[149265] in North American Network Operators' Group
Re: Hijacked Network Ranges
daemon@ATHENA.MIT.EDU (Andrew Fried)
Tue Jan 31 16:17:30 2012
Date: Tue, 31 Jan 2012 16:16:31 -0500
From: Andrew Fried <andrew.fried@gmail.com>
To: nanog@nanog.org
In-Reply-To: <CANEysbE7GiFM++ykwiO0nBmfPvWHw_KSPUFDPfNbM5Y2TL1kMw@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
The interesting thing is that I'm not seeing any new "hosts" from those
subnets in passive DNS. It almost seems that their purpose for
hijacking the space was to direct traffic to themselves, possibly for
collecting login attempts.
Andrew Fried
andrew.fried@gmail.com
On 1/31/12 1:00 PM, Kelvin Williams wrote:
> Greetings all.
>
> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet
> Exchange) immediately filter out network blocks that are being advertised
> by AS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>
> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and
> 68.66.112.0/20 are registered in various IRRs all as having an origin AS
> 11325 (ours), and are directly allocated to us.
>
> The malicious hijacking is being announced as /24s therefore making route
> selection pick them.
>
> Our customers and services have been impaired. Does anyone have any
> contacts for anyone at Cavecreek that would actually take a look at ARIN's
> WHOIS, and IRRs so the networks can be restored and our services back in
> operation?
>
> Additionally, does anyone have any suggestion for mitigating in the
> interim? Since we can't announce as /25s and IRRs are apparently a pipe
> dream.
>
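The more-specific announcements described in this thread can be flagged by comparing observed routes against the registered allocations. The following Python is an added example, not part of either message: the three /20s and origin AS 11325 come from the post, while the individual /24 entries, the AS64500 entry and all function names are constructed for illustration.

```python
import ipaddress

# Registered allocations and origin AS, taken from the post above.
REGISTERED = {
    ipaddress.ip_network("208.110.48.0/20"): 11325,
    ipaddress.ip_network("63.246.112.0/20"): 11325,
    ipaddress.ip_network("68.66.112.0/20"): 11325,
}

# Constructed sample of observed announcements (prefix, origin AS).
# The specific /24s are illustrative; the post does not list them.
OBSERVED = [
    ("208.110.48.0/20", 11325),
    ("208.110.49.0/24", 33611),
    ("63.246.112.0/20", 11325),
    ("63.246.120.0/24", 33611),
    ("68.66.112.0/20", 11325),
    ("192.0.2.0/24", 64500),  # unrelated documentation prefix
]

def classify(prefix, origin):
    """Compare one announcement against the registered allocations."""
    net = ipaddress.ip_network(prefix)
    for reg, reg_origin in REGISTERED.items():
        if net.version == reg.version and net.subnet_of(reg):
            if origin != reg_origin:
                return "origin-mismatch"
            return "ok" if net == reg else "more-specific-own"
    return "unrelated"

def best_route(address, routes):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(address)
    covering = [(ipaddress.ip_network(p), o) for p, o in routes
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    net, origin = max(covering, key=lambda r: r[0].prefixlen)
    return str(net), origin

def alerts(routes):
    """Announcements inside registered space with an unexpected origin."""
    return [(p, o) for p, o in routes if classify(p, o) == "origin-mismatch"]

if __name__ == "__main__":
    for p, o in alerts(OBSERVED):
        print(f"ALERT {p} originated by AS{o}")
    print(best_route("208.110.49.10", OBSERVED))
```

`best_route` shows why the /24s win: an address inside a hijacked /24 resolves to the foreign origin, while the rest of the /20 still resolves to AS 11325.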