
Shutting Down the BGP Hijack Factory - pedro84
https://dyn.com/blog/shutting-down-the-bgp-hijack-factory/
======
zokier
Well it's nice that they are now shut down, although the process seems to have
been fairly slow and arduous. They were already identified as misbehaving in
2014, getting kicked out from deixp in 2017, and only now disconnected by
transits. And even in the latest episode they could play this game of cat and
mouse for a (short) while. And what if Guilmette hadn't noticed this, or
bothered to rant on nanog, would that have happened at all?

I'm not sure what to do to improve the situation, but there definitely seems
like a need for improvement.

~~~
viridian
The lessons learned section of the article hints at orgs being way too
permissive or unresponsive when bad behavior occurs. The thing is though, this
isn't a world where that kind of softness and leniency makes any sort of
sense.

~~~
dsr_
It makes sense from a not-wanting-to-get-sued-for-breach-of-contract
standpoint.

The contract at IXPs almost universally includes a phrase like "will not
engage in fraudulent announcement of routes", but proving that happened to the
satisfaction of a non-profit's board of directors is difficult. You really
have to have completely collinear anatidae.

~~~
an_account_name
> collinear anatidae

I'm stealing this phrase, please and thank you.

~~~
9ac345a5509a
Why? It sounds incredibly pretentious. I think most people would appreciate
Plain English [0].

[0]
[https://en.wikipedia.org/wiki/Plain_English](https://en.wikipedia.org/wiki/Plain_English)

~~~
Arnt
Because it's a lovely application of rhyming slang.

[https://en.wikipedia.org/wiki/Rhyming_slang](https://en.wikipedia.org/wiki/Rhyming_slang)

~~~
zokier
How exactly is it rhyming with anything?

------
NKosmatos
I fail to understand why there is no quick and official way to terminate such
bad actors. Isn’t there a task force for monitoring and enforcing some rules?
There should be a SPoC for every AS, available 24/7 so that such notorious
players are kicked out immediately. We live in an age where everything can be
traced and monitored and we allow BGP hijacking and other similar acts. Oh
well, my romantic idea for a properly moderated network.

~~~
akerl_
Who would be in charge of the moderation?

This very article describes the closest thing to that: NANOG is a collection
of network operators, and they communicate with each other about the overall
state and coordination of "the internet", which realistically is just "the
total set of a lot of network operators agreeing to connect to each other".

Domain registration and DNS have much more centralization because there exists
a root entity for the entire (public) system and an owner of each TLD: if an
entity wants to remove example.com from existence, they can go to the .com
operator and attempt to compel them to do that. For IP routing, you're talking
about BGP between a vast number of different entities. By design, traffic can
route a variety of ways between each point.

~~~
blueish
I had a conversation with a friend about this, and the outcome was the idea
that BGP could be extended with functionality for this case. There needs to be
a way to brand "negative" traffic or routes advertised with some sort of
reputation system. In the event of a DDoS attack coming from an AS, you could
have intra-AS weight for any given AS such that if an AS reports malicious
traffic from a route, it's given a lower weight and traffic is less likely to
route to that AS in favor of a less specific prefix. This would encourage any
given AS to act in desirable ways, as their actions (or actions coming from
within them, e.g. a customer of theirs being the source of a DoS attack) would
have consequences.

~~~
akerl_
How would that work in practice? If I compromise a pile of IoT devices running
on Comcast users' networks, and use them to launch an attack, all Comcast
users on their subnet get marked as uncool? And if we're marking them as
"bad", doesn't that mean all of their BGP peers mark them as uncool and then
the weights for their prefix are lower but still even, so routing still ends
up the same?

The only way they'd be impacted would be if some networks didn't implement
your bad-actor-prefix-weight-mod, and then we'd just be penalizing the people
who don't use your system along with the attackers, since we'd be routing the
bad traffic via their networks.

~~~
voltagex_
You can see the impact of this kind of thinking in RBLs and blocklists - try
to send email via your residential connection and you probably won't be able
to.

------
lormayna
I have worked for a medium size ISP for many years (3 upstream Tier-1
providers, presence on 2 IXPs) and we sometimes suffer from BGP hijacking. We
developed software that every hour checks the BGP prefixes assigned to every
peer and updates the BGP filter automatically. It takes some time to engineer
and develop, but after that it works like a charm.
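The hourly check described above, sketched as an added example (this is not the ISP's own tool and not code from the article): registered route objects are mapped to the peer ASN that may originate them, each announcement is classified as accepted, too specific (a more-specific than the registered prefix permits, the classic hijack shape) or unregistered, and an IOS-style prefix-list is rendered for the peer. The IRR route objects, peer ASNs, announcements and the `MAX_LEN` limits are constructed sample data; a real deployment would pull route/route6 objects from an IRR mirror or RPKI ROAs instead of hard-coding them.

```python
"""Added example: validate a peer's BGP announcements against the prefixes
registered for its ASN and render an updated prefix filter.

Everything below is constructed sample data (documentation prefixes and
private-use ASNs), chosen so the example runs offline.
"""
import ipaddress
from collections import defaultdict

# Stand-ins for IRR route/route6 objects: (prefix, origin ASN). Constructed.
IRR_ROUTE_OBJECTS = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64500),
    ("203.0.113.0/24", 64501),
    ("2001:db8::/32", 64500),
]

# Hypothetical longest prefix accepted under a registered object, per address
# family (the same idea as maxLength in an RPKI ROA). Assumed values.
MAX_LEN = {4: 24, 6: 48}


def build_allowed(route_objects):
    """Map origin ASN -> list of registered networks."""
    allowed = defaultdict(list)
    for prefix, origin in route_objects:
        allowed[origin].append(ipaddress.ip_network(prefix))
    return allowed


def classify(prefix, peer_asn, allowed):
    """Verdict for one announcement from peer_asn:
    'accept'        covered by a registered object and not too long
    'too-specific'  a more-specific of a registered object beyond MAX_LEN
    'unregistered'  no route object for this ASN covers it (hijack candidate)
    """
    net = ipaddress.ip_network(prefix)
    verdict = "unregistered"
    for registered in allowed.get(peer_asn, []):
        # subnet_of() raises on mixed address families, so check version first.
        if net.version == registered.version and net.subnet_of(registered):
            if net.prefixlen <= MAX_LEN[net.version]:
                return "accept"
            verdict = "too-specific"
    return verdict


def audit(announcements, allowed):
    """announcements: iterable of (peer_asn, prefix). Returns {(asn, prefix): verdict}."""
    return {(asn, p): classify(p, asn, allowed) for asn, p in announcements}


def prefix_list(peer_asn, allowed):
    """Render the allow-list for one peer as IOS-style prefix-list lines,
    closing with an explicit deny for each address family."""
    name = f"AS{peer_asn}-IN"
    lines = []
    nets = sorted(allowed.get(peer_asn, []), key=lambda n: (n.version, str(n)))
    for seq, net in enumerate(nets, start=1):
        keyword = "ip" if net.version == 4 else "ipv6"
        le = f" le {MAX_LEN[net.version]}" if net.prefixlen < MAX_LEN[net.version] else ""
        lines.append(f"{keyword} prefix-list {name} seq {seq * 10} permit {net}{le}")
    lines.append(f"ip prefix-list {name} seq 1000 deny 0.0.0.0/0 le 32")
    lines.append(f"ipv6 prefix-list {name} seq 1000 deny ::/0 le 128")
    return lines


# Constructed announcements as seen from the peer session with AS64500.
SAMPLE_ANNOUNCEMENTS = [
    (64500, "192.0.2.0/24"),        # registered: accept
    (64500, "198.51.100.128/25"),   # more-specific beyond /24: too-specific
    (64500, "203.0.113.0/24"),      # registered to AS64501, not AS64500: unregistered
    (64500, "2001:db8:1::/48"),     # /48 under a /32 with MAX_LEN 48: accept
    (64500, "2001:db8:1::/64"),     # /64 beyond MAX_LEN 48: too-specific
]

if __name__ == "__main__":
    allowed = build_allowed(IRR_ROUTE_OBJECTS)
    for (asn, prefix), verdict in audit(SAMPLE_ANNOUNCEMENTS, allowed).items():
        print(f"AS{asn} {prefix:24} {verdict}")
    print("\n".join(prefix_list(64500, allowed)))
```

Run on a cron schedule this reproduces the hourly loop from the comment; the verdicts other than `accept` are the ones worth alerting on, and the rendered prefix-list is what would be pushed to the router. The `unregistered` case is the one that matters for the Bitcanal-style hijacks discussed in the thread: a prefix announced by a peer that no route object ties to that peer's ASN.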

~~~
eecc
That’s a 1-hour attack window though. It should be event driven, something
where peers can securely signal changes as they happen

~~~
j16sdiz
Those are very expensive. According to apnic[1], there were 15,000 updates per
day in 2016. For a small size ISP, the number is much lower and may be
manageable. But event driven can't be a general solution for larger ISPs.

[1] [https://blog.apnic.net/2017/01/27/bgp-in-2016/](https://blog.apnic.net/2017/01/27/bgp-in-2016/)

~~~
gcb0
15k updates a day? how big is the payload? ...sounds negligible to someone
ignorant in BGP finer details.

------
phyzome
So... what were they doing with the hijacks? Using it to evade IP reputation
bans for spamming?

~~~
Operyl
Based on what I know of their ASNs, yes.

------
driverdan
If they have been bad actors for years why didn't they lose access earlier?

~~~
jlgaddis
There will always be someone happy to take their money.

------
duxup
Bitcanal sounds like an appropriately terrible name as it sounds like root
canal... but for bits.

BGP really needs some more organized security, but that's nothing new, and I'm
sure not super easy to organize.

~~~
JdeBP
Not in its native language it doesn't.

* [https://en.wiktionary.org/wiki/canal#Portuguese](https://en.wiktionary.org/wiki/canal#Portuguese)

------
petee
And yet still being peered -
[https://bgp.he.net/AS197426#_peers](https://bgp.he.net/AS197426#_peers)

~~~
lima
The HE site takes a while to refresh.

~~~
petee
Good point, thank you. According to the article, Hurricane depeered them on
July 9th; the looking glass says it was updated 5pm July 10th, so unless the
'updated' is incorrect, Hurricane started peering this bad actor again!

~~~
msumpter
If you look up the BGP routes for a Bitcanal IP address (185.215.113.235) on
HE's looking glass ([https://lg.he.net/](https://lg.he.net/)) it does not
appear any routes are present. I believe HE's BGP page may still be out of
date, or the peers are present but not active.

~~~
lima
Last time I checked it took multiple days for it to update when routes
disappear (I would assume they cache them for a while, in case it's just a
temporary change).

~~~
petee
For historical record, as of today, Hurricane isn't listed anymore, but Cogent
is again, and GTT for ip6... Way to remain united against abuse... just, wow.

------
nrki
No comments about the cookie warning/opt-out modal on the page? Perhaps it's
only visible in the EU?

The thing explicitly takes ~2-3mins to send a HTTP POST to each of their
advertising partners saying you've opted out (and warns "Some vendors cannot
receive opt-out requests via https protocols so the processing of your opt-out
request is incomplete")... lovely.

~~~
djaychela
Just came here to post exactly that! What a complete mess... and if you do
follow the https link, lo and behold, they re-set the settings slider to the
lowest level (advertising is OK), despite having set it differently
previously. Took a fair while on the https link, but at least it says it
worked...

------
lossolo
We have RIPE and other IANA organizations that have routing objects in their
databases with information about through which ASN certain classes are
announced, there are also LOAs. GTT and Cogent are huge Tier-1 providers, why
do they not check which classes their clients are announcing? Am I missing
something here?

~~~
msumpter
According to a post by Job on nanog they have been known to have submitted
false or fabricated IRR information to RADB and RIPE:
[http://seclists.org/nanog/2018/Jun/379](http://seclists.org/nanog/2018/Jun/379)

At the end of the day, BGP is a very trusting protocol and it requires keeping
the neighborhood clean and clear. IMO providers should be filtering prefixes
their clients shouldn't be announcing (à la BCP38) but keeping up on the
various IP blocks being shifted around is a paperwork nightmare I'm sure.

~~~
walrus01
BGP is still very much built on trust and reputation... At a local IX level if
you were to show up at an IX like the AMS-IX and regularly announce prefixes
you have no right to, your company name and AS# would quickly develop the
reputation of a rancid turd.

~~~
im3w1l
The BGP authentication method doesn't seem very secure, so how do you know who
you are trusting?

~~~
walrus01
A properly implemented IX has MAC address filtering on ports. This can of
course be spoofed. But there is also a level of security at OSI layer 1 for
the physical fiber cross connect from an ISP's panel to the IX's panel.

For instance: If the IX is located on the 15th floor of the building. An ISP
might be colocated on the 12th floor. Fiber XC from 12.501.P4.D4 (12th floor,
row 5, rack 01, fiber patch panel 4, SC duplex port D4) to 15.201.P1.D4, then
a fiber cable from D4 to an SFP+ port on the IX's switch. Unless somebody
physically hijacks your fiber crossconnect and moves it (which would be
noticed as hard down immediately) it's pretty hard to pretend to be another
ISP, from the perspective of the switch fabric operator of the IX.

------
EthanHeilman
[http://www.bitcanal.com](http://www.bitcanal.com) is down.

Did they host it in their AS and now their AS is unreachable?

~~~
msumpter
I'm getting a SERVFAIL when attempting to resolve their domain; according to
DomainTools[1] the IP for the site was 185.215.113.235 announced from AS42229.

The ASN was mentioned in the article as being listed by Spamhaus ASN Droplist
but wasn't mentioned earlier as one of the targeted ASNs.

Edit: reviewed the ASN more and it is the Ebony Horizon mentioned in the
article, and it is only peered to BitCanal's primary AS197426, which is
subsequently being de-peered, so I'd say that is the main reason bitcanal.com
is down :)

[1] [http://whois.domaintools.com/bitcanal.com](http://whois.domaintools.com/bitcanal.com)

