nanog mailing list archives

RE: AS11296 -- Hijacked?


From: Nathan Eisenberg <nathan () atlasnetworks us>
Date: Wed, 29 Sep 2010 18:32:06 +0000

There would be several filters for this.  Is the person reporting this a known
network operator that people trust or is it some Joe Blow out of nowhere
that nobody has heard of before?  That would make a huge difference.  Is
the AS assigned to a company that is known to be defunct? That would be
another flag.  Why would a company that no longer exists have its ASN active
and its IPs sending traffic?  This would be particularly interesting if the carrier
handling the traffic is not a carrier known to have a relationship with that AS
in the past.  So a pattern of ... AS works for many years, disappears for some
period of time, company goes defunct, and some period of time later the AS
appears on a completely different carrier without any reassignment from the
registrar.

Agree, and those are all good filters (except for the perilously fallacious appeal to authority).  But none of these 
claims were made, and that's the source of this extended discussion.  If those claims had been made, then this entire 
discussion could have been circumvented - and those that care could independently validate the claims.  There is a LOT 
of danger to blindly blackholing networks simply because a trusted email address posts on a netops list.  In my 
experience, netops people (NANOG'ers being an especially good example) tend to be largely logical, rational, skeptical 
beings.

So in a nutshell: if the post had included what you're suggesting, we could at least go out and go:

"oh, yes, he's right - that AS belongs to a dead company, and is coming from a very different carrier than it did when 
it was operating"
AND
"his email address has a history of posting reliable information of a similar nature"
AND 
"his message is validly PGP signed so that we can trust that the owner of the email address sent the message"
AND
"his email is written in a way that recognizes that clued, skeptical individuals are going to carefully analyze it"
THEN
I would expect a very different set of responses from the list.

But an email that says "I'm going to deliberately withhold all of the vital information I used to come to this 
conclusion, but request that you take action anyways" is going to consistently be roundfiled.

Nathan


