
Swiss ISP hijacks IP prefixes of high profile networks - alpb
http://www.bgpmon.net/large-hijack-affects-reachability-of-high-traffic-destinations/
======
faded242
Almost always someone who doesn't understand BGP making a mistake in
conjunction with an upstream provider that is incompetent enough to not have
prefix filtering in place to avoid putting bad prefixes out into the global
routing table. Though, sometimes it certainly is malicious, and impossible to
protect against. If someone hijacks your prefix, you basically have to start
trying to call all of the upstream networks to see if they can fix it.

~~~
cft
This is not my specialty, but isn't that the point of radb registration to
protect from route hijacking? When we implemented BGP DDoS mitigation with
Verisign, we had to register them with radb for our /22 or smaller, so that
they could announce on our behalf.

~~~
asdfaoeu
That's what he's alluding to with route prefixing but it's unfortunately less
than universal.

------
pfg
The comments shed some light on what exactly caused this[1]:

> Yes, as part of our investigation we did reach out and it sounds like it was
> related to a route optimizer.

[1]: http://www.bgpmon.net/large-hijack-affects-reachability-of-high-traffic-destinations/comment-page-1/#comment-462074

------
walrus01
Real headline: Swiss ISP's upstream provider (a large backbone who should know
better) fails to implement prefix filtering.

~~~
betaby
How that is possible is beyond me; tools like peval
(https://github.com/irrtoolset/irrtoolset)
have been there forever and are quite good. Ironic that HE and RETN accepted
that, since they both pretty often bug their upstreams and peers about minor
suboptimal routing switchovers and such, while not having such basic
safeguards.
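
An added example, not part of the thread and not irrtoolset code: a sketch of the IRR-based prefix filtering discussed above, where an upstream accepts from a customer session only prefixes that have a matching route object. The route objects, ASNs, prefixes and function names are constructed for illustration (documentation prefixes, private-use ASNs), and exact-match filtering is an assumed policy.

```python
import ipaddress

# Constructed RPSL route objects, as they might appear in an IRR such as RADB.
IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64500

route:   198.51.100.0/24
origin:  AS64500

route:   203.0.113.0/24
origin:  AS64501
"""

def parse_route_objects(text):
    """Return a set of (network, origin_asn) pairs from RPSL route objects."""
    routes, prefix = set(), None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "route":
            prefix = ipaddress.ip_network(value)
        elif key == "origin" and prefix is not None:
            routes.add((prefix, int(value.upper().replace("AS", ""))))
            prefix = None
    return routes

def build_filter(routes, customer_asns):
    """Keep only the routes originated by ASNs the customer may announce."""
    return {(net, asn) for net, asn in routes if asn in customer_asns}

def check_announcement(prefix_filter, prefix, as_path):
    """Classify one announcement received on the customer session."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the rightmost ASN in the path is the originator
    if (net, origin) in prefix_filter:
        return "accept"
    # A more-specific of a registered prefix is still rejected: deaggregated
    # routes win on longest match, so they must not pass without registration.
    for reg_net, _ in prefix_filter:
        if net.version == reg_net.version and net.subnet_of(reg_net):
            return "reject: covered by a registered route but not an exact match"
    return "reject: no route object for this customer"

CUSTOMER_FILTER = build_filter(parse_route_objects(IRR_DUMP), {64500})
```

With this filter on the session for AS64500, an announcement of 203.0.113.0/24 is dropped at the upstream's edge instead of reaching the global table, because that prefix is registered to a different origin.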

------
killbrad
How much longer are we going to have this broken system in place, where large
swaths of the internet can be hijacked at will? We have plenty of smart
people, but here we are still...

~~~
notliketherest
Do you have an alternative solution?

~~~
bpchaps
Well, for one, don't allow people to get masters degrees in security if they
don't know how to run ls. Met a guy like that at my last place...

Next, hire more security people who just want to take things apart. There's
this weird culture around "oh no, he's a hacker" that prevents legitimately
curious people from getting into security. It stinks.

After that, realize that your federally mandated audits are bullshit. They
don't catch anything.

Then, hire a pentester to try his damnedest to break in. Forbid them from
using paid-for tools and give them a chance to learn, but hire someone else
afterwards if they're not able to do the job. Yeah.

Once you're done there, realize that your security is probably going to fail
eventually, and just do the best you can with a good team of security experts
and actually _listen to them_. Emphasis on the _fucking listen to them_.

~~~
mryan
That is an interesting list, but I think notliketherest was asking for a
proposal for a BGP replacement rather than generic security advice.

------
homero
NSA hits again

~~~
dang
Please stop posting unsubstantive comments to Hacker News.

