"Defensive" BGP hijacking?

Rich Kulawiec rsk at gsp.org
Wed Sep 14 22:34:09 UTC 2016


On Wed, Sep 14, 2016 at 04:04:43PM -0400, Bryan Fields wrote:
> I'm a bit ambivalent about BGP hijacking as a DDOS mitigation strategy.
> Really there is no authority to say it's wrong.  If your peers are cool with
> it, and their peers are cool with it who's to say it's wrong?

Meeting abuse with abuse never works out.  It's tempting (and even
trendy these days in portions of the security world which advocate
striking back at putative attackers, never mind that attack attribution
is almost entirely an unsolved problem in computing).  It's emotionally
satisfying.  It's sometimes momentarily effective.

But all it really does it open up still more attack vectors and accelerate
the spiral to the bottom.   Object lesson: Verizon's deployment of SAV
as an alleged anti-spam measure ~15 years ago.  It didn't take long for
attackers to figure out how to leverage it to their advantage, which of
course they did.

So don't do it.  It may take 5 minutes or 5 years, but it will eventually
become apparent that it's a really bad idea.  And when it does, you won't
be able to get those 5 minutes or 5 years back, nor will you be able to
undo the damage.

---rsk



More information about the NANOG mailing list