Prefix hijacking by AS20115

Christopher Morrow morrowc.lists at gmail.com
Tue Sep 29 06:15:57 UTC 2015


On Tue, Sep 29, 2015 at 2:04 AM, Bob Evans <bob at fiberinternetcenter.com> wrote:
>
>
>> On Mon, Sep 28, 2015 at 11:59 PM, Bob Evans <bob at fiberinternetcenter.com> wrote:
>>> That's something I would do. Announce announce and keep adding ports until
>>> I hit a 10 Gig port worth of traffic or saw it fixed. Be sure to put in a
>>> blackhole route for the prefixes. Try to pick blocks that are as
>>> geographically located to your peering routers as possible ...IE in Reno
>>> pick the blocks that seem to be near by - like Reno, Tahoe, Sacramento
>>> ..... when that batch of customers makes their phones ring all night
>>> someone will listen.
>>>
>>
>> that seems like a pretty poor strategy... guaranteed to get you into
>> some hot water, I suspect. Keep in mind that the 'noc' at 20115 isn't
>> the same thing as the customer-service-center. There's likely little
>> to link the 2 things together there :(
>
> You are right - probably creates more problems than good.
>
>>
>>> Would be nice if our membership organization ARIN (that we all pay to
>>> keep us somewhat organized) had an ability to do something for you.... I
>>> never looked into it...I don't know....maybe it does?
>>
>> arin does not guarantee 'routability' of netblocks assigned to your org.
>
> Yep, I was pretty sure of that - but wouldn't it be nice if arin could
> have some communication line or at least try. Yes, never any guarantees
> really.

I'm fairly sure that the arin (or ripe or apnic or...) answer to your
question is: "read the contact info in whois... call the stated
numbers."

pretty sure that's also not going to be super helpful, email the poc's
in the peering-db.

> bob
>
>>
>>> But, in the mean time I am pretty sure you can document this well and
>>> prove your announcements of theirs was due to the fact you couldn't get
>>> proper technical attention and needed to desperately before your customers
>>> cancel after 8 hours of this. Tomorrow call your lawyers and begin to sue
>>> that cable company (did I recognize that ASN as cable TV ? ) for damages
>>> this must be causing you in ill-will amongst your customer base.
>>>
>>> I wonder just how you prove the damage...some equation based on customer
>>> calls and complaints together with how many years you have been in
>>> business as well as the number of contracts that are coming up for
>>> renewal. etc etc. Now that would be interesting to see a formula for that
>>> if anyone has been through it.
>>>
>>
>> you COULD find a charter person on-list...there are nine names on the
>> attendees list for the upcoming meeting... I imagine peeringdb likely
>> has folk listed... gosh it sure does:
>>
>> <https://www.peeringdb.com/private/participant_view.php?id=2144>
>>
>> what with their emails and everything.
>>
>>> Thank You
>>> Bob Evans
>>> CTO
>>>
>>>
>>>
>>>
>>>> Start announcing their prefixes?
>>>>
>>>> Josh Luthman
>>>> Office: 937-552-2340
>>>> Direct: 937-552-2343
>>>> 1100 Wayne St
>>>> Suite 1337
>>>> Troy, OH 45373
>>>> On Sep 28, 2015 11:09 PM, "Seth Mattinen" <sethm at rollernet.us> wrote:
>>>>
>>>>> On 9/28/15 18:30, William Herrin wrote:
>>>>>
>>>>>> On Mon, Sep 28, 2015 at 9:01 PM, Seth Mattinen <sethm at rollernet.us> wrote:
>>>>>>
>>>>>>> I've got a problem where AS20115 continues to announce prefixes after BGP
>>>>>>> neighbors were shutdown. They claim it's a wedged BGP process but aren't in
>>>>>>> any hurry to fix it outside of a maintenance window.
>>>>>>>
>>>>>>
>>>>>> If they weren't lying to you, they'd fix it now. That's not the kind
>>>>>> of problem that waits.
>>>>>>
>>>>>> Thing is: they lied to you. Long ago they "helpfully" programmed their
>>>>>> router to announce your route regardless of whether you sent a route
>>>>>> to them. They want to wait for a maintenance window to remove that
>>>>>> configuration.
>>>>>>
>>>>>>
>>>>>>> I'm at a loss of what else I can do. They admit the problem but won't take
>>>>>>> action saying it needs to wait for a maintenance window. Am I out of line
>>>>>>> insisting that's an unacceptable response to a problem that results in
>>>>>>> prefix/traffic hijacking?
>>>>>>>
>>>>>>
>>>>>> Try dropping the link entirely. If they still announce your addresses,
>>>>>> bring it back up but report it as emergency down, escalate, and call
>>>>>> back every 10 minutes until the junior tech understands that it's time
>>>>>> to call and wake up the guy who makes the decision to fix it now.
>>>>>>
>>>>>>
>>>>>
>>>>> I'm at the tail end here almost 8 hours later since the hijacking started.
>>>>> Their NOC is just blowing me off now and they're happy to continue the
>>>>> hijacking until it's convenient for them to have a maintenance window. And
>>>>> that's apparently the final decision.
>>>>>
>>>>> ~Seth
>>>>>
>>>>
>>>
>>>
>>
>
>


