Hijacked Network Ranges

PC paul4004 at gmail.com
Tue Jan 31 12:22:13 CST 2012


Many/most transit providers filter prefixes longer than /24, so the
effectiveness may be minimal.

At the very least I'd advertise /24s yourself because if the forger is
geographically further away, some local sites may still work.  Better than
nothing.



On Tue, Jan 31, 2012 at 11:19 AM, Grant Ridder <shortdudey123 at gmail.com> wrote:

> Hi,
>
> What is keeping you from advertising a more specific route (i.e /25's)?
>
> -Grant
>
> On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams <kwilliams at altuscgi.com> wrote:
>
> > Greetings all.
> >
> > We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet
> > Exchange) immediately filter out network blocks that are being advertised
> > by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.
> >
> > The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and
> > 68.66.112.0/20 are registered in various IRRs all as having an origin AS
> > 11325 (ours), and are directly allocated to us.
> >
> > The malicious hijacking is being announced as /24s therefore making route
> > selection pick them.
> >
> > Our customers and services have been impaired.  Does anyone have any
> > contacts for anyone at Cavecreek that would actually take a look at ARIN's
> > WHOIS, and IRRs so the networks can be restored and our services back in
> > operation?
> >
> > Additionally, does anyone have any suggestion for mitigating in the
> > interim?  Since we can't announce as /25s and IRRs are apparently a pipe
> > dream.
> >
> > --
> > Kelvin Williams
> > Sr. Service Delivery Engineer
> > Broadband & Carrier Services
> > Altus Communications Group, Inc.
> >
> >
> > "If you only have a hammer, you tend to see every problem as a nail." --
> > Abraham Maslow
> >
>
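
The trade-off discussed in this thread, as an added example that is not part of any poster's message: a Python model of longest-prefix match behind a transit filter, using the three /20s and the two origin ASes named above. The /24 filter limit is taken from the reply as an assumption, and the forged /24 set and the test address are constructed.

```python
import ipaddress

OWNER, FORGER = "AS11325", "AS33611"      # origin ASes named in the thread
ALLOCATIONS = ["208.110.48.0/20", "63.246.112.0/20", "68.66.112.0/20"]
MAX_LEN = 24  # assumption: transit filters reject prefixes longer than /24


def deaggregate(prefix, new_len):
    """All more-specifics of `prefix` at length `new_len`."""
    return list(ipaddress.ip_network(prefix).subnets(new_prefix=new_len))


def visible(announcements, max_len=MAX_LEN):
    """Announcements that survive a transit's prefix-length filter."""
    return [(net, origin) for net, origin in announcements if net.prefixlen <= max_len]


def best_origins(dest, announcements):
    """Longest-prefix match: (prefix length, origins) of the most specific covering routes."""
    addr = ipaddress.ip_address(dest)
    covering = [(net, origin) for net, origin in announcements if addr in net]
    if not covering:
        return None, set()
    longest = max(net.prefixlen for net, _ in covering)
    return longest, {origin for net, origin in covering if net.prefixlen == longest}


def scenario(owner_len, dest="208.110.48.10"):
    """Owner keeps the /20s and adds more-specifics of length `owner_len`; forger announces /24s."""
    routes = [(ipaddress.ip_network(p), OWNER) for p in ALLOCATIONS]
    for p in ALLOCATIONS:
        # Constructed: assume every /24 inside each block is being forged.
        routes += [(net, FORGER) for net in deaggregate(p, 24)]
        if owner_len > 20:
            routes += [(net, OWNER) for net in deaggregate(p, owner_len)]
    return best_origins(dest, visible(routes))


if __name__ == "__main__":
    for length in (20, 25, 24):
        print(f"owner more-specifics /{length}:", scenario(length))
    print("/24s to originate:", sum(len(deaggregate(p, 24)) for p in ALLOCATIONS))
```

With only the /20s, or with /25s that the filter drops, the forged /24 is the sole most-specific route; with the owner's own /24s both origins tie on prefix length and ordinary BGP path selection decides per network, which is why nearer sites may still reach the legitimate origin.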

