Prefix hijacking by AS20115

Jürgen Jaritsch jj at anexia.at
Tue Sep 29 05:14:29 UTC 2015


Cogent and Level3 will tell you that you are not their customer ... HE and XO will react.


Jürgen Jaritsch
Head of Network & Infrastructure

ANEXIA Internetdienstleistungs GmbH

Phone: +43-5-0556-300
Fax: +43-5-0556-500

E-mail: jj at anexia.at
Web: http://www.anexia.at

Headquarters address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
Managing director: Alexander Windbichler
Company register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601


-----Original Message-----
From: Paul S. [contact at winterei.se]
Received: Tuesday, 29 Sep. 2015, 6:57
To: nanog at nanog.org [nanog at nanog.org]
Subject: Re: Prefix hijacking by AS20115

+1, this is the only sensible advice here.

NSPs actually do seem to care about not letting things like these happen.

On 2015/09/29 01:24 PM, Hank Nussbacher wrote:
> At 23:11 28/09/2015 -0400, Josh Luthman wrote:
>
>> Start announcing their prefixes?
>
> Contact the upstreams of AS20115 - Cogent, Level3, HE and XO.
>
> -Hank
>
>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>> On Sep 28, 2015 11:09 PM, "Seth Mattinen" <sethm at rollernet.us> wrote:
>>
>> > On 9/28/15 18:30, William Herrin wrote:
>> >
>> >> On Mon, Sep 28, 2015 at 9:01 PM, Seth Mattinen <sethm at rollernet.us>
>> >> wrote:
>> >>
>> >>> I've got a problem where AS20115 continues to announce prefixes after BGP
>> >>> neighbors were shutdown. They claim it's a wedged BGP process but aren't in
>> >>> any hurry to fix it outside of a maintenance window.
>> >>>
>> >>
>> >> If they weren't lying to you, they'd fix it now. That's not the kind
>> >> of problem that waits.
>> >>
>> >> Thing is: they lied to you. Long ago they "helpfully" programmed their
>> >> router to announce your route regardless of whether you sent a route
>> >> to them. They want to wait for a maintenance window to remove that
>> >> configuration.
>> >>
>> >>
>> >>> I'm at a loss of what else I can do. They admit the problem but won't take
>> >>> action saying it needs to wait for a maintenance window. Am I out of line
>> >>> insisting that's an unacceptable response to a problem that results in
>> >>> prefix/traffic hijacking?
>> >>>
>> >>
>> >> Try dropping the link entirely. If they still announce your addresses,
>> >> bring it back up but report it as emergency down, escalate, and call
>> >> back every 10 minutes until the junior tech understands that it's time
>> >> to call and wake up the guy who makes the decision to fix it now.
>> >>
>> >>
>> >
>> > I'm at the tail end here almost 8 hours later since the hijacking started.
>> > Their NOC is just blowing me off now and they're happy to continue the
>> > hijacking until it's convenient for them to have a maintenance window. And
>> > that's apparently the final decision.
>> >
>> > ~Seth
>> >
>



