by padiyar83 2944 days ago
Usually an upstream ISP providing transit accepts only a valid set of prefixes that they have agreed to advertise on the public internet from an ISP customer; they enforce a policy on the ingress to make this happen. The idea being, if the customer ISP ends up advertising an incorrect prefix, then the impact is only localised to his ISP and not to the whole world. But some ISPs don't follow this and implicitly trust the customer ISPs, and of course there is no cover if the tier1 ISP itself typos a prefix. There are tools such as BGP RPKI available, but it's not widely deployed.
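The ingress check described in the post above, followed by RPKI origin validation, as an added example that is not part of the original thread. It goes slightly beyond the post by using the three RFC 6811 validation states; the prefix list, ROAs, ASNs and function names are constructed for illustration (documentation address space and ASNs).

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
CUSTOMER_ALLOWED = {  # customer ASN -> (prefix agreed with the upstream, max length)
    64496: [("198.51.100.0/24", 24), ("203.0.113.0/24", 24)],
}
ROAS = [  # (prefix, max_length, origin ASN), as a validator might export them
    ("198.51.100.0/24", 24, 64496),
    ("192.0.2.0/24", 24, 64500),
]

def ingress_filter(customer_asn, prefix):
    """Accept only announcements inside the customer's agreed prefix set."""
    net = ipaddress.ip_network(prefix)
    for allowed, max_len in CUSTOMER_ALLOWED.get(customer_asn, []):
        agreed = ipaddress.ip_network(allowed)
        if (net.version == agreed.version and net.subnet_of(agreed)
                and net.prefixlen <= max_len):
            return True
    return False

def rpki_state(prefix, origin_asn):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in ROAS:
        roa = ipaddress.ip_network(roa_prefix)
        if net.version != roa.version or not net.subnet_of(roa):
            continue
        covered = True  # at least one ROA covers this prefix
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def decide(customer_asn, prefix, origin_asn):
    """Policy an upstream could apply to a customer's announcement."""
    if not ingress_filter(customer_asn, prefix):
        return "reject: not in customer prefix list"
    state = rpki_state(prefix, origin_asn)
    if state == "invalid":
        return "reject: RPKI invalid"
    return f"accept ({state})"
```

The customer prefix list is what keeps a bad announcement local to that customer; the RPKI check is what still applies when no such list exists for the session.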

>Usually

If only...

BCP 38[0] is nowhere near usual. Lots of networks, including some very problematic big ones (cough Hurricane Electric cough), do not implement it as a matter of course. The AWS Route53 hijack last month which resulted in downtime for a number of sites plus a six figure coin theft[1] could have been prevented by adequate filtering.

0: https://tools.ietf.org/html/bcp38

1: https://arstechnica.com/information-technology/2018/04/suspi...

Could one argue for tort/negligence against the ISP who should have filtered, but didn't, if one's coins were stolen through that? Or even possibly the same, but in criminal court?

I doubt it, since the argument you're suggesting is that the ISP didn't take the best possible care, whereas the standard for negligence is, I believe (IANAL), reasonable care.

They may also not even have a duty of care in the first place, as to the truth of any metadata they're passing on. As a sibling comment pointed out, it's not as if there are laws for this.

Just as with the discussion about hackable routers yesterday, there are no laws for this.

Uhm, BCP38 is about forwarding, not the BGP control plane