Another interesting thing that I noticed is that AS33611 is not advertising any prefixes other than yours. Either they do not have any of their own (unlikely), or they are advertising their own legitimate prefixes from another AS; however, I doubt that is the case. It sounds like you were able to verify that this is indeed a malicious attack. If that is truly the case, I would certainly be in contact with your lawyers, as this is certainly causing you financial loss and, since it is easily verifiable, you would have a solid case, I would think. I am no attorney, but it seems like a no-brainer to me. So, it does look like you are finally announcing your prefixes as a /24 and that most traffic is again coming to your AS. That probably helped quite a bit, right? Regards, John
-----Original Message----- From: John Schneider Sent: Tuesday, January 31, 2012 5:34 PM To: Kelvin Williams Subject: Re: Hijacked Network Ranges
Another interesting thing that I noticed is that AS33611 is not advertising any prefixes other than yours. Either they do not have any of their own (unlikely), or they are advertising their own legitimate prefixes from another AS; however, I doubt that is the case. It sounds like you were able to verify that this is indeed a malicious attack.
If I read the previous material correctly, it seems to have gone something like: Customer was initially a customer of Kelvin's firm and had the address assignments in question. Customer relationship with Kelvin's firm terminated and they contracted for service elsewhere but are apparently attempting to maintain the use of the address allocation(s) they received from Kelvin's firm. They apparently did this by misrepresenting the fact that they were entitled to use that address space. If that is the case, it isn't so much a "malicious attack" as it is just plain stealing the use of IP address space they aren't entitled to.
On Wednesday, February 01, 2012 12:10:32 PM George Bonser wrote:
Customer relationship with Kelvin's firm terminated and they contracted for service elsewhere but are apparently attempting to maintain the use of the address allocation(s) they received from Kelvin's firm. They apparently did this by misrepresenting the fact that they were entitled to use that address space.
We've been in such situations with customers requesting us either to:
a) Block certain addresses across their transit links in order to mitigate DoS attacks.
b) Announce address space which does not necessarily belong to them, even though they aren't being nefarious.
In either case, a quick check of the RIR WHOIS database to qualify consistency in information does not hurt. Yes, WHOIS records aren't always the most up-to-date, but they're a fairly good representation of the truth most of the time, especially since 'inetnum' objects tend to be managed by the RIRs themselves, last time I checked. This is quickly making the case for RPKI. Mark.
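The thread ends by pointing at RPKI as the fix for exactly this situation: a prefix originated by an AS that is not the registered holder, and a /24 more-specific announced to win the route back. The following is an added example, not code from any of the posters, showing how RPKI route origin validation (RFC 6811) would classify such announcements. The ROAs, prefixes (from the documentation ranges) and AS numbers (64496, 64511, from the private range) are constructed for illustration and have no connection to the ASes or address space in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maximum prefix length, authorised origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed ROAs for illustration only (documentation prefixes, private ASNs).
# AS64496 plays the legitimate holder; nothing here reflects real registry data.
SAMPLE_ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 23, 64496),   # holder may announce the /22 or /23s, but not /24s
]


def _covers(roa_net: ipaddress._BaseNetwork, announced: ipaddress._BaseNetwork) -> bool:
    """True if the ROA prefix covers the announced prefix (same family, equal or more specific)."""
    return (
        announced.version == roa_net.version
        and announced.prefixlen >= roa_net.prefixlen
        and announced.network_address in roa_net
    )


def validate_origin(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 route origin validation.

    NotFound: no ROA covers the prefix.
    Valid:    some covering ROA names this origin AS and allows this prefix length.
    Invalid:  covering ROAs exist but none matches (wrong origin, or too specific).
    """
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if _covers(ipaddress.ip_network(r.prefix), announced)]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.origin_asn == origin_asn and announced.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def classify_updates(updates: Iterable[Tuple[str, int]], roas: Iterable[ROA]) -> Dict[Tuple[str, int], str]:
    """Run validation over a batch of (prefix, origin AS) pairs, e.g. from a BGP update feed."""
    roas = list(roas)
    return {(p, asn): validate_origin(p, asn, roas) for p, asn in updates}


if __name__ == "__main__":
    # Constructed announcements: the holder's own, a foreign origin, and a /24 more-specific.
    seen = [
        ("192.0.2.0/24", 64496),
        ("192.0.2.0/24", 64511),
        ("198.51.100.0/23", 64496),
        ("198.51.100.0/24", 64496),
        ("203.0.113.0/24", 64511),
    ]
    for (p, asn), state in classify_updates(seen, SAMPLE_ROAS).items():
        print(f"{p:<18} AS{asn:<6} {state}")
```

Two points worth noting from the output: the foreign origin for 192.0.2.0/24 is Invalid rather than merely NotFound, because a ROA exists for the holder, so a validating router can drop or depreference it; and the holder's own /24 more-specific of 198.51.100.0/22 is also Invalid, since the ROA's maxLength of 23 does not permit it. Deaggregating to a /24 to win the route back, as described in the thread, only works under ROV if the ROA's maxLength was set to allow it.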
Participants (3): George Bonser, John Schneider, Mark Tinka