mailing list archives
Re: Thanks & Let's Prevent this in the Future.
From: Arturo Servin <aservin () lacnic net>
Date: Fri, 3 Feb 2012 10:16:01 -0200
One option is to use RPKI and origin validation. But it won't help much unless prefix holders create their
certificates and ROAs and network operators use those to validate origins. It won't solve all the issues but at least
some fat-finger/inexperience errors.
We are running an experiment to detect route hijacks/misconf using RPKI. So far, not many routes are "signed"
but at least we can periodically check our own prefix (or any other with ROAs) to detect some inconsistencies:
On 1 Feb 2012, at 06:58, Kelvin Williams wrote:
First off, I'd like to thank everyone on this list who has reached out
today and offered us help with our hijacked network space. It's so
refreshing to see that there are still so many who refuse to leave a
I'm not going to place any blame, it's useless. There were lies, there were
incompetencies, and there was negligence but that is now water under the
However, I think that we as network operators have a duty to each other to
make sure we don't allow a downstream customer to wreck the operations of
another entity who has been rightfully allocated resources.
A few months ago, when establishing a new peering relationship I was
encouraged (actually required) to utilize one of the IRRs. I took the time
to register all of my routes, ASNs, etc. However, as I learned today, this
was probably done in vain. Too many people won't spend the extra
30 seconds to verify the information listed there or in ARIN's WHOIS.
I don't care what a customer tells me, too many times I've found they
aren't 100% honest either for malicious/fraudulent reasons or they are
unknowing. So, for our networks or the networks we manage, we want to
verify what a customer is saying to prevent what happened to us today.
I'd like to get a conversation going and possibly some support of an
initiative to spend that extra 30 seconds to verify ownership and
authorization of network space to be advertised. Additionally, if someone
rings your NOC's line an industry-standard process of verifying "ownership"
and immediately responding by filtering out announcements. There's no sense
in allowing a service provider to be impaired because a spammer doesn't
want to give up clean IP space. Do you protect a bad customer or the
Internet as a whole? I pick the Internet as a whole.
How can we prevent anyone else from ever enduring this again? While we may
never stop it from ever happening, spammers (that's what we got hit by
today) are a dime a dozen and will do everything possible to hit an Inbox,
so how can we establish a protocol to immediately mitigate the effects of an
I thought registering with IRRs and up-to-date information in ARIN's WHOIS
was sufficient, apparently I was wrong. Not everyone respects them, but
then again, they aren't very well managed (I've got several networks with
antiquated information I've been unable to remove, it doesn't impair us
normally, but it's still there).
What can we do? Better yet, how do we as a whole respond when we encounter
upstream providers who refuse to look at the facts and allow another to
Sr. Service Delivery Engineer
Broadband & Carrier Services
Altus Communications Group, Inc.
"If you only have a hammer, you tend to see every problem as a nail." --