Hijacked Network Ranges

Keegan Holley keegan.holley at sungard.com
Tue Jan 31 18:22:04 UTC 2012


You can break your blocks into /24's or smaller and readvertise them to
your upstreams.  You can also modify local preference using community tags
with most upstreams.  If you have tier 1 peerings you may be able to get
them to filter the bad routes if you can prove they were assigned to you by
ARIN.  There's no real way to get 100% of your traffic back until you get
the other company to stop advertising your routes though.  You may also get
traction from the AS's directly connected to the problem AS.  I'm not sure
how quickly you can get the other AS's to act on your behalf.  The short
blocks and local pref should get some of your traffic back though.


2012/1/31 Kelvin Williams <kwilliams at altuscgi.com>

> Greetings all.
>
> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet
> Exchange) immediately filter out network blocks that are being advertised
> by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>
> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and
> 68.66.112.0/20 are registered in various IRRs all as having an origin AS
> 11325 (ours), and are directly allocated to us.
>
> The malicious hijacking is being announced as /24s therefore making route
> selection pick them.
>
> Our customers and services have been impaired.  Does anyone have any
> contacts for anyone at Cavecreek that would actually take a look at ARIN's
> WHOIS, and IRRs so the networks can be restored and our services back in
> operation?
>
> Additionally, does anyone have any suggestion for mitigating in the
> interim?  Since we can't announce as /25s and IRRs are apparently a pipe
> dream.
>
> --
> Kelvin Williams
> Sr. Service Delivery Engineer
> Broadband & Carrier Services
> Altus Communications Group, Inc.
>
>
> "If you only have a hammer, you tend to see every problem as a nail." --
> Abraham Maslow
>
>
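
Added example, not part of the original thread: a small longest-prefix-match model of the mitigation discussed above, showing why readvertising the three /20s as /24s recovers only part of the traffic. The prefixes and AS numbers are the ones quoted in the post; the hijacked /24s in SAMPLE_HIJACKED are constructed (the post does not list them), and the function names are hypothetical.

```python
import ipaddress

LEGIT_AS = 11325     # origin AS registered for the blocks, per the post
HIJACK_AS = 33611    # AS the post names as announcing the /24s
ALLOCATIONS = ["208.110.48.0/20", "63.246.112.0/20", "68.66.112.0/20"]

# Constructed sample: which /24s were actually announced is not in the post.
SAMPLE_HIJACKED = ["208.110.48.0/24", "63.246.112.0/24"]


def deaggregate(prefixes, new_len=24):
    """Split each allocation into the more-specifics to readvertise."""
    out = []
    for p in prefixes:
        out.extend(str(n) for n in ipaddress.ip_network(p).subnets(new_prefix=new_len))
    return out


def build_table(legit_prefixes, hijacked_prefixes):
    """Toy routing table: list of (network, origin AS) pairs."""
    table = [(ipaddress.ip_network(p), LEGIT_AS) for p in legit_prefixes]
    table += [(ipaddress.ip_network(p), HIJACK_AS) for p in hijacked_prefixes]
    return table


def candidates(table, addr):
    """Longest-prefix match. Returns (winning prefix length, origin ASes
    announcing a covering prefix of that length). More than one AS means
    prefix length no longer decides and BGP best-path attributes
    (local preference, AS-path length, ...) pick the route."""
    ip = ipaddress.ip_address(addr)
    covering = [(net, asn) for net, asn in table if ip in net]
    if not covering:
        return None, set()
    best = max(net.prefixlen for net, _ in covering)
    return best, {asn for net, asn in covering if net.prefixlen == best}


if __name__ == "__main__":
    before = build_table(ALLOCATIONS, SAMPLE_HIJACKED)
    after = build_table(deaggregate(ALLOCATIONS), SAMPLE_HIJACKED)
    for addr in ("208.110.48.10", "208.110.49.10"):
        print(addr, "before:", candidates(before, addr),
              "after:", candidates(after, addr))
```

Where the result lists both origin ASes at /24, each remote network chooses between them by its own BGP policy, which is why the deaggregated announcements bring back only some of the traffic until the conflicting routes are withdrawn or filtered.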


