On 9/25/2003 at 2:19 PM, "Deepak Jain" <deepak@ai.net> wrote:

>> But it's ok when AboveNet does it? ...or actually does much worse by secretly and arbitrarily blackholing various networks at will, while advertising connectivity to those networks to their BGP customers and peers?

> So why keep connectivity to them? A contract term? Now that you know of the policy and aren't very happy about it, why not change providers -- you already have a few. :)

> I think anyone who blackholes sites within their own network should take the specifics with a community that clueful customers can use to route around them, but obviously it's their network, and whoever is setting up the blackholes can decide that for themselves. Just a suggestion.

Travis Haymore, Director of Security at AboveNet, has reportedly (see Spam-L a couple weeks back) made telephoned threats to at least one system owner (digistar.com), threatening (and then following up on that threat) to null-route that particular system (/32) on all of AboveNet/MFNX's routers, for no other reason than a user of that system making unfavorable public statements about AboveNet in public forums - while not disputing the truth of such statements made; he just wanted "that user gone, or else". Unfortunately for Travis, that happened to be the backup outgoing MX for a mailing list of quite some importance to a few ISPs and RIRs: Hijacked-L.

As far as my own case is concerned, presumably the same individual null-routed the machine this mail originates from (208.241.101.2), for reasons not explained and not justified with internal documentation whatsoever (that much I got from an AboveNet manager; causing removal of this IP from their BL, for lack of documentation, and the unnamed individual responsible for its entry (Travis was never mentioned by name to me by this AboveNet person, but everyone else who has reported similar experiences with AboveNet seems to be pointing back to him at this point) never contested it).

Indeed, quite a bit of mail to abuse@above.net has been sent from this IP (we are talking of maybe a few hundred since Jan 2003, a fraction of the number of actual incidents observed) - and that appeared to be the one and only reason why this machine would appear on his/their radar at all.

Legitimate, persistent and continuing complaints about illegal trespassing originating from AboveNet's (or their customers') IP space into your servers apparently can get you transit-blackholed at AboveNet, rather than getting yourself blocked from accessing *AboveNet OWNED AND OPERATED* machines - while AboveNet, knowingly and willingly, does nothing to stop the illegal activity by itself.

If null0-routing the complainant shields that complainant from the illegal activity (in order to make him shut up), I become quite suspicious that the remaining illegal activity against the other 99.99999999999% of the Internet is not just being ignored, but endorsed and shielded from further discovery by the complainant. That's called "collusion", in my I-am-not-a-lawyer way of expressing this. Add the secrecy on AboveNet's side and the unusual paths it takes to even partially uncover any of this, then tell me: would you rather be SBL-listed for everyone to see, or secretly null0'd at a transit point, with no public or privately accessible record, until you randomly find out about it, because some customer-used services (websites, email, etc.) have been failing randomly for a couple of weeks (blame the Internet!)?

> This way, blackholes designed to protect clue-light customers can be used with little detriment to clueful customers (once the communities are used and well-described/published).

Funny as it is, none of the definitions found at http://www.above.net/antispam.html (sections (3) and (8)) ever seem to apply to the cases that we are hearing and reading about here, making the interception and redirection of this traffic NOT AIMED AT AboveNet quite unlawful under federal wiretapping statutes - and all of this is happening with AboveNet managers being well aware - less the details on the legalities, I am sure.

And this one is for Deepak: how exactly would a single host (e.g.: any prefix longer than a /24) evade the giant traffic vacuum cleaner (AboveNet, busy cleansing the Internet of "unwanted by anyone" packets) when your route, as seen from most of the Internet, is a /10, rather than a /22, /23 or /24?

And last but not least: infrastructure failures as a result of operator behavior are on-topic, the last time I checked.

bye,
Kai
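As an added illustration of the community-tagged blackhole approach Deepak suggests above (this is example configuration written for this page, not anything from the thread and not AboveNet's or any other operator's actual configuration), the following Cisco IOS-style fragments show both halves of the arrangement. The provider side redistributes its Null0 host routes into BGP with a community attached; the customer side rejects any route carrying that community on import, so the /32 never enters its table and traffic follows whatever covering prefix it learns elsewhere. All ASNs (64496, 64497), prefixes (198.51.100.1/32, 203.0.113.0/30) and the route tag 666 are documentation or constructed values; the community 65535:666 is the well-known BLACKHOLE value later standardised in RFC 7999, used here only as an assumed convention (the thread predates that RFC, and a provider may just as well pick a private ASN:NN value).

```cisco
! ===== Provider side (AS 64496, assumed) =====
! Host route for the blackholed system, tagged so a route-map can recognise it.
ip route 198.51.100.1 255.255.255.255 Null0 tag 666
!
ip bgp-community new-format
!
! Only routes carrying tag 666 are redistributed, and they get the
! blackhole community so downstream BGP speakers can identify them.
route-map BLACKHOLE-TAG permit 10
 match tag 666
 set community 65535:666 additive
!
router bgp 64496
 redistribute static route-map BLACKHOLE-TAG
 ! 203.0.113.2 is the customer router (constructed address).
 neighbor 203.0.113.2 remote-as 64497
 ! Without send-community the tag is stripped and the customer cannot tell
 ! a blackhole /32 from any other more-specific announcement.
 neighbor 203.0.113.2 send-community

! ===== Clueful customer side (AS 64497, assumed) =====
ip bgp-community new-format
!
ip community-list standard PROVIDER-BLACKHOLE permit 65535:666
!
! Deny anything the provider has tagged as blackholed; accept the rest.
route-map FROM-PROVIDER deny 10
 match community PROVIDER-BLACKHOLE
route-map FROM-PROVIDER permit 20
!
router bgp 64497
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 route-map FROM-PROVIDER in
```

The customer-side filter is what turns a silent drop into a visible, routable-around event: the rejected /32 can be seen with `show ip bgp neighbors 203.0.113.1 received-routes` (assuming soft-reconfiguration inbound is enabled), and the corresponding documentation of the community value is what lets a customer decide to filter it at all. The approach only helps a customer that has a second path to the covering prefix; it does nothing for the single host whose only visibility to the rest of the Internet is inside a large aggregate, which is the limitation Kai raises.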