There's an ISP back on the East Coast that has been periodically advertising more specific routes for /24's out of our CIDR blocks and black-holing the traffic within their network.
We've called all the listed numbers for their technical, admin, billing, and any other contacts we can find, and haven't been able to reach a human; we've left messages of various levels of nastyness, from very sugary on up to vaguely threatening. In every case, including the current one, it's been more than 24 hours, and they still haven't made any response to the problem; in fact, I just got paged by our NOC early this morning informing me they've stolen another one of our /24's.
In this case, the very first thing you should probably do is to start announcing the more specific /24s to match their advertisements! Depending on AS-PATH length (how various nets hear your announcements vs. theirs) this may solve the immediate problem, allowing you to hunt them down and kill them at your leisure.
As you can well imagine, all the customers on those blocks are _very_ unhappy. Each time this happens, we end up with dissatisfied customers, many of whom leave, deciding that we're too unstable, and can't provide quality network connectivity, even though to the best of my knowledge, there's nothing we can do to prevent these people from stealing our blocks.
My question to the NANOG community is twofold and simple: Am I overlooking some solution that would allow us to 'negate' their advertisement of our blocks (205.159.193.0/24 and 207.88.102.0/24 in this case) and secondly, is there a formal process within the community to seek recompense, or formal action against a clueless and net-unfriendly ISP, perhaps one as simple as the net equivalent of Mennonite 'shunning'?
1) Announce *your own* routes more specifically. This may lose you ANS connectivity, though. 2) Announce *their* routes more specifically. Especially the routes for their web, news, and dns servers. I've never had to do this, but it came very close once. A major backbone provider had a customer that was announcing our own most critical /24 (that we normally advertise as a /23) and the NOC staff was unable to get anyone to put an internal-to-their-net filter on it. They had to spend a few hours to contact their customer to get them to stop announcing it! It was quite frustrating, and if announcing the /24 more specifically ourselves hadn't solved the problem (which it did, except for the customers of said major backbone, which we really don't get that many complaints about when they are unreachable) the next step would have been to announce one of their /24s - or to take it to NANOG. 3) You can post to NANOG and other lists in an attempt to embarrass/ get someone who knows the jokers to poke them.
Or are we simply out of luck, and have to simply tell our customers "Sorry, everyone is at the mercy of the morons who can steal IP blocks simply by advertising more specific routes with higher weights?"
Are there higher weights involved?
It's getting really tempting to advertise the networks they have their nameservers on from *our* network with a weight of 65535, just to get them to call us back. :-( :-(
No weights are necessary; the more specific route wins.
Anyhow, enough frustrated venting, I *am* very interested in what the community feels is the best policy to follow in situations like this.
Thanks again!
Matt Petach Network Engineer (writing from home)
Avi