There's an ISP back on the East Coast that has been periodically advertising more specific routes for /24's out of our CIDR blocks and black-holing the traffic within their network.
We've called all the listed numbers for their technical, admin, billing, and any other contacts we can find, and haven't been able to reach a human; we've left messages of various levels of nastyness, from very sugary on up to vaguely threatening. In every case, including the current one, it's been more than 24 hours, and they still haven't made any response to the problem; in fact, I just got paged by our NOC early this morning informing me they've stolen another one of our /24's.
In this case, the very first thing you should probably do is to start announcing the more specific /24s to match their advertisements! Depending on AS-PATH length (how various nets hear your announcements vs. theirs) this may solve the immediate problem, allowing you to hunt them down and kill them at your leisure.
The downside to this is that we go from advertising /16's out, to advertising a fleet of /24's out, most of which would be filtered by Sprint's ever-lovin' CIDR-forcing wall. I agree with Sprint, and Sean, but in this case it pretty much makes it hard for us to force the issue by dropping to the same or smaller sized announcement. Good thought, though! Even if it does result in going from 2 /16 announcements to 512 /24 announcements in the process, growing the routing tables, and generally making everyone else unhappy as well. *sigh* There really MUST be some nice way of handling lame ISP's like this.
As you can well imagine, all the customers on those blocks are _very_ unhappy. Each time this happens, we end up with dissatisfied customers, many of whom leave, deciding that we're too unstable, and can't provide quality network connectivity, even though to the best of my knowledge, there's nothing we can do to prevent these people from stealing our blocks.
My question to the NANOG community is twofold and simple: Am I overlooking some solution that would allow us to 'negate' their advertisement of our blocks (205.159.193.0/24 and 207.88.102.0/24 in this case) and secondly, is there a formal process within the community to seek recompense, or formal action against a clueless and net-unfriendly ISP, perhaps one as simple as the net equivalent of Mennonite 'shunning'?
1) Announce *your own* routes more specifically. This may lose you ANS connectivity, though.
And Sprint, and anyone else that filters small specifics.
2) Announce *their* routes more specifically. Especially the routes for their web, news, and dns servers. I've never had to do this, but it came very close once. A major backbone provider had a customer that was announcing our own most critical /24 (that we normally advertise as a /23) and the NOC staff was unable to get anyone to put an internal-to-their-net filter on it. They had to spend a few hours to contact their customer to get them to stop announcing it! It was quite frustrating, and if announcing the /24 more specifically ourselves hadn't solved the problem (which it did, except for the customers of said major backbone, which we really don't get that many complaints about when they are unreachable) the next step would have been to announce one of their /24s - or to take it to NANOG.
I took that step last night, and was advised to remove it by those more in tune with legal issues. I guess it's not considered "nice" to sink to the same level as your attacker, and play dirty. :-} So, I removed my announcement of their backbone shortly after putting it in place. 'Twould have been sweet revenge, though...
3) You can post to NANOG and other lists in an attempt to embarrass/ get someone who knows the jokers to poke them.
Or are we simply out of luck, and have to simply tell our customers "Sorry, everyone is at the mercy of the morons who can steal IP blocks simply by advertising more specific routes with higher weights?"
Are there higher weights involved?
Nominally higher, but I won't vouschafe that it's intentional--it could be more of a simple matter of by default, they've set their weights at a level that happens to be higher than our default level. I try to avoid assuming culpability in cases where it may just be coincidence. Occam's razor, and all that sort of thing.
It's getting really tempting to advertise the networks they have their nameservers on from *our* network with a weight of 65535, just to get them to call us back. :-( :-(
No weights are necessary; the more specific route wins.
I know, I actually did it briefly yesterday out of sheer frustration, and then pulled it back out when counselled that even self-defense isn't always a sure win if the laywers get involved.
Anyhow, enough frustrated venting, I *am* very interested in what the community feels is the best policy to follow in situations like this.
Thanks again!
Matt Petach Network Engineer (writing from home)
Avi
Again, my thanks for you feedback and support! Matt Petach