Best way to deal with bad advertisements?

Avi Freedman freedman at netaxs.com
Sat Sep 28 16:35:54 UTC 1996


> There's an ISP back on the East Coast that has
> been periodically advertising more specific
> routes for /24's out of our CIDR blocks and
> black-holing the traffic within their network.

> We've called all the listed numbers for their
> technical, admin, billing, and any other contacts
> we can find, and haven't been able to reach a 
> human; we've left messages of various levels of
> nastiness, from very sugary on up to vaguely
> threatening.  In every case, including the
> current one, it's been more than 24 hours,
> and they still haven't made any response to
> the problem; in fact, I just got paged by our
> NOC early this morning informing me they've
> stolen another one of our /24's.

In this case, the very first thing you should probably do is to
start announcing the more specific /24s to match their advertisements!
Depending on AS-PATH length (how various nets hear your announcements
vs. theirs) this may solve the immediate problem, allowing you to hunt
them down and kill them at your leisure.

> As you can well imagine, all the customers on
> those blocks are _very_ unhappy.  Each time this
> happens, we end up with dissatisfied customers,
> many of whom leave, deciding that we're too
> unstable, and can't provide quality network
> connectivity, even though to the best of my
> knowledge, there's nothing we can do to prevent
> these people from stealing our blocks.
> 
> My question to the NANOG community is twofold and
> simple:  Am I overlooking some solution that would
> allow us to 'negate' their advertisement of our
> blocks (205.159.193.0/24 and 207.88.102.0/24 in
> this case) and secondly, is there a formal process
> within the community to seek recompense, or formal
> action against a clueless and net-unfriendly ISP,
> perhaps one as simple as the net equivalent of 
> Mennonite 'shunning'?

1) Announce *your own* routes more specifically.
   This may lose you ANS connectivity, though.

2) Announce *their* routes more specifically.
   Especially the routes for their web, news, and DNS servers.
   I've never had to do this, but it came very close once.  
   A major backbone provider had a customer that was announcing
   our own most critical /24 (that we normally advertise as a 
   /23) and the NOC staff was unable to get anyone to put an
   internal-to-their-net filter on it.  They had to spend a few
   hours to contact their customer to get them to stop announcing
   it!  It was quite frustrating, and if announcing the /24 more
   specifically ourselves hadn't solved the problem (which it did,
   except for the customers of said major backbone, which we really
   don't get that many complaints about when they are unreachable)
   the next step would have been to announce one of their /24s 
   - or to take it to NANOG.

3) You can post to NANOG and other lists in an attempt to embarrass/
   get someone who knows the jokers to poke them.

> Or are we simply out of luck, and have to simply
> tell our customers "Sorry, everyone is at the
> mercy of the morons who can steal IP blocks
> simply by advertising more specific routes
> with higher weights?"

Are there higher weights involved?

> It's getting really tempting to advertise the
> networks they have their nameservers on from
> *our* network with a weight of 65535, just to
> get them to call us back.  :-(  :-(

No weights are necessary; the more specific route wins.

> Anyhow, enough frustrated venting, I *am* very
> interested in what the community feels is the 
> best policy to follow in situations like this.
> 
> Thanks again!
> 
> Matt Petach
> Network Engineer
> (writing from home)

Avi
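
Added example, not part of the original post: a Python sketch of why the more specific route wins without any weights, and a check that flags announcements inside your own blocks that originate from another AS. Only the two /24s come from the thread; the covering aggregates, the AS numbers (RFC 5398 documentation range) and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data. Only the two /24s appear in the post; the covering
# aggregates and the AS numbers are assumptions made for this example.
OUR_AS = 64500
OUR_BLOCKS = [ipaddress.ip_network(p)
              for p in ("205.159.192.0/22", "207.88.96.0/20")]
OBSERVED = [  # (prefix, origin AS) as seen from an outside vantage point
    ("205.159.192.0/22", 64500),
    ("207.88.96.0/20", 64500),
    ("205.159.193.0/24", 64511),   # more specific, foreign origin
    ("207.88.102.0/24", 64511),    # more specific, foreign origin
    ("198.51.100.0/24", 64511),    # unrelated prefix, must not be flagged
]

def origins_at_longest_match(dest, table):
    """Origin ASes of the most specific prefix(es) covering dest.

    Forwarding picks the longest matching prefix first. Attributes such as
    weight or AS-path length only break ties between routes of equal length.
    """
    addr = ipaddress.ip_address(dest)
    covering = [(ipaddress.ip_network(p), asn) for p, asn in table
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return set()
    longest = max(net.prefixlen for net, _ in covering)
    return {asn for net, asn in covering if net.prefixlen == longest}

def foreign_more_specifics(our_blocks, our_as, table):
    """Announcements equal to or inside our blocks, originated by another AS."""
    hits = []
    for p, asn in table:
        net = ipaddress.ip_network(p)
        if asn != our_as and any(net.subnet_of(b) for b in our_blocks):
            hits.append((str(net), asn))
    return hits

if __name__ == "__main__":
    for prefix, asn in foreign_more_specifics(OUR_BLOCKS, OUR_AS, OBSERVED):
        print(f"ALERT: {prefix} originated by AS{asn}")
    # Announcing the matching /24 ourselves turns the loss into a tie,
    # which is then decided per network by AS-path length.
    after = OBSERVED + [("205.159.193.0/24", OUR_AS)]
    print(origins_at_longest_match("205.159.193.10", OBSERVED))
    print(origins_at_longest_match("205.159.193.10", after))
```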




