AS11296 -- Hijacked?

Nathan Eisenberg nathan at atlasnetworks.us
Wed Sep 29 13:32:06 CDT 2010


> There would be several filters for this.  Is the person reporting this a known
> network operator that people trust or is it some Joe Blow out of nowhere
> that nobody has heard of before?  That would make a huge difference.  Is
> the AS assigned to a company that is known to be defunct? That would be
> another flag.  Why would a company that no longer exists have its ASN active
> and its IPs sending traffic?  This would be particularly interesting if the carrier
> handling the traffic is not a carrier known to have a relationship with that AS
> in the past.  So a pattern of ... AS works for many years, disappears for some
> period of time, company goes defunct, and some period of time later the AS
> appears on a completely different carrier without any reassignment from the
> registrar.

Agree, and those are all good filters (except for the perilously fallacious appeal to authority).  But none of these claims were made, and that's the source of this extended discussion.  If those claims had been made, then this entire discussion could have been circumvented - and those that care could independently validate the claims.  There is a LOT of danger to blindly blackholing networks simply because a trusted email address posts on a netops list.  In my experience, netops people (NANOG'ers being an especially good example) tend to be largely logical, rational, skeptical beings.

So in a nutshell: if the post had included what you're suggesting, we could at least go out and go:

"oh, yes, he's right - that AS belongs to a dead company, and is coming from a very different carrier than it did when it was operating"
AND
"his email address has a history of posting reliable information of a similar nature"
AND 
"his message is validly PGP signed so that we can trust that the owner of the email address sent the message"
AND
"his email is written in a way that recognizes that clued, skeptical individuals are going to carefully analyze it"
THEN
I would expect a very different set of responses from the list.

But an email that says "I'm going to deliberately withhold all of the vital information I used to come to this conclusion, but request that you take action anyways" is going to consistently be roundfiled.

Nathan




