Re: "Defensive" BGP hijacking?

2016-09-12 Thread Scott Weeks
--- m...@beckman.org wrote: From: Mel Beckman This looks to me like ISP community governance in the best sense. I look forward to thoughtful discussion. Yes, 100% agree! scott

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Mel Beckman
Bryant from BackConnect (bry...@backconnect.com) has replied to me directly. He is a Nanog repeat attendee, but hasn't been subscribed to this list. Bryant says he is subscribing now and will post some clarifying comments shortly. I would share the content of his e

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Paras Jha
Well don't forget, normal attacks launched from vDOS were around 8 - 16gbps. On the Krebs article, he mentions "the company received an email directly from vDOS claiming credit for the attack" Now, if this holds true, it's likely that the operator of vDOS (Apple J4ck was his moniker) was directin

Re: Lawsuits for falsyfying DNS responses ?

2016-09-12 Thread William Herrin
On Mon, Sep 12, 2016 at 1:41 PM, Jean-Francois Mezei wrote: > To do so, it will provide ISPs with list of web sites to block > > Are there examples of an ISP getting sued because it redirected traffic > that should have gone to original site ? Hi, You're talking about two different things here:

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Jean-Francois Mezei
On 2016-09-12 14:15, valdis.kletni...@vt.edu wrote: > I don't see "hijacking" in your description of the iStop case - it appears > to have been fully coordinated and with permission. While I am not sure about fully coordinated and with permission, it is an example where it was a desirable outcom

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Jean-Francois Mezei
On 2016-09-12 14:14, Hugo Slabbert wrote: > Was this all done at iStop's request and with their full support? When iStop's router stopped making BGP announcements to the world (because its last transit link was cut), and ISP3 highjacked the IP blocks and made BGP announcements pointing to ISP2, I

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Mel Beckman
John, I appreciate you making this statement, and I appreciate ARIN’s attitude that this is a community issue. ISPs have done an amazing job of self-regulation, while still preserving their ability to innovate and be agile in the marketplace. BGP is a perfect example of that kind of self-polici

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Valdis . Kletnieks
On Mon, 12 Sep 2016 14:07:47 -0400, Jean-Francois Mezei said: > So there are some cases where BGP hijacking may be desirable. I guess > this is where judgement kicks in. I don't see "hijacking" in your description of the iStop case - it appears to have been fully coordinated and with permission.

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Hugo Slabbert
On Mon 2016-Sep-12 14:07:47 -0400, Jean-Francois Mezei wrote: On 2016-09-11 16:54, Hugo Slabbert wrote: Hopefully this is operational enough, though obviously leaning more towards the policy side of things: What does nanog think about a DDoS scrubber hijacking a network "for defensive pur

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Jared Mauch
> On Sep 12, 2016, at 1:59 PM, Florian Weimer wrote: > > * Mel Beckman: > >> If we can't police ourselves, someone we don't like will do it for us. > > That hasn't happened with with IP spoofing, has it? As far as I > understand it, it is still a major contributing factor in > denial-of-serv

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Jean-Francois Mezei
On 2016-09-11 16:54, Hugo Slabbert wrote: > Hopefully this is operational enough, though obviously leaning more towards > the policy side of things: > > What does nanog think about a DDoS scrubber hijacking a network "for > defensive purposes"? Different spin but still "highjacking": Many moo

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Florian Weimer
* Mel Beckman: > If we can't police ourselves, someone we don't like will do it for us. That hasn't happened with with IP spoofing, has it? As far as I understand it, it is still a major contributing factor in denial-of-service attacks. Self-regulation has been mostly unsuccessful, and yet not

Lawsuits for falsyfying DNS responses ?

2016-09-12 Thread Jean-Francois Mezei
As many may know, the province of Québec has passed a law to protect the interests of its lottery corporation. To do so, it will provide ISPs with list of web sites to block (aka: only allow its own gambing web site). There is an opportunity to comment this week in which I will submit. (I've gat

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Richard Hesse
This behavior is never defensible nor acceptable. In addition to being in the wrong with BGP hijacking a prefix, it appears that Mr. Townsend had the wrong target, too. We've been attacked a few dozen times by this botnet, and they could never muster anything near 200 gbps worth of traffic. They w

Re: "Defensive" BGP hijacking?

2016-09-12 Thread John Curran
On Sep 12, 2016, at 12:08 PM, Scott Weeks mailto:sur...@mauigateway.com>> wrote: Are the RIRs the internet police? Thank you Scott for posing that question… :-) As others have noted, ARIN does indeed revoke resources, but to be clear, this is generally due to fraudulent activities _related_ to

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Blake Hudson
Scott Weeks wrote on 9/12/2016 11:31 AM: I am somewhat in agreement with Mel: "This thoughtless action requires a response from the community, and an apology from BackConnect. If we can't police ourselves, someone we don't like will do it for us. " But the first part seems to verge on vigil

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Hugo Slabbert
On Mon 2016-Sep-12 09:31:41 -0700, Scott Weeks wrote: Full disclosure: I had a working relationship with Bryant when he was still at Staminus. Bryant (if you're on list): I mean no harm by this and never had any trouble working with you. I just believe this is a conversation that needs to

flag/global cloud exchange 15412 contact

2016-09-12 Thread Jared Mauch
Is there someone out here from 15412 I can talk to regarding some BGP related issues? thanks, - jared

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Scott Weeks
--- bl...@ispn.net wrote: From: Blake Hudson Scott Weeks wrote on 9/12/2016 11:08 AM: > From: NANOG on behalf > of Blake Hudson > My suggestion is that BackConnect/Bryant Townsend should have their ASN > revoked for fraudulently announcing another organization's address > space. They are not l

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Blake Hudson
Scott Weeks wrote on 9/12/2016 11:08 AM: From: NANOG on behalf of Blake Hudson My suggestion is that BackConnect/Bryant Townsend should have their ASN revoked for fraudulently announcing another organization's address space. They are not law enforcement, they did not have a warrant or judi

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Mel Beckman
Once we let providers cross the line from legal to illegal actions, we're no better than the crooks, and the Internet will descend into lawless chaos. BackConnect's illicit action undoubtedly injured innocent parties, so it's not self defense, any more than shooting wildly into a crowd to stop a

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Scott Weeks
From: NANOG on behalf of Blake Hudson My suggestion is that BackConnect/Bryant Townsend should have their ASN revoked for fraudulently announcing another organization's address space. They are not law enforcement, they did not have a warrant or judicial oversight, they were not in immediate

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Ryan, Spencer
I'm in the "never acceptable" camp. Filtering routes/peers? Sure. Disconnecting one of your own customers to stop an attack originating from them? Sure. Hijacking an AS you have no permission to control? No. Obviously my views and not of my employer. Spencer Ryan | Senior Systems Administrator

Re: "Defensive" BGP hijacking?

2016-09-12 Thread Blake Hudson
Hugo Slabbert wrote on 9/11/2016 3:54 PM: Hopefully this is operational enough, though obviously leaning more towards the policy side of things: What does nanog think about a DDoS scrubber hijacking a network "for defensive purposes"? http://krebsonsecurity.com/2016/09/alleged-vdos-proprieto

Re: comcast and msoft ports

2016-09-12 Thread Jared Mauch
> On Sep 12, 2016, at 7:43 AM, jared mauch wrote: > > And expect your SSH DSA keys to require a workaround, or just generate new > ecdsa and RSA keys. Sorry, brain-keyboard output meant to say: ED25519 [-t dsa | ecdsa | ed25519 | rsa | rsa1] https://www.gentoo.org/support/news-items/2015-08-

Re: comcast and msoft ports

2016-09-12 Thread Gregg Heimer
Yes of course they do. If you need NetBIOS and SMB, create a VPN tunnel. List of ports https://customer.xfinity.com/help-and-support/internet/list-of-blocked-ports/ On Sep 11, 2016 2:45 PM, Ca By wrote: On Sunday, September 11, 2016, Randy Bush wrote: > anyone know if comcast residential filte

Re: comcast and msoft ports

2016-09-12 Thread Jared Mauch
> On Sep 11, 2016, at 4:02 PM, Ca By wrote: > > On Sunday, September 11, 2016, Filip Hruska wrote: > >> If you really need them, you'll need to use some sort of tunneling >> mechanism, ie PPTP. >> >> > > Friendly reminder, next week ios 10 drops > > > Prepare servers for iOS 10 & macOS Si