One of the companies I work for recently had an issue with AS 2 (University of Delaware) hijacking a prefix. Due to Origin AS, good upstreams, and the like this has not really affected the traffic to the legit blocks. However, GeoMind picked this up almost immediately it seems. The IP blocks when you go to speedtest.net come back to the university of Delaware. This seems to be the only issue at the moment so we are working through contacting the peers of AS2 and asking them to look into this. We had also contacted University of Delaware.
Here is where the philosophy comes into play. The very terse e-mail we received back was basically “As2 gets hijacked a lot and it’s not our problem”. So my question for the NANOG folks. At what point do you say “it’s not your problem” when it involves your ASN?
Rant
I almost always have issues with GeoMind and others when it comes to IP space. Several of my folks have received allocations from Arin in March. A few are still fighting with geolocation stuff with a few of the providers. So why does GeoMind atomically accept a hijacked prefix as correct? All the right boxes have been ticked. Origin Validiation, registry sets, etc.
Happy Friday!
Justin Wilson
j2sw@mtin.net
Go back to them and tell them that a hijacked prefix is different from a hijacked AS.
I will probably just get another link to like I did in the first e-mail. LOL
Thus spake Justin Wilson (Lists) (lists@mtin.net) on Fri, May 29, 2020 at 11:39:46AM -0400:
One of the companies I work for recently had an issue with AS 2 (University of Delaware) hijacking a prefix. Due to Origin AS, good upstreams, and the like this has not really affected the traffic to the legit blocks. However, GeoMind picked this up almost immediately it seems. The IP blocks when you go to speedtest.net come back to the university of Delaware. This seems to be the only issue at the moment so we are working through contacting the peers of AS2 and asking them to look into this. We had also contacted University of Delaware.
Here is where the philosophy comes into play. The very terse e-mail we received back was basically “As2 gets hijacked a lot and it’s not our problem”.
Given the ASN, have you ruled out that this is hijacking vs a case of
prepending gone wrong. We see this happen quote a bit with ASN 16,
and sometimes even with 50. Typically, ASN's 43, 44, and 45 usually
get spared from this class of misconfiguration.
So my question for the NANOG folks. At what point do you say “it’s not your problem” when it involves your ASN?
Interdomain routing continues to be a community effort, but this
certainly could be in the class of problems of which they had no
hand in.
Dale
are you sure it was really udel? and not someone pretending to be udel
from a random IX peering?
Sounds like a misconfigured prepend, someone thinking the value to provide is the number of prepends instead of the ASN to prepend.
/mark
The point where someone who isn't you is both hijacking your ASN *and*
someone else's prefix? Have you confirmed that the hijack actually
came from UDel, that the AS path matches one that's legitimate for
UDel? The guy hijacking your route doesn't have to list just one AS as
the origin; he can' list an entire chain.
Regards,
Bill Herrin
Thanks Bill,
As our canned Email stated, AS2 (and many low digit AS') get hijacked and
often go on to hijack someone's prefix. AS2 (proper) is rarely changed and
the chances of an actual prefix hijack from it is extremely low.
So as I've asked our peers, I'll ask here: What is expected of us to be good
"Net Citizens" with these hijacks?
We don't have a FTE to assign to contact IX,ISP,etc. sites, often not in this country,
to track down these weekly hijacks. The canned Email has resulted in some feedback
where the hijack is found to be a prepending syntax error, or a lab config slipping
through to production, but still a majority are supposed malicious and we never
hear back.
Seeing AS paths of the prefix hijacks would be helpful, but we're not aware of where
we can get to them and offer the Email response asking the victim to inquire locally.
thanks