Re: Spectrum technical contact

2018-12-22 Thread Josh Luthman
Got a hold of someone, finally!  All you have to do, if it's done through
BGP, is set a community to 10796:666

This was set up as Time Warner Cable but is Spectrum today.  The people I
spoke with had been with Time Warner Cable for years before the
acquisition/name change.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Sun, Dec 23, 2018 at 12:53 AM Josh Luthman 
wrote:

> Attack is back on.  If there's anyone out there that works at Spectrum and
> can do a route change and hopefully share some info on BGP communities I
> would greatly appreciate hearing from you.
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Sun, Dec 23, 2018, 12:12 AM Tim Warnock wrote:
>
>> > That’s where you confuse me Josh, if you do BGP with them wouldn’t it be
>> > your advertisement to them that’s causing them to route to you.  In other
>> > words, aren’t they only routing packets to you for prefixes that you advertise
>> > via BGP to them?
>>
>> Unless of course the point-to-point between spectrum and Josh is under
>> attack...?
>>
>
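
Added example, not part of the original thread or any provider's configuration: a small Python model of the upstream edge router showing why nulling the address locally leaves the circuit full, while a /32 tagged 10796:666 is dropped before it reaches the customer link. The 198.51.100.0/24 prefix, the static route and the import policy (discard only host routes carrying the community) are assumptions for illustration.

```python
import ipaddress

BLACKHOLE = "10796:666"          # community value quoted in the thread
DISCARD = "discard (null route)"


class UpstreamEdge:
    """Toy model of the provider edge router facing the customer."""

    def __init__(self):
        self.rib = {}            # ip_network -> next hop

    def add_static(self, prefix, next_hop):
        self.rib[ipaddress.ip_network(prefix)] = next_hop

    def receive_bgp(self, prefix, next_hop, communities=()):
        # Assumed import policy: a customer host route carrying the
        # blackhole community has its next hop rewritten to discard.
        net = ipaddress.ip_network(prefix)
        if BLACKHOLE in communities and net.prefixlen == net.max_prefixlen:
            next_hop = DISCARD
        self.rib[net] = next_hop

    def forward(self, dst):
        # Longest-prefix match: the most specific covering route wins.
        ip = ipaddress.ip_address(dst)
        covering = [n for n in self.rib if ip in n]
        if not covering:
            return None
        return self.rib[max(covering, key=lambda n: n.prefixlen)]


def crosses_customer_circuit(edge, dst, circuit="customer-circuit"):
    """True if traffic to dst is still sent down the congested link."""
    return edge.forward(dst) == circuit


def scenario():
    # Constructed sample: 198.51.100.0/24 is a documentation prefix that
    # the upstream routes statically to the customer; .77 is the target.
    edge = UpstreamEdge()
    edge.add_static("198.51.100.0/24", "customer-circuit")
    before = crosses_customer_circuit(edge, "198.51.100.77")
    # Customer nulls the address locally: the upstream RIB is unchanged.
    after_local_null = crosses_customer_circuit(edge, "198.51.100.77")
    # Customer announces the /32 tagged 10796:666 over the BGP session.
    edge.receive_bgp("198.51.100.77/32", "customer-circuit", [BLACKHOLE])
    after_rtbh = crosses_customer_circuit(edge, "198.51.100.77")
    neighbour = crosses_customer_circuit(edge, "198.51.100.10")
    return before, after_local_null, after_rtbh, neighbour
```

Only the attacked address stops crossing the circuit; the rest of the /24 keeps following the static route.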


Re: Spectrum technical contact

2018-12-22 Thread Josh Luthman
Attack is back on.  If there's anyone out there that works at Spectrum and
can do a route change and hopefully share some info on BGP communities I
would greatly appreciate hearing from you.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sun, Dec 23, 2018, 12:12 AM Tim Warnock wrote:

> > That’s where you confuse me Josh, if you do BGP with them wouldn’t it be
> > your advertisement to them that’s causing them to route to you.  In other
> > words, aren’t they only routing packets to you for prefixes that you advertise
> > via BGP to them?
>
> Unless of course the point-to-point between spectrum and Josh is under
> attack...?
>


RE: Spectrum technical contact

2018-12-22 Thread Tim Warnock
> That’s where you confuse me Josh, if you do BGP with them wouldn’t it be
> your advertisement to them that’s causing them to route to you.  In other
> words, aren’t they only routing packets to you for prefixes that you advertise
> via BGP to them?

Unless of course the point-to-point between spectrum and Josh is under 
attack...?


Re: Spectrum technical contact

2018-12-22 Thread Aaron1
That’s where you confuse me Josh, if you do BGP with them wouldn’t it be your 
advertisement to them that’s causing them to route to you.  In other words, 
aren’t they only routing packets to you for prefixes that you advertise via BGP 
to them?

Aaron

> On Dec 22, 2018, at 7:51 PM, Josh Luthman  wrote:
> 
> The IP is their routing to me.  It's not BGP.
> 
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> 
>> On Sat, Dec 22, 2018, 7:51 PM Jason Canady wrote:
>> Your upstream provider is null routing it when you send them the command via 
>> BGP, no longer filling your pipe. 
>> 
>>> On Dec 22, 2018, at 19:24, Josh Luthman  wrote:
>>> 
>>> But if they route it to me and I null it, the traffic is already filling my 
>>> pipe (which is my issue).
>>> 
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>> 
>>>> On Sat, Dec 22, 2018, 11:32 AM Jason Canady wrote:
>>>> The /32 should override any static route they are sending you with a 
>>>> larger prefix.
>>>> 
>>>> Jason Canady
>>>> Unlimited Net, LLC
>>>> Responsive, Reliable, Secure
>>>>> On 12/22/18 11:30 AM, Josh Luthman wrote:
>>>>> I do BGP with them, but of course the issue is an IP that they route to 
>>>>> me.
>>>>> 
>>>>> My issue is with ASN 10796
>>>>> 
>>>>> Josh Luthman
>>>>> Office: 937-552-2340
>>>>> Direct: 937-552-2343
>>>>> 1100 Wayne St
>>>>> Suite 1337
>>>>> Troy, OH 45373
>>>>> 
>>>>> 
>>>>>> On Fri, Dec 21, 2018 at 4:55 PM Aaron1  wrote:
>>>>>> If you BGP neighbor with them you can send-community /32 advertisement 
>>>>>> to them, and they will remotely black hole it 
>>>>>> 
>>>>>> Aaron
>>>>>> 
>>>>>> > On Dec 21, 2018, at 3:51 PM, Josh Luthman 
>>>>>> >  wrote:
>>>>>> > 
>>>>>> > We have had a DOS attack for over 12 hours.  I simply want them to 
>>>>>> > null route or black hole an address.  The traffic is filling one of 
>>>>>> > our circuits with them.
>>>>>> > 
>>>>>> > The farthest I got was them telling me they can't do route changes 
>>>>>> > because we're not public safety.
>>>>>> > 
>>>>>> > Josh Luthman
>>>>>> > Office: 937-552-2340
>>>>>> > Direct: 937-552-2343
>>>>>> > 1100 Wayne St
>>>>>> > Suite 1337
>>>>>> > Troy, OH 45373
>>>>>> 
>>>>


Re: Spectrum technical contact

2018-12-22 Thread Mike Hammett
Did you try their NOC on their PeeringDB page? 
https://www.peeringdb.com/net/2144 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Josh Luthman"  
To: "NANOG list"  
Sent: Friday, December 21, 2018 3:51:10 PM 
Subject: Spectrum technical contact 


We have had a DOS attack for over 12 hours. I simply want them to null route or 
black hole an address. The traffic is filling one of our circuits with them. 


The farthest I got was them telling me they can't do route changes because 
we're not public safety. 



Josh Luthman 
Office: 937-552-2340 
Direct: 937-552-2343 
1100 Wayne St 
Suite 1337 
Troy, OH 45373 


Re: Spectrum technical contact

2018-12-22 Thread Josh Luthman
They don't do communities to my knowledge.  At this point they won't do
anything unless I'm public safety.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, Dec 22, 2018, 7:56 PM Ahad Aboss wrote:

> Your upstream should have provided you with BGP blackhole community where
> you tag your /32 and they propagate the BGP BH to all their upstream
> providers.
>
> On Sun, Dec 23, 2018 at 11:27 AM Josh Luthman 
> wrote:
>
>> But if they route it to me and I null it, the traffic is already filling
>> my pipe (which is my issue).
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> On Sat, Dec 22, 2018, 11:32 AM Jason Canady wrote:
>>
>>> The /32 should override any static route they are sending you with a
>>> larger prefix.
>>>
>>> Jason Canady
>>> Unlimited Net, LLC
>>> Responsive, Reliable, Secure
>>>
>>> On 12/22/18 11:30 AM, Josh Luthman wrote:
>>>
>>> I do BGP with them, but of course the issue is an IP that they route to
>>> me.
>>>
>>> My issue is with ASN 10796
>>>
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>>
>>>
>>> On Fri, Dec 21, 2018 at 4:55 PM Aaron1  wrote:
>>>
>>>> If you BGP neighbor with them you can send-community /32 advertisement
>>>> to them, and they will remotely black hole it
>>>>
>>>> Aaron
>>>>
>>>> > On Dec 21, 2018, at 3:51 PM, Josh Luthman <
>>>> j...@imaginenetworksllc.com> wrote:
>>>> >
>>>> > We have had a DOS attack for over 12 hours.  I simply want them to
>>>> null route or black hole an address.  The traffic is filling one of our
>>>> circuits with them.
>>>> >
>>>> > The farthest I got was them telling me they can't do route changes
>>>> because we're not public safety.
>>>> >
>>>> > Josh Luthman
>>>> > Office: 937-552-2340
>>>> > Direct: 937-552-2343
>>>> > 1100 Wayne St
>>>> > Suite 1337
>>>> > Troy, OH 45373
>>>>
>>>>
>>>
>
>


Re: Spectrum technical contact

2018-12-22 Thread Josh Luthman
The IP is their routing to me.  It's not BGP.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, Dec 22, 2018, 7:51 PM Jason Canady wrote:

> Your upstream provider is null routing it when you send them the command
> via BGP, no longer filling your pipe.
>
> On Dec 22, 2018, at 19:24, Josh Luthman 
> wrote:
>
> But if they route it to me and I null it, the traffic is already filling
> my pipe (which is my issue).
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Sat, Dec 22, 2018, 11:32 AM Jason Canady wrote:
>> The /32 should override any static route they are sending you with a
>> larger prefix.
>>
>> Jason Canady
>> Unlimited Net, LLC
>> Responsive, Reliable, Secure
>>
>> On 12/22/18 11:30 AM, Josh Luthman wrote:
>>
>> I do BGP with them, but of course the issue is an IP that they route to
>> me.
>>
>> My issue is with ASN 10796
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>>
>> On Fri, Dec 21, 2018 at 4:55 PM Aaron1  wrote:
>>
>>> If you BGP neighbor with them you can send-community /32 advertisement
>>> to them, and they will remotely black hole it
>>>
>>> Aaron
>>>
>>> > On Dec 21, 2018, at 3:51 PM, Josh Luthman 
>>> wrote:
>>> >
>>> > We have had a DOS attack for over 12 hours.  I simply want them to
>>> null route or black hole an address.  The traffic is filling one of our
>>> circuits with them.
>>> >
>>> > The farthest I got was them telling me they can't do route changes
>>> because we're not public safety.
>>> >
>>> > Josh Luthman
>>> > Office: 937-552-2340
>>> > Direct: 937-552-2343
>>> > 1100 Wayne St
>>> > Suite 1337
>>> > Troy, OH 45373
>>>
>>>
>>


Re: Spectrum technical contact

2018-12-22 Thread Ahad Aboss
Your upstream should have provided you with BGP blackhole community where
you tag your /32 and they propagate the BGP BH to all their upstream
providers.

On Sun, Dec 23, 2018 at 11:27 AM Josh Luthman 
wrote:

> But if they route it to me and I null it, the traffic is already filling
> my pipe (which is my issue).
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Sat, Dec 22, 2018, 11:32 AM Jason Canady wrote:
>> The /32 should override any static route they are sending you with a
>> larger prefix.
>>
>> Jason Canady
>> Unlimited Net, LLC
>> Responsive, Reliable, Secure
>>
>> On 12/22/18 11:30 AM, Josh Luthman wrote:
>>
>> I do BGP with them, but of course the issue is an IP that they route to
>> me.
>>
>> My issue is with ASN 10796
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>>
>> On Fri, Dec 21, 2018 at 4:55 PM Aaron1  wrote:
>>
>>> If you BGP neighbor with them you can send-community /32 advertisement
>>> to them, and they will remotely black hole it
>>>
>>> Aaron
>>>
>>> > On Dec 21, 2018, at 3:51 PM, Josh Luthman 
>>> wrote:
>>> >
>>> > We have had a DOS attack for over 12 hours.  I simply want them to
>>> null route or black hole an address.  The traffic is filling one of our
>>> circuits with them.
>>> >
>>> > The farthest I got was them telling me they can't do route changes
>>> because we're not public safety.
>>> >
>>> > Josh Luthman
>>> > Office: 937-552-2340
>>> > Direct: 937-552-2343
>>> > 1100 Wayne St
>>> > Suite 1337
>>> > Troy, OH 45373
>>>
>>>
>>


Re: Spectrum technical contact

2018-12-22 Thread Jason Canady
Your upstream provider is null routing it when you send them the command via 
BGP, no longer filling your pipe. 

> On Dec 22, 2018, at 19:24, Josh Luthman  wrote:
> 
> But if they route it to me and I null it, the traffic is already filling my 
> pipe (which is my issue).
> 
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> 
>> On Sat, Dec 22, 2018, 11:32 AM Jason Canady wrote:
>> The /32 should override any static route they are sending you with a larger 
>> prefix.
>> Jason Canady
>> Unlimited Net, LLC
>> Responsive, Reliable, Secure
>>> On 12/22/18 11:30 AM, Josh Luthman wrote:
>>> I do BGP with them, but of course the issue is an IP that they route to me.
>>> 
>>> My issue is with ASN 10796
>>> 
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>> 
>>> 
>>>> On Fri, Dec 21, 2018 at 4:55 PM Aaron1  wrote:
>>>> If you BGP neighbor with them you can send-community /32 advertisement to 
>>>> them, and they will remotely black hole it 
>>>> 
>>>> Aaron
>>>> 
>>>> > On Dec 21, 2018, at 3:51 PM, Josh Luthman  
>>>> > wrote:
>>>> > 
>>>> > We have had a DOS attack for over 12 hours.  I simply want them to null 
>>>> > route or black hole an address.  The traffic is filling one of our 
>>>> > circuits with them.
>>>> > 
>>>> > The farthest I got was them telling me they can't do route changes 
>>>> > because we're not public safety.
>>>> > 
>>>> > Josh Luthman
>>>> > Office: 937-552-2340
>>>> > Direct: 937-552-2343
>>>> > 1100 Wayne St
>>>> > Suite 1337
>>>> > Troy, OH 45373
>>>> 
>> 


Re: Spectrum technical contact

2018-12-22 Thread Josh Luthman
But if they route it to me and I null it, the traffic is already filling my
pipe (which is my issue).

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Sat, Dec 22, 2018, 11:32 AM Jason Canady wrote:

> The /32 should override any static route they are sending you with a
> larger prefix.
>
> Jason Canady
> Unlimited Net, LLC
> Responsive, Reliable, Secure
>
> On 12/22/18 11:30 AM, Josh Luthman wrote:
>
> I do BGP with them, but of course the issue is an IP that they route to
> me.
>
> My issue is with ASN 10796
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
>
> On Fri, Dec 21, 2018 at 4:55 PM Aaron1  wrote:
>
>> If you BGP neighbor with them you can send-community /32 advertisement to
>> them, and they will remotely black hole it
>>
>> Aaron
>>
>> > On Dec 21, 2018, at 3:51 PM, Josh Luthman 
>> wrote:
>> >
>> > We have had a DOS attack for over 12 hours.  I simply want them to null
>> route or black hole an address.  The traffic is filling one of our circuits
>> with them.
>> >
>> > The farthest I got was them telling me they can't do route changes
>> because we're not public safety.
>> >
>> > Josh Luthman
>> > Office: 937-552-2340
>> > Direct: 937-552-2343
>> > 1100 Wayne St
>> > Suite 1337
>> > Troy, OH 45373
>>
>>
>


Re: Spectrum technical contact

2018-12-22 Thread Jason Canady
The /32 should override any static route they are sending you with a 
larger prefix.


Jason Canady
Unlimited Net, LLC
Responsive, Reliable, Secure

On 12/22/18 11:30 AM, Josh Luthman wrote:
> I do BGP with them, but of course the issue is an IP that they route
> to me.
>
> My issue is with ASN 10796
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Fri, Dec 21, 2018 at 4:55 PM Aaron1 wrote:
>
>> If you BGP neighbor with them you can send-community /32
>> advertisement to them, and they will remotely black hole it
>>
>> Aaron
>>
>> > On Dec 21, 2018, at 3:51 PM, Josh Luthman
>> > <j...@imaginenetworksllc.com> wrote:
>> >
>> > We have had a DOS attack for over 12 hours.  I simply want them
>> > to null route or black hole an address.  The traffic is filling
>> > one of our circuits with them.
>> >
>> > The farthest I got was them telling me they can't do route
>> > changes because we're not public safety.
>> >
>> > Josh Luthman
>> > Office: 937-552-2340
>> > Direct: 937-552-2343
>> > 1100 Wayne St
>> > Suite 1337
>> > Troy, OH 45373




Re: Spectrum technical contact

2018-12-22 Thread Josh Luthman
I do BGP with them, but of course the issue is an IP that they route to me.

My issue is with ASN 10796

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Fri, Dec 21, 2018 at 4:55 PM Aaron1  wrote:

> If you BGP neighbor with them you can send-community /32 advertisement to
> them, and they will remotely black hole it
>
> Aaron
>
> > On Dec 21, 2018, at 3:51 PM, Josh Luthman 
> wrote:
> >
> > We have had a DOS attack for over 12 hours.  I simply want them to null
> route or black hole an address.  The traffic is filling one of our circuits
> with them.
> >
> > The farthest I got was them telling me they can't do route changes
> because we're not public safety.
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
>
>


Re: Real-time BGP hijacking detection: ARTEMIS-1.0.0 just released

2018-12-22 Thread Hank Nussbacher

On 21/12/2018 17:10, Jared Mauch wrote:

So expect now BGP hijackers to announce /25s from here on in.  They 
generally adopt BCPs faster than providers.


-Hank


> Folks have studied announcing a /25 etc.. and it can help because many 
> providers will accept them.. it won’t get everyone, but longer than /24 
> prefixes do help.
>
> - Jared
>
>> On Dec 21, 2018, at 10:07 AM, Kody Vicknair  wrote:
>>
>> I'm curious, If the hijacked prefix is a /24 (subset of your much larger /22) 
>> and you can only tie the hijacked prefix, at that point how effective is the 
>> mitigation outside of a default bgp route selection process?
>>
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Vasileios Kotronis
>> Sent: Thursday, December 20, 2018 11:23 AM
>> To: nanog@nanog.org
>> Subject: Real-time BGP hijacking detection: ARTEMIS-1.0.0 just released
>>
>> Dear operators,
>>
>> FORTH's INSPIRE group and CAIDA are delighted to announce the public release of 
>> the ARTEMIS BGP prefix hijacking detection tool, available as open-source 
>> software at https://github.com/FORTH-ICS-INSPIRE/artemis
>>
>> ARTEMIS is designed to be operated by an AS in order to monitor BGP for potential 
>> hijacking attempts against its own prefixes. The system detects such attacks within 
>> seconds, enabling immediate mitigation. The current release has been tested at a 
>> major Greek ISP, a dual-homed edge academic network, and a major US R&E 
>> backbone network.
>>
>> We would be happy if you'd give it a try and provide feedback. Feel free to 
>> make pull requests on GitHub and help us make this a true community project.
>>
>> ARTEMIS is funded by European Research Council (ERC) grant agreement no.
>> 338402 (NetVolution Project), the RIPE NCC Community Projects 2017, the Comcast 
>> Innovation Fund, US NSF grants OAC-1848641 and CNS-1423659 and US DHS S&T 
>> contract HHSP233201600012C.
>>
>> Best regards,
>> Vasileios
>>
>> --
>> ===
>> Vasileios Kotronis
>> Postdoctoral Researcher, member of the INSPIRE Group
>> INSPIRE = INternet Security, Privacy, and Intelligence REsearch
>> Telecommunications and Networks Lab (TNL)
>> Foundation for Research and Technology - Hellas (FORTH)
>> Leoforos Plastira 100, Heraklion 70013, Greece
>> e-mail : vkotro...@ics.forth.gr
>> url: http://inspire.edu.gr
>> ===
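
Added example (not ARTEMIS code and not written by any poster in this thread): classifying an observed announcement against your own prefixes and listing the de-aggregation options discussed above, where a hijacked /24 can only be tied and /25s help only where they are accepted. The prefix 10.20.0.0/22, the AS numbers 64500 and 64501, and the /24 acceptance limit are assumptions for illustration; only exact-prefix and sub-prefix conflicts are handled.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread).
MY_AS = 64500
OWNED = ["10.20.0.0/22"]
MAX_ACCEPTED_LEN = 24   # assumed longest IPv4 prefix widely accepted


def classify(announced, origin_as, owned=OWNED, my_as=MY_AS):
    """Compare one observed BGP announcement with the prefixes we originate."""
    net = ipaddress.ip_network(announced)
    if origin_as == my_as:
        return "no conflict"
    for own in map(ipaddress.ip_network, owned):
        if net.version != own.version:
            continue
        if net == own:
            return "exact-prefix hijack"
        if net.subnet_of(own):
            return "sub-prefix hijack"
    return "no conflict"


def mitigation(hijacked):
    """List counter-announcements as (prefix, relation, widely_accepted)."""
    net = ipaddress.ip_network(hijacked)
    options = [(net, "same-length")]
    if net.prefixlen < net.max_prefixlen:
        options += [(s, "more-specific") for s in net.subnets(prefixlen_diff=1)]
    return [(str(n), rel, n.prefixlen <= MAX_ACCEPTED_LEN) for n, rel in options]


def outcome(hijacked):
    """Best result the victim can expect from counter-announcing."""
    opts = mitigation(hijacked)
    if any(rel == "more-specific" and ok for _, rel, ok in opts):
        return "win"      # de-aggregated halves beat the hijack by longest match
    if any(rel == "same-length" and ok for _, rel, ok in opts):
        return "tie"      # left to ordinary BGP path selection
    return "partial"      # helps only where longer-than-/24 routes are accepted
```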