+ Brian - how appropriate is it to call other posters liars like this?

--srs

From: anti-abuse-wg <anti-abuse-wg-bounces@ripe.net> on behalf of Sascha Luck [ml] <aawg@c4inet.net>
Sent: Wednesday, March 20, 2019 8:42 PM
To: Hank Nussbacher
Cc: Ricardo Patara; anti-abuse-wg@ripe.net
Subject: Re: [anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)
 
>If you are a victim (someone has abused your network), then just prove
>it and the policy won't apply and the hivemind will even assist you in
>cleaning your router.

LOL, two of the oldest lies in history neatly rolled into one
statement:

"If you have done nothing wrong you have nothing to fear" and
"I'm from $agency, I'm here to help you"

rgds,
Sascha Luck


>
>Regards,
>-Hank
>
>>On this line of one ISP trying to do damage to another.
>>
>>One might abuse a vulnerable router (thousands out there), create a
>>tunnel to it and announce hijacked blocks originated from the victim's
>>ASN.
>>
>>Both the victim ASN and the vulnerable router owner would be damaged, and
>>no traces of the criminal.
>>How could they defend themselves to the so-called group of experts?
>>
>>And things along this line have happened already.
>>
>>Regards,
>>
>>On 20/03/2019 07:46, furio ercolessi wrote:
>>>On Wed, Mar 20, 2019 at 11:01:30AM +0300, Andrey Korolyov wrote:
>>>>>
>>>>>
>>>>>And when everything is made clear, if a report is filed against AS1,
>>>>>AS1's holder might have a problem, so i see a strong reason for not
>>>>>even trying :-)
>>>>>
>>>>>
>>>>Out of interest, take an AS1 with a single malicious upstream AS2: what
>>>>stops AS2 from pretending that AS1 has made bogus announcements and
>>>>making them for its own purposes? This situation looks pretty real
>>>>without RPKI or other advertisement strengthening methods, as I could
>>>>see. How are experts supposed to behave in this situation?
>>>
>>>This has been seen many times, even chain situations like
>>>
>>><upstreams and peers> - AS X
>>>                            \
>>>                             AS 3 - AS 2 - AS 1
>>>                            /
>>><upstreams and peers> - AS Y
>>>
>>>where X and Y are legitimate ISPs, while {1,2,3} is basically a single
>>>rogue entity - or a set of rogue entities closely working together with
>>>a common criminal goal.
>>>
>>>In such a setup, AS 1 should be considered as the most "throw-away"
>>>resource, while AS 3 would play the "customer of customer, not my
>>>business" role, and AS 2 would play the "i notified my customer and will
>>>disconnect them if they continue" role. When AS 1 is burnt, a new one is
>>>made - with new people as contacts, new IP addresses, etc, so that no
>>>obvious correlation can be made. Most of the bad guys' infrastructure is
>>>in AS 3 and that remains pretty stable because their bad nature can not
>>>be easily demonstrated.
>>>
>>>Whatever set of rules is made against hijacking, it should be assumed that
>>>these groups will do everything to get around those rules, and many AS's
>>>can be used to this end. Since there is no shortage of AS numbers, I
>>>assume that anybody can get one easily so they can change them as if they
>>>were underwear.
>>>
>>>And yes, unallocated AS's in the AS 1 position, announcing unallocated IPs,
>>>have also been seen. Those are even easier to get :-)
>>>
>>>So the ideal scheme to counteract BGP hijacking should be able to climb up
>>>the BGP tree in some way, until "real" ISPs are reached.
>>>
>>>Nice discussion!
>>>
>>>furio ercolessi
>>>
>>>
>>
>>
>
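
The "climb up the BGP tree" idea from the quoted discussion, sketched as an added example that is not part of the original thread: given AS paths observed for several hijacked prefixes, it finds the AS closest to the origins that sits on every path, and the ASes directly above it. The incidents are constructed; the ASNs and prefixes are documentation-range placeholders (64509-64511 stand in for successive "AS 1" origins, 64502/64504 for "AS 2", 64503 for "AS 3", 64500/64501 for X and Y).

```python
from collections import defaultdict

# Constructed sample: AS paths seen for hijacked prefixes, collector side
# first, origin last. Documentation ASNs (RFC 5398) and prefixes (RFC 5737).
INCIDENTS = [
    ("192.0.2.0/24",    [64500, 64503, 64502, 64510]),
    ("198.51.100.0/24", [64501, 64503, 64502, 64511, 64511]),  # prepended origin
    ("203.0.113.0/24",  [64500, 64503, 64504, 64509]),
]

def dedupe_prepends(path):
    """Collapse AS-path prepending (consecutive repeats of one ASN)."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def climb(incidents):
    """Map ASN -> (incidents it appears in, closest hop distance to an origin)."""
    seen = defaultdict(set)
    dist = {}
    for i, (_prefix, path) in enumerate(incidents):
        # Walk from the origin (hop 0) upwards towards the collector.
        for hops, asn in enumerate(reversed(dedupe_prepends(path))):
            seen[asn].add(i)
            dist[asn] = min(hops, dist.get(asn, hops))
    return {asn: (len(ids), dist[asn]) for asn, ids in seen.items()}

def stable_upstream(incidents):
    """First ASN, climbing from the origins, that is on every incident's path."""
    stats = climb(incidents)
    common = [(d, asn) for asn, (n, d) in stats.items() if n == len(incidents)]
    return min(common)[1] if common else None

def next_hop_up(incidents, asn):
    """ASNs seen immediately upstream of `asn` across the incidents."""
    ups = set()
    for _prefix, path in incidents:
        p = dedupe_prepends(path)
        if asn in p and p.index(asn) > 0:
            ups.add(p[p.index(asn) - 1])
    return sorted(ups)

if __name__ == "__main__":
    pivot = stable_upstream(INCIDENTS)
    print("stable upstream:", pivot, "next hop up:", next_hop_up(INCIDENTS, pivot))
```

The origins and their direct upstreams change between incidents, so per-origin counts stay at 1 or 2, while the AS two hops up appears in all three.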