> There's an ISP back on the East Coast that has
> been periodically advertising more specific
> routes for /24's out of our CIDR blocks and
> black-holing the traffic within their network.
> We've called all the listed numbers for their
> technical, admin, billing, and any other contacts
> we can find, and haven't been able to reach a
> human; we've left messages of various levels of
> nastyness, from very sugary on up to vaguely
> threatening. In every case, including the
> current one, it's been more than 24 hours,
> and they still haven't made any response to
> the problem; in fact, I just got paged by our
> NOC early this morning informing me they've
> stolen another one of our /24's.
In this case, the very first thing you should probably do is to
start announcing the more specific /24s to match their advertisements!
Depending on AS-PATH length (how various nets hear your announcements
vs. theirs) this may solve the immediate problem, allowing you to hunt
them down and kill them at your leisure.
The downside to this is that we go from advertising /16's
out, to advertising a fleet of /24's out, most of which
would be filtered by Sprint's ever-lovin' CIDR-forcing
wall. I agree with Sprint, and Sean, but in this case
it pretty much makes it hard for us to force the issue
by dropping to the same or smaller sized announcement.
Good thought, though! Even if it does result in going
from 2 /16 announcements to 512 /24 announcements in
the process, growing the routing tables, and generally
making everyone else unhappy as well.
*sigh* There really MUST be some nice way of handling
lame ISP's like this.
> As you can well imagine, all the customers on
> those blocks are _very_ unhappy. Each time this
> happens, we end up with dissatisfied customers,
> many of whom leave, deciding that we're too
> unstable, and can't provide quality network
> connectivity, even though to the best of my
> knowledge, there's nothing we can do to prevent
> these people from stealing our blocks.
> My question to the NANOG community is twofold and
> simple: Am I overlooking some solution that would
> allow us to 'negate' their advertisement of our
> blocks (126.96.36.199/24 and 188.8.131.52/24 in
> this case) and secondly, is there a formal process
> within the community to seek recompense, or formal
> action against a clueless and net-unfriendly ISP,
> perhaps one as simple as the net equivalent of
> Mennonite 'shunning'?
1) Announce *your own* routes more specifically.
This may lose you ANS connectivity, though.
And Sprint, and anyone else that filters small specifics.
2) Announce *their* routes more specifically.
Especially the routes for their web, news, and dns servers.
I've never had to do this, but it came very close once.
A major backbone provider had a customer that was announcing
our own most critical /24 (that we normally advertise as a
/23) and the NOC staff was unable to get anyone to put an
internal-to-their-net filter on it. They had to spend a few
hours to contact their customer to get them to stop announcing
it! It was quite frustrating, and if announcing the /24 more
specifically ourselves hadn't solved the problem (which it did,
except for the customers of said major backbone, which we really
don't get that many complaints about when they are unreachable)
the next step would have been to announce one of their /24s
- or to take it to NANOG.
I took that step last night, and was advised to remove it by
those more in tune with legal issues. I guess it's not
considered "nice" to sink to the same level as your
attacker, and play dirty. :-}
So, I removed my announcement of their backbone shortly after
putting it in place. 'Twould have been sweet revenge, though...
3) You can post to NANOG and other lists in an attempt to embarrass/
get someone who knows the jokers to poke them.
> Or are we simply out of luck, and have to simply
> tell our customers "Sorry, everyone is at the
> mercy of the morons who can steal IP blocks
> simply by advertising more specific routes
> with higher weights?"
Are there higher weights involved?
Nominally higher, but I won't vouschafe that it's
intentional--it could be more of a simple matter of
by default, they've set their weights at a level
that happens to be higher than our default level.
I try to avoid assuming culpability in cases where
it may just be coincidence. Occam's razor, and
all that sort of thing.
> It's getting really tempting to advertise the
> networks they have their nameservers on from
> *our* network with a weight of 65535, just to
> get them to call us back.
No weights are necessary; the more specific route wins.
I know, I actually did it briefly yesterday out of
sheer frustration, and then pulled it back out when
counselled that even self-defense isn't always a
sure win if the laywers get involved.
> Anyhow, enough frustrated venting, I *am* very
> interested in what the community feels is the
> best policy to follow in situations like this.
> Thanks again!
> Matt Petach
> Network Engineer
> (writing from home)
Again, my thanks for you feedback and support!