[130167] in North American Network Operators' Group
RE: AS11296 -- Hijacked?
daemon@ATHENA.MIT.EDU (Nathan Eisenberg)
Wed Sep 29 14:32:27 2010
From: Nathan Eisenberg <nathan@atlasnetworks.us>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 29 Sep 2010 18:32:06 +0000
> There would be several filters for this. Is the person reporting this a known
> network operator that people trust or is it some Joe Blow out of nowhere
> that nobody has heard of before? That would make a huge difference. Is
> the AS assigned to a company that is known to be defunct? That would be
> another flag. Why would a company that no longer exists have its ASN active
> and its IPs sending traffic? This would be particularly interesting if the carrier
> handling the traffic is not a carrier known to have a relationship with that AS
> in the past. So a pattern of ... AS works for many years, disappears for some
> period of time, company goes defunct, and some period of time later the AS
> appears on a completely different carrier without any reassignment from the
> registrar.
Agree, and those are all good filters (except for the perilously fallacious appeal to authority). But none of these claims were made, and that's the source of this extended discussion. If those claims had been made, then this entire discussion could have been circumvented - and those that care could independently validate the claims. There is a LOT of danger to blindly blackholing networks simply because a trusted email address posts on a netops list. In my experience, netops people (NANOG'ers being an especially good example) tend to be largely logical, rational, skeptical beings.
So in a nutshell: if the post had included what you're suggesting, we could at least go out and go:
"oh, yes, he's right - that AS belongs to a dead company, and is coming from a very different carrier than it did when it was operating"
AND
"his email address has a history of posting reliable information of a similar nature"
AND
"his message is validly PGP signed so that we can trust that the owner of the email address sent the message"
AND
"his email is written in a way that recognizes that clued, skeptical individuals are going to carefully analyze it"
THEN
I would expect a very different set of responses from the list.
But an email that says "I'm going to deliberately withhold all of the vital information I used to come to this conclusion, but request that you take action anyways" is going to consistently be roundfiled.
Nathan