AT&T blocking individual IP addresses
As of about an hour ago AT&T appear to have started blocking access to a few of our IP addresses. This is being done at a /32 level, and the IP addresses above and below are still allowed through. Has anyone seen them do this before, or know who I need to contact to get it fixed? AT&T won't talk to me as I'm not a customer... Traceroute to the blocked IPs from AT&T all end at : 5 cr2.phlpa.ip.att.net (12.122.3.226) [MPLS: Labels 20559/17406 Exp 0] 116 msec 20 msec 20 msec 6 cr2.cl2oh.ip.att.net (12.122.2.209) [MPLS: Labels 20527/17406 Exp 0] 24 msec 20 msec 20 msec 7 cr1.cl2oh.ip.att.net (12.122.2.125) [MPLS: Labels 0/17406 Exp 0] 24 msec 20 msec 20 msec 8 cr82.dtrmi.ip.att.net (12.123.139.154) [MPLS: Label 16623 Exp 0] 24 msec 20 msec 20 msec 9 gar4.dtrmi.ip.att.net (12.122.102.89) 20 msec 20 msec 20 msec 10 12.87.238.238 [AS 7018] 24 msec 20 msec 24 msec 11 12.87.238.237 [AS 7018] !A * * Traceroute to the neighboring IP addresses don't go anywhere near the above path, so it's apparently a blackhole of sorts. Scott.
On Dec 9, 2009, at 10:22 PM, Scott Howard wrote:
Traceroute to the neighboring IP addresses don't go anywhere near the above path, so it's apparently a blackhole of sorts.
Are they bots or C&C servers, or open DNS recursors? ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
On Wed, Dec 9, 2009 at 7:25 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:
Traceroute to the neighboring IP addresses don't go anywhere near the above path, so it's apparently a blackhole of sorts.
Are they bots or C&C servers, or open DNS recursors?
They are (authenticated-required) proxy servers with 10's of thousands of users behind them, so it's possible that they were seeing some bot-like traffic from them, although the volume would have been tiny compared to the volume of legitimate traffic. Scott.
On Dec 9, 2009, at 11:03 PM, Scott Howard wrote:
They are (authenticated-required) proxy servers with 10's of thousands of users behind them, so it's possible that they were seeing some bot-like traffic from them, although the volume would have been tiny compared to the volume of legitimate traffic.
So, if, say, AT&T customers are getting zorched from traffic behind those proxies, then blocking them would make sense, no? ;> Do you have visibility into the traffic into/out of those proxies, in order to determine if there's DDoS or spam or other undesirable traffic emanating from them? ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
On Wed, Dec 9, 2009 at 9:26 AM, Paul Bennett <paul.w.bennett@gmail.com>wrote:
On Wed, 09 Dec 2009 10:22:50 -0500, Scott Howard <scott@doc.net.au> wrote:
As of about an hour ago AT&T appear to have started blocking access to a
few of our IP addresses.
AT&T won't talk to me as I'm not a customer...
So, wait, are they your addresses or not?
They are our non-AT&T addresses, and AT&T was blocking access to them from their network, so any of our customers on AT&T were unable to access our systems. AT&T has now resolved the problem, claiming that it was a "provisioning error"... Thanks, Scott.
participants (3)
-
Dobbins, Roland
-
Paul Bennett
-
Scott Howard