atyvr|2 years ago
You'll need to become a member of one of the regional Internet route registries, like RIPE or ARIN. Then you can buy, say, a /24, and transfer it into your RIPE/ARIN account.
Now you have your own IPv4 range. And you can, for example, start to use it for your own servers. To do so you need to "announce" this new /24 to the internet, using a protocol known as BGP. You can do that yourself, using a router, assuming you have an Autonomous system number (AS). You can get these via RIPE or ARIN as well.
Or rely on your hosting provider to do that. For example, AWS supports "bring your own IP address". In that case they will announce the IP prefix in BGP for you, and you can assign your EC2 instances public IPs out of your range.
Equinix Metal (previously Packet) also makes it easy to do this.
j16sdiz|2 years ago
BGP is a very insecure protocol. Most of its "security" is enforced by money and contract.
greyface-|2 years ago
Take a look at the state of RPKI. ROA validation is common these days, and ASPA validation will be common soon. You still need to manually validate that your peer truly represents the AS that they claim to, but if that's been done, ROA+ASPA validation prevents unauthorized announcements.
Absent RPKI, people have been filtering based on IRR for ages, which will not necessarily prevent unauthorized announcements, but will require an attacker to leave a paper trail when making one.
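The ROA validation mentioned in the comment above can be sketched as follows. This is an added example, not part of the thread and not any router's or validator's own code; it follows the valid / invalid / not-found outcomes of RFC 6811, covers origin validation only (not ASPA), and every ROA, prefix and AS number in it is constructed from documentation ranges.

```python
import ipaddress

# Constructed sample ROAs: (prefix, maxLength, authorized origin AS).
# Documentation prefixes and documentation ASNs only, not real registry data.
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64497),
    ("198.51.100.0/24", 24, 0),  # AS0 ROA: holder says "do not route this"
]

def validate_origin(prefix, origin_as, roas=SAMPLE_ROAS):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA is relevant only if it covers the announced prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the same origin AS and a length within maxLength.
        # AS0 never matches, so an AS0 ROA can only make a route invalid.
        if roa_as != 0 and roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: unauthorized announcement.
    return "invalid" if covered else "not-found"

def accepted(announcements, roas=SAMPLE_ROAS):
    """Drop invalid routes; keep valid and not-found (common import policy)."""
    return [a for a in announcements if validate_origin(*a, roas) != "invalid"]

if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS)
    for ann in [
        ("192.0.2.0/24", 64496),       # authorized origin
        ("192.0.2.0/24", 64511),       # wrong origin AS
        ("192.0.2.0/25", 64496),       # right AS, more specific than maxLength
        ("2001:db8:1::/48", 64497),    # within maxLength
        ("198.51.100.0/24", 64496),    # covered only by an AS0 ROA
        ("203.0.113.0/24", 64511),     # no covering ROA
    ]:
        print(ann, validate_origin(*ann))
```

The more-specific `/25` case is the one origin-only checks are often assumed to miss: the origin AS is correct, but the announcement is longer than the ROA's maxLength, so it is still rejected.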
notyourwork|2 years ago
Alifatisk|2 years ago
Is this how BGP hijacking is done?
erinnh|2 years ago
But good ISPs filter the prefixes their customers can announce to only those they actually own.
Then you have shitty providers that don't do it, and that's how you get BGP hijacking.
And you can't do this just from any connection, fyi.
You will need a datacenter, cloud host or residential ISP that actually allows you to peer with them and announce routes. This isn't a standard thing you get just by being a customer.