We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet
Exchange) immediately filter out network blocks that are being advertised
by AS33611 (SBJ Media, LLC), who provided them with a forged LOA.
The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and
68.66.112.0/20 are registered in various IRRs all as having an origin AS
11325 (ours), and are directly allocated to us.
The malicious hijack is being announced as /24s, therefore making route
selection pick them.
Our customers and services have been impaired. Does anyone have any
contacts for anyone at Cavecreek who would actually take a look at ARIN's
WHOIS and the IRRs so the networks can be restored and our services put back in
operation?
Additionally, does anyone have any suggestion for mitigating in the
interim, since we can't announce as /25s and IRRs are apparently a pipe
dream?
You can break your blocks into /24's or smaller and readvertise them to
your upstreams. You can also modify local preference using community tags
with most upstreams. If you have tier 1 peerings you may be able to get
them to filter the bad routes if you can prove they were assigned to you by
ARIN. There's no real way to get 100% of your traffic back until you get
the other company to stop advertising your routes though. You may also get
traction from the ASes directly connected to the problem AS. I'm not sure
how quickly you can get the other ASes to act on your behalf. The short
blocks and local pref should get some of your traffic back though.
Many/most transit providers filter prefixes longer than /24, so the
effectiveness may be minimal.
At the very least I'd advertise /24s yourself because if the forger is
geographically further away, some local sites may still work. Better than
nothing.
Most large transits and NSPs filter out prefixes more specific than a /24.
Conventionally, at least in my experience, /24s are the most-specific
prefix you can use and expect that it will end up in most places.
Some shops with limited router processing or table storage capacity
will filter even more restrictively, so a bigger aggregate is worth
announcing as well.
Ugh, what a hassle. I've been there, and it's really no fun.
Have you tried the contacts listed at PeeringDB for AS19181? Check
out: as19181.peeringdb.com
If you fail to get AS19181 to respond, you might consider contacting
*their* upstreams and explaining the situation.
Maybe contact Level3+Telia+AboveNet+Hurricane Electric, since all of these
are upstream providers of AS29791, which is your upstream carrier? I guess
they would be able to neutralize the effect significantly by filtering those
routes?
To be honest I haven't had much success in convincing a tier 1 to
modify someone else's routes on my behalf, for whatever reason. I also
have had limited success in getting them to do anything quickly. I'd
first look to modify your advertisements as much as possible to
mitigate the issue and then work with the other guy's upstreams second.
I would start by advertising your prefixes as /24s as well; I just
randomly checked 2 different locations and the AS path to 11325 is shorter
than to 33611.
This seems to be the case for customers of Tiscali and L3, so this will
probably get most of your traffic back to you...
The interesting thing is that I'm not seeing any new "hosts" from those
subnets in passive DNS. It almost seems that their purpose for
hijacking the space was to direct traffic to themselves, possibly for
collecting login attempts.
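An added illustration, not from any poster in this thread, of the route-selection behaviour discussed above: why the hijacker's /24 beats the legitimate /20 regardless of AS path, why re-announcing your own /24s wins the tie on the shorter AS path, and why a /25 does nothing once transit ingress filters drop it. The prefixes and the origin ASNs 11325 and 33611 are from the thread; the intermediate ASNs 64512/64513 are private-range placeholders and the path lengths are constructed, not observed.

```python
import ipaddress

MAX_ACCEPTED_PREFIXLEN = 24  # typical transit ingress filter: nothing longer than /24

# Constructed routes as seen from one observer router. Origin ASNs 11325
# (legitimate) and 33611 (hijacker) are from the thread; 64512/64513 are
# private-range placeholder ASNs, and the path lengths are assumed.
LEGIT_20 = ("208.110.48.0/20", [64512, 29791, 11325])
HIJACK_24 = ("208.110.50.0/24", [64512, 64513, 19181, 33611])
LEGIT_24 = ("208.110.50.0/24", [64512, 29791, 11325])
LEGIT_25 = ("208.110.50.0/25", [64512, 29791, 11325])


def accepted(prefix: str) -> bool:
    """Ingress filter: drop anything more specific than /24."""
    return ipaddress.ip_network(prefix).prefixlen <= MAX_ACCEPTED_PREFIXLEN


def best_route(rib, dest_ip: str):
    """Simplified BGP selection: longest matching prefix wins, then the
    shortest AS path. Returns (prefix, origin_asn) or None if unreachable."""
    ip = ipaddress.ip_address(dest_ip)
    cands = [(ipaddress.ip_network(p), path) for p, path in rib
             if accepted(p) and ip in ipaddress.ip_network(p)]
    if not cands:
        return None
    net, path = max(cands, key=lambda c: (c[0].prefixlen, -len(c[1])))
    return str(net), path[-1]


def origin_for(rib, dest_ip: str):
    """Origin AS that ends up receiving traffic for dest_ip, or None."""
    route = best_route(rib, dest_ip)
    return None if route is None else route[1]


def scenarios():
    """Which origin AS wins for a host inside the hijacked /24 under each
    mitigation discussed in the thread, plus a host outside that /24."""
    host = "208.110.50.10"
    return {
        "only /20 announced": origin_for([LEGIT_20, HIJACK_24], host),
        "legit /24 too": origin_for([LEGIT_20, HIJACK_24, LEGIT_24], host),
        "legit /25 (filtered)": origin_for([LEGIT_20, HIJACK_24, LEGIT_25], host),
        "host outside hijacked /24": origin_for([LEGIT_20, HIJACK_24], "208.110.60.1"),
    }


if __name__ == "__main__":
    for label, origin in scenarios().items():
        print(f"{label}: traffic reaches AS{origin}")
```

Swapping the path lengths so the hijacker's is shorter shows the limit the thread notes: the /24 re-announcement then only recovers traffic at locations where your path is shorter, so the hijack still has to be withdrawn at the source.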