It was blocked and I did verify it. A very small amount of our traffic comes in on PCCW and *they* were not honoring a tag that they've contractually agreed to honor. I can understand why it may be fun to make this look like a product of my own incompetence, and perhaps it is something I would have noticed if I wasn't busy responding to flames.
It may be a good policy going forward to do your own null-routes. I realize that for a DDOS protection company, the ability to tag nullroutes upstream is handy, but you also need to nullroute the traffic on your own gear, or shut down the switch port. Something that is completely independent of another organization, regardless of their contractual obligations to you. If you were my employee, I would find the fact that you fat-fingered a nullroute to be highly concerning. I would recommend that in addition to changing the way you do nullroutes, you also implement a change control policy which screens commands for approval before making configuration changes upon which your public declarations, and your reputation as a decent operator, rely.

Nathan Eisenberg