Hijacked Network Ranges

Another interesting thing that I noticed is that AS33611 is not advertising any prefixes other than yours. Either they do not have any of their own (unlikely) or they are advertising their own legitimate prefixes from another AS; however, I doubt that is the case. It sounds like you were able to verify that this is indeed a malicious attack. If that is truly the case, I would certainly be in contact with your lawyers as this is certainly causing you financial loss and since it is easily verifiable, you would have a solid case I would think. I am no attorney but it seems like a no-brainer to me.

So, it does look like you are finally announcing your prefixes as a /24 and that most traffic is again coming to your AS. That probably helped quite a bit, right?

Regards,

John

If I read the previous material correctly, it seems to have gone something like:

Customer was initially a customer of Kelvin's firm and had the address assignments in question.

Customer relationship with Kelvin's firm terminated and they contracted for service elsewhere but are apparently attempting to maintain the use of the address allocation(s) they received from Kelvin's firm. They apparently did this by misrepresenting the fact that they were entitled to use that address space.

If that is the case, it isn't so much a "malicious attack" as it is just plain stealing the use of IP address space they aren't entitled to.

We've been in such situations with our customers requesting
us either to:

  a) Block certain addresses across their transit
     links in order to mitigate DoS attacks.

  b) Announce address space which does not necessarily
     belong to them, even though they aren't being
     nefarious.

In either case, a quick check of the RIR WHOIS database to
qualify consistency in information does not hurt. Yes, WHOIS
records aren't always the most up-to-date, but it's a fairly
good representation of the truth most of the time,
especially since 'inetnum' objects tend to be managed by the
RIRs themselves, last time I checked.

This is quickly making the case for RPKI.

Mark.
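
What RPKI adds over the manual WHOIS check mentioned in the last message, as an added example that is not from any poster in this thread: route origin validation in the style of RFC 6811, run against signed ROA data. The prefixes and AS numbers are constructed documentation values, and `VRP`, `VRPS` and `validate_origin` are names made up for this example.

```python
import ipaddress
from collections import namedtuple

# A Validated ROA Payload (VRP): the prefix a holder signed for, the longest
# prefix length they permit, and the AS authorized to originate it.
VRP = namedtuple("VRP", "prefix max_length asn")

# Constructed sample data: documentation prefix (RFC 5737) and ASNs (RFC 5398).
# AS64500 plays the address holder; AS64511 plays another network.
VRPS = [
    VRP(ipaddress.ip_network("198.51.100.0/24"), 24, 64500),
]

def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    # A VRP covers the route if the route is equal to or inside the VRP prefix.
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"   # no ROA covers this space; RPKI gives no verdict
    for v in covering:
        # AS 0 in a ROA means "nobody may originate this"; it never matches.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin AS or too specific

if __name__ == "__main__":
    announcements = [
        ("198.51.100.0/24", 64500),  # holder originating its own /24
        ("198.51.100.0/24", 64511),  # same /24 originated by another AS
        ("198.51.100.0/25", 64500),  # holder, but longer than maxLength
        ("203.0.113.0/24", 64511),   # space with no ROA at all
    ]
    for prefix, asn in announcements:
        print(f"{prefix:<18} AS{asn:<6} {validate_origin(prefix, asn)}")
```

Only the "invalid" verdict lets a transit provider reject an announcement automatically; "not-found" space still needs the WHOIS-style manual check.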