this is also my opinion. The community should do something against this abusive behavior. If it isn't done by the community there might be some regulation coming from outside, i.e. political entities. And I doubt that this will be the better way to handle this problem.
I am starting to come around to the opinion that such regulation would actually be preferable to this. Legislative regulation, at least in democratic societies, imposes responsibilities but it also gives *rights*. Namely constitutionality, the right to have such regulation applied transparently and fairly and, most importantly, the right to judicial review. None of which applies to the vigilante kind of "justice" the proponents wish the RIPE NCC to become the enforcer of. Given these two choices, I know which way I'd vote.
Hi,
So you seem to prefer regulation over self-regulation?
And who would be doing that regulation?
- some EC org (service region goes way beyond EU...)
- the Dutch Telecoms Regulator?
- ITU-T?
- ...?
Honestly, I don't have a clue...
Regards, Carlos
rgds, SL
On Fri, Apr 05, 2019 at 08:23:12AM +0100, Carlos Friaças wrote:
So you seem to prefer regulation over self-regulation?
Not per se, just that I'd prefer governmental regulation over the kind of regulation 2019-03 envisions.
And who would be doing that regulation? - some EC org (service region goes way beyond EU...)
We will see this "EU Internet Regulator" within the term of the next EU Commission / EUPARL. The (probably) next commission president Manfred Weber has committed to this: http://www.spiegel.de/politik/ausland/manfred-weber-das-internet-muss-europa... (Sorry, it's in German. There is no other source I can find)
Now, this will happen whether 2019-03 passes or not, the question is will they leave resource management alone, because it works, or will it transfer into the domain of this regulator?
As for the service region, the EU cares only about the EU. Whatever happens to the rest of the SR is not their concern.
rgds, SL
Hi, On Fri, 5 Apr 2019, Sascha Luck [ml] wrote: (...)
And who would be doing that regulation? - some EC org (service region goes way beyond EU...)
We will see this "EU Internet Regulator" within the term of the next EU Commission / EUPARL. The (probably) next commission president Manfred Weber has committed to this: http://www.spiegel.de/politik/ausland/manfred-weber-das-internet-muss-europa... (Sorry, it's in German. There is no other source I can find)
Now, this will happen whether 2019-03 passes or not, the question is will they leave resource management alone, because it works, or will it transfer into the domain of this regulator?
"Will _try_ to transfer." -- again, the service region is wider... Imho, that will also depend on this regulator's f-u-n-d-i-n-g model. Or are we supposed to see the uprising of a "FIR" (EU Federal Internet Registry), building on the NIR concept...? :-)
As for the service region, the EU cares only about the EU. Whatever happens to the rest of the SR is not their concern.
Splitting the service region in two (EU and non-EU) sounds a bit impractical... :-) Regards, Carlos
rgds, SL
On Fri, Apr 05, 2019 at 01:48:07PM +0100, Carlos Friaças wrote:
Imho, that will also depend on this regulator's f-u-n-d-i-n-g model.
Or are we supposed to see the uprising of a "FIR" (EU Federal Internet Registry), building on the NIR concept...? :-)
That's exactly what I think *will* happen. And it may happen independently of whatever goes on here or in the NCC. (Probably with a "ripedb" built at great cost by a defence contractor which is down half the time and leaks like a sieve) However, I think that if the NCC starts amassing "regulatory" power, this may happen sooner than later...
Splitting the service region in two (EU and non-EU) sounds a bit impractical... :-)
Not really any more so than the creation of AfriNIC. rgds, SL
participants (9)
- Carlos Friaças
- Gert Doering
- Hank Nussbacher
- Karl-Josef Ziegler
- Nick Hilliard
- Ronald F. Guilmette
- Sascha Luck [ml]
- Suresh Ramasubramanian
- Wolfgang Tremmel