Prefix hijacking by AS20115

Bob Evans bob at FiberInternetCenter.com
Tue Sep 29 06:04:50 UTC 2015



> On Mon, Sep 28, 2015 at 11:59 PM, Bob Evans <bob at fiberinternetcenter.com>
> wrote:
>> That's something I would do. Announce announce and keep adding ports until
>> I hit a 10 Gig port worth of traffic or saw it fixed. Be sure to put in a
>> blackhole route for the prefixes. Try to pick blocks that are as
>> geographically located to your peering routers as possible ...IE in Reno
>> pick the blocks that seem to be nearby - like Reno, Tahoe, Sacramento
>> ..... when that batch of customers makes their phones ring all night
>> someone will listen.
>>
>
> that seems like a pretty poor strategy... guaranteed to get you into
> some hot water, I suspect. Keep in mind that the 'noc' at 20115 isn't
> the same thing as the customer-service-center. There's likely little
> to link the 2 things together there :(

You are right - probably creates more problems than good.

>
>> Would be nice if our membership organization ARIN (that we all pay to
>> keep us somewhat organized) had an ability to do something for you.... I
>> never looked into it... I don't know.... maybe it does?
>
> ARIN does not guarantee 'routability' of netblocks assigned to your org.

Yep, I was pretty sure of that - but wouldn't it be nice if ARIN could
have some communication line or at least try. Yes, never any guarantees
really.

bob

>
>> But, in the meantime I am pretty sure you can document this well and
>> prove your announcements of theirs were due to the fact you couldn't get
>> proper technical attention and needed to desperately before your customers
>> cancel after 8 hours of this. Tomorrow call your lawyers and begin to sue
>> that cable company (did I recognize that ASN as cable TV?) for damages
>> this must be causing you in ill-will amongst your customer base.
>>
>> I wonder just how you prove the damage... some equation based on customer
>> calls and complaints together with how many years you have been in
>> business as well as the number of contracts that are coming up for
>> renewal, etc. etc. Now that would be interesting to see a formula for that
>> if anyone has been through it.
>>
>
> you COULD find a Charter person on-list... there are nine names on the
> attendees list for the upcoming meeting... I imagine PeeringDB likely
> has folk listed... gosh it sure does:
>
> <https://www.peeringdb.com/private/participant_view.php?id=2144>
>
> what with their emails and everything.
>
>> Thank You
>> Bob Evans
>> CTO
>>
>>
>>
>>
>>> Start announcing their prefixes?
>>>
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>> On Sep 28, 2015 11:09 PM, "Seth Mattinen" <sethm at rollernet.us> wrote:
>>>
>>>> On 9/28/15 18:30, William Herrin wrote:
>>>>
>>>>> On Mon, Sep 28, 2015 at 9:01 PM, Seth Mattinen <sethm at rollernet.us>
>>>>> wrote:
>>>>>
>>>>>> I've got a problem where AS20115 continues to announce prefixes after
>>>>>> BGP neighbors were shut down. They claim it's a wedged BGP process but
>>>>>> aren't in any hurry to fix it outside of a maintenance window.
>>>>>>
>>>>>
>>>>> If they weren't lying to you, they'd fix it now. That's not the kind
>>>>> of problem that waits.
>>>>>
>>>>> Thing is: they lied to you. Long ago they "helpfully" programmed their
>>>>> router to announce your route regardless of whether you sent a route
>>>>> to them. They want to wait for a maintenance window to remove that
>>>>> configuration.
>>>>>
>>>>>
>>>>>> I'm at a loss of what else I can do. They admit the problem but won't
>>>>>> take action saying it needs to wait for a maintenance window. Am I out
>>>>>> of line insisting that's an unacceptable response to a problem that
>>>>>> results in prefix/traffic hijacking?
>>>>>>
>>>>>
>>>>> Try dropping the link entirely. If they still announce your addresses,
>>>>> bring it back up but report it as emergency down, escalate, and call
>>>>> back every 10 minutes until the junior tech understands that it's time
>>>>> to call and wake up the guy who makes the decision to fix it now.
>>>>>
>>>>>
>>>>
>>>> I'm at the tail end here almost 8 hours later since the hijacking
>>>> started. Their NOC is just blowing me off now and they're happy to
>>>> continue the hijacking until it's convenient for them to have a
>>>> maintenance window. And that's apparently the final decision.
>>>>
>>>> ~Seth
>>>>
>>>
>>
>>
>
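
One way to run the check William Herrin describes ("If they still announce your addresses") against route-collector data, as an added example that is not part of the original thread: it scans lines in the pipe-separated format printed by `bgpdump -m` for paths to your prefixes that still include AS20115 after the sessions were shut. AS64500, the documentation prefixes, the timestamps and the sample lines are constructed placeholders.

```python
import ipaddress

SUSPECT_AS = 20115            # AS named in the thread
MY_PREFIXES = [ipaddress.ip_network(p)          # placeholder prefixes (assumption)
               for p in ("192.0.2.0/24", "198.51.100.0/24")]
SESSION_DOWN_TS = 1443484800  # constructed: when the BGP sessions were shut

# Constructed sample in `bgpdump -m` layout; AS64500 stands in for your own ASN:
# TABLE_DUMP2|time|B|peer_ip|peer_as|prefix|as_path|origin|next_hop|...
SAMPLE = """\
TABLE_DUMP2|1443490000|B|203.0.113.1|64496|192.0.2.0/24|64496 20115 64500|IGP|203.0.113.1|0|0||NAG||
TABLE_DUMP2|1443490000|B|203.0.113.2|64497|192.0.2.0/24|64497 64510 64500|IGP|203.0.113.2|0|0||NAG||
TABLE_DUMP2|1443490000|B|203.0.113.1|64496|198.51.100.0/24|64496 20115|IGP|203.0.113.1|0|0||NAG||
TABLE_DUMP2|1443480000|B|203.0.113.3|64498|198.51.100.0/24|64498 20115 64500|IGP|203.0.113.3|0|0||NAG||
TABLE_DUMP2|1443490000|B|203.0.113.2|64497|203.0.113.0/24|64497 20115 64511|IGP|203.0.113.2|0|0||NAG||
not a route line
"""

def parse_as_path(text):
    """Flatten an AS path, including AS_SET members written as {a,b}."""
    for ch in "{},":
        text = text.replace(ch, " ")
    return [int(tok) for tok in text.split() if tok.isdigit()]

def stale_paths(dump_text, since_ts=SESSION_DOWN_TS):
    """Return (peer_as, prefix, role) for routes to our space seen at or after
    since_ts whose path still contains SUSPECT_AS; role is 'origin' when
    SUSPECT_AS is the last hop (it originates the route itself), else 'transit'."""
    findings = []
    for line in dump_text.splitlines():
        f = line.split("|")
        if len(f) < 7 or f[0] != "TABLE_DUMP2" or not f[1].isdigit():
            continue
        try:
            net = ipaddress.ip_network(f[5], strict=False)
        except ValueError:
            continue
        if int(f[1]) < since_ts:
            continue  # observed before the sessions were shut
        # Exact matches and more-specifics of our prefixes both count.
        if not any(net.version == p.version and net.subnet_of(p)
                   for p in MY_PREFIXES):
            continue
        path = parse_as_path(f[6])
        if SUSPECT_AS in path:
            role = "origin" if path[-1] == SUSPECT_AS else "transit"
            findings.append((int(f[4]), str(net), role))
    return findings

if __name__ == "__main__":
    for peer_as, prefix, role in stale_paths(SAMPLE):
        print(f"peer AS{peer_as}: {prefix} still via AS{SUSPECT_AS} ({role})")
```

A timestamped list of such findings from several collector peers is also the kind of record the thread suggests keeping when documenting the incident.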




