Almost always someone who doesn't understand BGP making a mistake in conjunction with an upstream provider that is incompetent enough to not have prefix filtering in place to avoid putting bad prefixes out into the global routing table. Though, sometimes it certainly is malicious, and impossible to protect against. If someone hijacks your prefix, you basically have to start trying to call all of the upstream networks to see if they can fix it.
This is not my specialty, but isn't the point of RADb registration to protect against route hijacking? When we implemented BGP DDoS mitigation with Verisign, we had to register them with RADb for our /22 or smaller, so that they could announce on our behalf.
How that is possible is beyond me; tools like peval https://github.com/irrtoolset/irrtoolset have been there forever and are quite good. Ironically, HE and RETN accepted that, since they both pretty often bug their upstreams and peers on minor suboptimal routing switchovers and such, while not having such basic safeguards themselves.
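An added illustration, not code from this thread or from irrtoolset, of the kind of IRR-derived inbound prefix filter an upstream applies to a customer session; the route objects, AS numbers and the /24 cut-off are constructed assumptions.

```python
import ipaddress

# Constructed sample IRR route objects as (prefix, origin ASN); not real registry data.
ROUTE_OBJECTS = [
    ("203.0.113.0/24", 64500),
    ("198.51.100.0/22", 64500),
    ("192.0.2.0/24", 64501),   # a downstream of AS64500 in this toy AS-SET
]

def build_prefix_filter(route_objects, as_set, max_len=24):
    """Expand an AS-SET into an inbound prefix-list, the way peval would.

    Each entry is (network, longest accepted length, origin ASN).  A registered
    /22 may be announced as /22, /23 or /24; anything longer is rejected,
    matching the usual IPv4 practice of dropping routes more specific than /24.
    """
    entries = []
    for prefix, origin in route_objects:
        if origin in as_set:
            net = ipaddress.ip_network(prefix, strict=True)
            entries.append((net, max(net.prefixlen, max_len), origin))
    return entries

def accept_announcement(prefix, origin_asn, prefix_filter):
    """Return True only if the announcement is covered by a filter entry.

    An unregistered prefix, a prefix registered to another AS, or a
    too-specific subnet all fail, which is what keeps a mistyped or
    hijacked prefix from leaking past the upstream into the global table.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    for allowed, max_len, origin in prefix_filter:
        if (net.version == allowed.version and net.subnet_of(allowed)
                and net.prefixlen <= max_len and origin_asn == origin):
            return True
    return False

if __name__ == "__main__":
    pfl = build_prefix_filter(ROUTE_OBJECTS, {64500, 64501})
    for pfx, asn in [("198.51.100.0/23", 64500), ("198.51.100.0/25", 64500),
                     ("192.0.2.0/24", 64500), ("203.0.114.0/24", 64500)]:
        verdict = "accept" if accept_announcement(pfx, asn, pfl) else "reject"
        print(pfx, "from AS%d:" % asn, verdict)
```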
How much longer are we going to have this broken system in place, where large swaths of the internet can be hijacked at will? We have plenty of smart people, but here we are still...
Not just any alternative, but one that can be implemented in a manner backwards-compatible with BGP. "Oh hey, let's get every core router on the planet to use this new protocol!" won't happen overnight. ;)
Well, for one, don't allow people to get master's degrees in security if they don't know how to run ls. Met a guy like that at my last place...
Next, hire more security people who just want to take things apart. There's this weird culture around "oh no, he's a hacker" that prevents legitimately curious people from getting into security. It stinks.
After that, realize that your federally mandated audits are bullshit. They don't catch anything.
Then, hire a pentester to try his damnedest to break in. Forbid them from using paid-for tools and give them a chance to learn, but hire someone else afterwards if they're not able to do the job. Yeah.
Once you're done there, realize that your security is probably going to fail eventually, and just do the best you can with a good team of security experts and actually listen to them. Emphasis on the fucking listen to them.
Criminal hacking charges for the people involved in pushing the change and full liability for all costs of cleaning it up. This means people will be really careful and take steps to not make this mistake again.
It is an interesting thought - opening yourself to charges of criminal negligence for misconfiguring devices/software would be a big change for our industry.
BGP is based on mutual trust and mistakes like this are unavoidable.
All they did was announce a better route for those prefixes and other routers obliged. I'm sure swamping their own network with unwanted traffic was punishment enough.