On Mar 9, 2014, at 23:52, Sanjeev Gupta <sanjeev@dcs1.biz> wrote:


On Wed, Mar 5, 2014 at 5:19 PM, Owen DeLong <owen@delong.com> wrote:

And any person deciding to announce 1.2.3.0/24 to the open network, would have to face a massive traffic storm anyway.  prop-109 by Geoff Huston mentions the traffic flowing to certain easily-remembered ranges.  Assuming that 1.2.3.0/24 gets even 50Mbps of traffic if I announce it to the Internet, that is still an expensive pipe, and probably not worth it on the off-chance that a random user will use it and allow "evil me" to redirect him to the particular bank that he is a member of, and which I am forging a website for.

Never underestimate the willingness of a malefactor to subject hosts he controls (but probably doesn't own) or even hosts he doesn't necessarily control to vast quantities of traffic.

Owen,

Can you give me an example of what would be the scenario here?  Assuming I am the upstream ISP of the "hosts I control, willing to subject them to vast quantities of traffic".  Would I announce 1.2.3.0/24 upstream, and point it to my customer's link?

I'm not assuming that the upstream ISP would be the malefactor. That is, in fact, a rather odd assumption, is it not?

OTOH, if you are a malefactor that wants to turn your botnet into anycasted DNS servers to issue incorrect redirections to others, getting said botnet (or its upstream routers if you are able to control them somehow) to announce 1.2.3.0/24 really doesn't pose any problem to you as a result of the traffic it generates.

Or would I announce 1.2.3.0/24 from another ISP's origin AS?  

Not sure how that would work or help other than in an attempt to cover your tracks.

How would (evil me) be able to hurt hosts other than on _my_ network?

You are assuming that you are doing this with routers you own (in the commercial sense of the word). I am assuming someone doing this with routers that they control (in the enable access sense of the word) but do not own (in the commercial sense of the word).

Malefactors these days are rather well known for using other people's equipment to carry out their misdeeds, or are you unfamiliar with the term "botnet"?

I am not doubting that people would not want to misuse this, but how would this work in the case you have outlined?

I hope I have adequately clarified.

Owen