There's an ISP back on the East Coast that has
been periodically advertising more specific
routes for /24's out of our CIDR blocks and
black-holing the traffic within their network.
We've called all the listed numbers for their
technical, admin, billing, and any other contacts
we can find, and haven't been able to reach a
human; we've left messages of various levels of
nastyness, from very sugary on up to vaguely
threatening. In every case, including the
current one, it's been more than 24 hours,
and they still haven't made any response to
the problem; in fact, I just got paged by our
NOC early this morning informing me they've
stolen another one of our /24's.
In this case, the very first thing you should probably do is to
start announcing the more specific /24s to match their advertisements!
Depending on AS-PATH length (how various nets hear your announcements
vs. theirs) this may solve the immediate problem, allowing you to hunt
them down and kill them at your leisure.
As you can well imagine, all the customers on
those blocks are _very_ unhappy. Each time this
happens, we end up with dissatisfied customers,
many of whom leave, deciding that we're too
unstable, and can't provide quality network
connectivity, even though to the best of my
knowledge, there's nothing we can do to prevent
these people from stealing our blocks.
My question to the NANOG community is twofold and
simple: Am I overlooking some solution that would
allow us to 'negate' their advertisement of our
blocks (22.214.171.124/24 and 126.96.36.199/24 in
this case) and secondly, is there a formal process
within the community to seek recompense, or formal
action against a clueless and net-unfriendly ISP,
perhaps one as simple as the net equivalent of
1) Announce *your own* routes more specifically.
This may lose you ANS connectivity, though.
2) Announce *their* routes more specifically.
Especially the routes for their web, news, and dns servers.
I've never had to do this, but it came very close once.
A major backbone provider had a customer that was announcing
our own most critical /24 (that we normally advertise as a
/23) and the NOC staff was unable to get anyone to put an
internal-to-their-net filter on it. They had to spend a few
hours to contact their customer to get them to stop announcing
it! It was quite frustrating, and if announcing the /24 more
specifically ourselves hadn't solved the problem (which it did,
except for the customers of said major backbone, which we really
don't get that many complaints about when they are unreachable)
the next step would have been to announce one of their /24s
- or to take it to NANOG.
3) You can post to NANOG and other lists in an attempt to embarrass/
get someone who knows the jokers to poke them.
Or are we simply out of luck, and have to simply
tell our customers "Sorry, everyone is at the
mercy of the morons who can steal IP blocks
simply by advertising more specific routes
with higher weights?"
Are there higher weights involved?
It's getting really tempting to advertise the
networks they have their nameservers on from
*our* network with a weight of 65535, just to
get them to call us back.
No weights are necessary; the more specific route wins.
Anyhow, enough frustrated venting, I *am* very
interested in what the community feels is the
best policy to follow in situations like this.
(writing from home)