No one has permission to announce that subnet. It is apparently being announced by TINET in Italy. I shall have to write to them to find out what's going on. It may be a mistake or it may be a prefix hijack; it wouldn't be the first.
Thank you for calling it to my attention. Somehow our BGP monitoring missed it.
I have 4 snapshots of the BGP routed subnet situation here, and this entry is present in all of them. It apparently is not a recent change.
ampr/bgpnets-201406:44.68.52.0/24
ampr/bgpnets-201406:44.68.52.0, 44.68.52.255, "AS12637 Seeweb s.r.l."
ampr/data-add-ARIN-201508: 12637 44.68.52.0/24
ampr/data-add-ARIN-201512: 12637 44.68.52.0/24
ampr/data-add-ARIN-201601: 12637 44.68.52.0/24
Rob
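A check over snapshot lines like the ones quoted above, added here as an example and not part of the original message: it flags any prefix inside the monitored block whose origin AS is not on an allow-list, and reports the first and last snapshot in which it appears. The 44.0.0.0/8 scope, the allow-list entry and ASN 64496 are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the address block being watched is 44.0.0.0/8.
MONITORED = ipaddress.ip_network("44.0.0.0/8")

# Hypothetical allow-list of (covering prefix, origin ASN) pairs approved by
# the address holder. Prefix and ASN 64496 (RFC 5398) are constructed.
AUTHORIZED = [(ipaddress.ip_network("44.24.0.0/16"), 64496)]

# Matches grep output shaped like the lines quoted in the thread:
#   ampr/data-add-ARIN-201508: 12637 44.68.52.0/24
LINE_RE = re.compile(r"^\S*-(\d{6}):\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s*$")

# First three lines are from the thread; the last two are constructed.
SAMPLE = [
    "ampr/data-add-ARIN-201508: 12637 44.68.52.0/24",
    "ampr/data-add-ARIN-201512: 12637 44.68.52.0/24",
    "ampr/data-add-ARIN-201601: 12637 44.68.52.0/24",
    "ampr/data-add-ARIN-201601: 64496 44.24.240.0/20",
    "ampr/data-add-ARIN-201601: 64496 192.0.2.0/24",
]


def unauthorized_origins(lines):
    """Map (prefix, origin ASN) -> (first snapshot, last snapshot, count)
    for announcements inside MONITORED that the allow-list does not cover."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines in other formats are skipped, not guessed at
        snapshot, asn = m.group(1), int(m.group(2))
        try:
            net = ipaddress.ip_network(m.group(3))
        except ValueError:
            continue  # malformed prefix or host bits set
        if not net.subnet_of(MONITORED):
            continue
        if any(net.subnet_of(p) and asn == a for p, a in AUTHORIZED):
            continue
        seen[(str(net), asn)].append(snapshot)
    return {k: (min(v), max(v), len(v)) for k, v in seen.items()}


if __name__ == "__main__":
    for (prefix, asn), (first, last, n) in unauthorized_origins(SAMPLE).items():
        print(f"{prefix} origin AS{asn}: seen in {n} snapshots, {first} to {last}")
```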
Checking back I see that I wrote to them a few years ago asking what was going on and not getting any reply. Let's see if I get anything back this time. The fact is that there's very little we can actually do if someone hijacks some of our network space. - Brian
On Sat, Feb 27, 2016 at 11:33:53AM +0100, Rob Janssen wrote:
I have 4 snapshots of the BGP routed subnet situation here, and this entry is present in all of them. It apparently is not a recent change.
ampr/bgpnets-201406:44.68.52.0/24
ampr/bgpnets-201406:44.68.52.0, 44.68.52.255, "AS12637 Seeweb s.r.l."
ampr/data-add-ARIN-201508: 12637 44.68.52.0/24
ampr/data-add-ARIN-201512: 12637 44.68.52.0/24
ampr/data-add-ARIN-201601: 12637 44.68.52.0/24
On 02/27/2016 02:40 PM, Brian Kantor wrote:
The fact is that there's very little we can actually do if someone hijacks some of our network space.
- Brian
That is really bad news...
Best regards.
Hijack it back?
On 16-02-27 10:02 AM, Tom SP2L wrote:
(Please trim inclusions from previous messages) _______________________________________________ On 02/27/2016 02:40 PM, Brian Kantor wrote:
The fact is that there's very little we can actually do if someone hijacks some of our network space. - Brian
That is really bad news...
Best regards.
Maybe we will ask to hams to fight that network doing DOS attacks we have plenty of hams and we can do it very easy
________________________________________ From: 44Net 44net-bounces+ronenp=hotmail.com@hamradio.ucsd.edu on behalf of Brian Kantor Brian@UCSD.Edu Sent: Saturday, February 27, 2016 7:01 AM To: AMPRNet working group Subject: Re: [44net] BGP stats for AMPRNet
Not very practical, I regret to say. - Brian
On Sat, Feb 27, 2016 at 10:22:18AM -0400, ve1jot wrote:
Hijack it back?
_________________________________________ 44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
That makes us criminals and bad network neighbors. Don't even think about it. - Brian
On Sat, Feb 27, 2016 at 03:26:48PM +0000, R P wrote:
Maybe we will ask to hams to fight that network doing DOS attacks we have plenty of hams and we can do it very easy
As a note, even though it's a weekend, SEEWEB has responded and we are working things out. - Brian
Excellent ... Ignore my angry mail I wrote for Tim about that subject. Just for curiosity, may you ask them what this announcement was (mistake? or maybe something else)
________________________________________ From: 44Net 44net-bounces+ronenp=hotmail.com@hamradio.ucsd.edu on behalf of Brian Kantor Brian@UCSD.Edu Sent: Saturday, February 27, 2016 8:10 AM To: AMPRNet working group Subject: Re: [44net] BGP stats for AMPRNet
As a note, even though it's a weekend, SEEWEB has responded and we are working things out. - Brian
On Sat, 27 Feb 2016, Brian Kantor wrote:
Checking back I see that I wrote to them a few years ago asking what was going on and not getting any reply. Let's see if I get anything back this time. The fact is that there's very little we can actually do if someone hijacks some of our network space.
- Brian
Brian, Did a quick research on them, here's some more info you can use to email them and tell them to stop. If you don't get anywhere let me know and we can then take it up with their providers for allowing their customer to illegally announce prefixes that they are not authorized to announce. I'm guessing they do care as they seem to be a somewhat sizable hosting company. Might Email a few of the specific personal Emails below of the key employees :)
General Email: hostmaster@seeweb.it noc@seeweb.it abuse@seeweb.it info@seeweb.it domini@seeweb.it
28 people are listed on linked-in, only listing a few:
--------------------------------------------------------------------
Antonio Baldassarra antoniob@seeweb.it CEO at Seeweb srl https://it.linkedin.com/in/antonio-baldassarra-82511b1
Fabio Fedele fafed@seeweb.it Coordinatore Tecnico presso Seeweb https://it.linkedin.com/in/fabio-fedele-4003623b
Marco d'Itri md@seeweb.it Internet Oompa-Loompa https://www.linkedin.com/in/rfc1036
Claudia Antobenedetti claudia.a@seeweb.com Account Manager at SEEWEB srl https://it.linkedin.com/in/claudia-antobenedetti-0a95618
Chiara Grande chiara.g@seeweb.it Customer Care https://www.linkedin.com/in/chiara-grande-338b8538/en
Tamara Arduini Amministrazione Generale https://it.linkedin.com/in/tamara-arduini-aa783545
Loreno Edelmondo loreno.e@seeweb.it Supporto Tecnico
Gianluca Geralico gianlucag@seeweb.it Registrazione Domini
They purposely put a routing object in IRR Nov 29, 2009
-------------------------------------------------------
route: 44.68.52.0/24
descr: Seeweb s.r.l.
origin: AS12637
mnt-by: SEEWEB-MNT
changed: noc@seeweb.it 20091129
source: RIPE
44.68.52.0/24 announced by AS12637 and 26 other prefixes
General info from their web page ----------------------------------------------
Milano via Caldera, 21 edificio B - 20153 - Italia (+39) 02 87365100
Frosinone C.so Lazio, 9/a 03100 Italia (+39) 0775 880 041
Frosinone Via A. Vona, 66 03100 Italia (+39) 0775 880 041
info@seeweb.it
General info from whois and RADB
----------------------------------------------------------
aut-num: AS12637
as-name: SEEWEB
descr: Seeweb s.r.l.
descr: Web hosting, colocation and cloud services

person: Marco d'Itri
address: Seeweb s.r.l.
address: Via Caldera 21 - edificio B
address: I-20153 Milano

person: Antonio Baldassarra
address: SEEWEB Hosting Company
address: C.so Lazio 9/a
address: I-03100 Frosinone

person: Fabio Fedele
address: corso Lazio 9/a
address: 03100 Frosinone - IT
address: Italy
phone: +39 0775 880041
fax-no: +39 0775 830054

role: NOC Seeweb
address: Corso Lazio 9/a
address: I-03100 Frosinone
phone: +39-0775-880041 ext. 1
fax-no: +39-0775-830054
abuse-mailbox: abuse@seeweb.it

role: Seeweb Abuse Desk
address: Corso Lazio 9/a
address: I-03100 Frosinone
phone: +39-0775-880041 ext. 1
fax-no: +39-0775-830054
abuse-mailbox: abuse@seeweb.it
Tim Osburn http://www.m2os.com W7RSZ / JG1MBR
Thanks, I've written to a few of those addresses already and I'll keep the others in reserve in case I don't get any reply in a few days. - Brian
On Sun, Feb 28, 2016 at 12:01:37AM +0900, Tim Osburn wrote:
On Sat, 27 Feb 2016, Brian Kantor wrote:
Checking back I see that I wrote to them a few years ago asking what was going on and not getting any reply. Let's see if I get anything back this time. The fact is that there's very little we can actually do if someone hijacks some of our network space.
- Brian
Brian, Did a quick research on them, here's some more info you can use to email them and tell them to stop. If you don't get anywhere let me know and we can then take it up with their providers for allowing their customer to illegally announce prefixes that they are not authorized to announce. I'm guessing they do care as they seem to be a somewhat sizable hosting company. Might Email a few of the specific personal Emails below of the key employees :)
Brian If someone announce that network BGP and you announce it from your main router would your announcement will be "more dominant" and the network will return to UCSD back ? if the answer is yes maybe this is the way to stop someone from hijacking our network
________________________________________ From: 44Net 44net-bounces+ronenp=hotmail.com@hamradio.ucsd.edu on behalf of Brian Kantor Brian@UCSD.Edu Sent: Saturday, February 27, 2016 5:40 AM To: AMPRNet working group Subject: Re: [44net] BGP stats for AMPRNet
The fact is that there's very little we can actually do if someone hijacks some of our network space. - Brian
No, at best you get route flaps.
I prefer to solve these things in a diplomatic manner. - Brian
On Sat, Feb 27, 2016 at 03:25:21PM +0000, R P wrote:
If someone announce that network BGP and you announce it from your main router would your announcement will be "more dominant" and the network will return to UCSD back ?
yes, I tend to agree...my first reaction was to want to hijack it back, but two wrongs don't make one right hi!
On 16-02-27 11:28 AM, Brian Kantor wrote:
No, at best you get route flaps.
I prefer to solve these things in a diplomatic manner.
- Brian
On Sat, Feb 27, 2016 at 03:25:21PM +0000, R P wrote:
If someone announce that network BGP and you announce it from your main router would your announcement will be "more dominant" and the network will return to UCSD back ?
If someone announce that network BGP and you announce it from your main router would your announcement will be "more dominant" and the network will return to UCSD back ? if the answer is yes maybe this is the way to stop someone from hijacking our network
Ronen, That is what they call AnyCast basically. It's also ok to announce the same space from different AS's as well. When you have multiple announcements of the same block, whoever has the shortest AS path is who you will get routed to generally. The only way to guarantee a route path win is to announce something more specific like {44.68.52.0/25, 44.68.52.128/25}, but most carriers will not accept or announce anything smaller than a /24, so that most likely will not work in this case. Correct action here is to go down the path to have them withdraw the announcement or have their carriers block it from them.
Tim Osburn http://www.m2os.com W7RSZ / JG1MBR
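A simplified model of the route selection described in the message above, added here as an illustration and not part of the original message: it shows that two origins announcing the same /24 split traffic by vantage point, and that the /25 more-specifics only win where the /24 length filter is absent. ASN 64500, the transit ASNs and the AS paths are constructed placeholders; the filter is modelled as a fixed maximum prefix length.

```python
import ipaddress

HOLDER = 64500   # placeholder documentation ASN (RFC 5398) for the address holder
OTHER = 12637    # origin AS named in the thread


def best_route(dest, routes, max_len=24):
    """Return (prefix, origin AS) a simplified BGP speaker would use for dest.

    routes: list of (prefix, as_path), with the origin AS last in as_path.
    Prefixes longer than max_len are filtered (assumed carrier policy), then
    the longest match wins and ties go to the shortest AS path. Local
    preference and the later BGP tie-breakers are not modelled.
    """
    ip = ipaddress.ip_address(dest)
    candidates = []
    for prefix, as_path in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen <= max_len and ip in net:
            candidates.append((-net.prefixlen, len(as_path), prefix, as_path))
    if not candidates:
        return None
    _, _, prefix, as_path = min(candidates)
    return prefix, as_path[-1]


# Constructed routing tables for two vantage points; transit ASNs are
# documentation numbers, not real paths.
NEAR_OTHER = [
    ("44.68.52.0/24", [64497, OTHER]),
    ("44.68.52.0/24", [64498, 64499, HOLDER]),
]
NEAR_HOLDER = [
    ("44.68.52.0/24", [64497, 64496, OTHER]),
    ("44.68.52.0/24", [64499, HOLDER]),
]
# The same table as NEAR_OTHER plus the two /25 more-specifics from the thread.
WITH_MORE_SPECIFICS = NEAR_OTHER + [
    ("44.68.52.0/25", [64498, 64499, HOLDER]),
    ("44.68.52.128/25", [64498, 64499, HOLDER]),
]

if __name__ == "__main__":
    for name, table in [("near other", NEAR_OTHER), ("near holder", NEAR_HOLDER),
                        ("with /25s", WITH_MORE_SPECIFICS)]:
        print(name, best_route("44.68.52.10", table))
    print("no /24 filter", best_route("44.68.52.10", WITH_MORE_SPECIFICS, max_len=25))
```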
Tim, thanks for the info. I used to manage BGP: I was the system manager of an American company (NetManage). We had two internet feeds, one from the USA mother company and the other from a local ISP, and I announced the BGP from my router (we had a Class B network). But I forgot all of it; that was about 20 years ago ... As for the situation, I think that if someone put BGP for a network that does not belong to him from 2009 and is not answering mails (as Brian wrote), it is very serious. I'm not as optimistic as Brian about solving such a problem in diplomatic ways (especially if he already wrote to them long ago and did not even get an answer), but he's the "boss". I respect him for all the dedicated work he did (and is still doing) for us since the AMPR network started, and I will follow his rules, but if needed I am willing to be in the frontline to fight back against network hijackers of our network ...
NB: Not connected to network but connected to ham radio fights. Maybe the old timers (who were active on HF in those days) remember the "woodpecker", the Russian over-the-horizon radar that made a big mess on our bands. I had the "honor" to suffer from it as well. At that time, when the hams started to understand that this was an over-the-horizon radar and that nothing helped to stop its transmission, a group of ham radios started to fight back: they transmitted CW pulses with a CW keyer on the radar frequency (of course in the ham bands). Not long ago I read an article on the net about this fight ... it turned out that this fight succeeded: a monitoring station reported that every time there was a massive CW attack on the radar frequency they shifted it to another frequency (most of the time outside the ham bands). So a fight can solve things (if no other ways can). Regards Ronen - 4Z4ZQ http://www.ronen.org