Re: AS hijacking (Philosophy, rants, GeoMind)

[Michael Davis <davis () udel edu>]

Thanks Bill,
    As our canned Email stated, AS2 (and many low digit AS') get 
hijacked and
often go on to hijack someone's prefix.  AS2 (proper) is rarely changed and
the chances of an actual prefix hijack from it is extremely low.

So as I've asked our peers, I'll ask here: What is expected of us to be good
"Net Citizens" with these hijacks?

We don't have a FTE to assign to contact IX,ISP,etc. sites, often not in 
this country,
to track down these weekly hijacks.  The canned Email has resulted in 
some feedback
where the hijack is found to be a prepending syntax error, or a lab 
config slipping
through to production, but still a majority are supposed malicious and 
we never
hear back.

Seeing AS paths of the prefix hijacks would be helpful, but we're not 
aware of where
we can get to them and offer the Email response asking the victim to 
inquire locally.

thanks


On 5/30/20 2:09 PM, William Herrin wrote:
> On Fri, May 29, 2020 at 8:40 AM Justin Wilson (Lists) <lists () mtin net> wrote:
> > Here is where the philosophy comes into play.  The very terse e-mail we received back was basically “As2 gets hijacked 
> > a lot and it’s not our problem”. So my question for the NANOG folks.  At what point do you say “it’s not your problem” 
> > when it involves your ASN?
> The point where someone who isn't you is both hijacking your ASN *and*
> someone else's prefix? Have you confirmed that the hijack actually
> came from UDel, that the AS path matches one that's legitimate for
> UDel? The guy hijacking your route doesn't have to list just one AS as
> the origin; he can' list an entire chain.
>
> Regards,
> Bill Herrin


--
 Mike Davis
 IT - University of Delaware - 302.831.8756
 Newark, DE 19716       Email davis () udel edu