27 Feb
2016
27 Feb
'16
10:33 a.m.
No one has permission to announce that subnet. It is
apparently
being announced by TINET in Italy. I shall have to write to them
to find out what's going on. It may be a mistake or it may be a
prefix hijack; it wouldn't be the first.
Thank you for calling it to my attention. Somehow our
BGP monitoring
missed it.
I have 4 snapshots of the BGP routed subnet situation here, and this entry
is present in all of them. It apparently is not a recent change.
ampr/bgpnets-201406:44.68.52.0/24
ampr/bgpnets-201406:44.68.52.0, 44.68.52.255, "AS12637 Seeweb s.r.l."
ampr/data-add-ARIN-201508: 12637 44.68.52.0/24
ampr/data-add-ARIN-201512: 12637 44.68.52.0/24
ampr/data-add-ARIN-201601: 12637 44.68.52.0/24
Rob
27 Feb
27 Feb
1:40 p.m.
New subject: BGP stats for AMPRNet
Checking back I see that I wrote to them a few years ago asking
what was going on and not getting any reply. Let's see if I get
anything back this time. The fact is that there's very little
we can actually do if someone hijacks some of our network space.
- Brian
On Sat, Feb 27, 2016 at 11:33:53AM +0100, Rob Janssen wrote:
I have 4 snapshots of the BGP routed subnet situation
here, and this entry
is present in all of them. It apparently is not a recent change.
ampr/bgpnets-201406:44.68.52.0/24
ampr/bgpnets-201406:44.68.52.0, 44.68.52.255, "AS12637 Seeweb s.r.l."
ampr/data-add-ARIN-201508: 12637 44.68.52.0/24
ampr/data-add-ARIN-201512: 12637 44.68.52.0/24
ampr/data-add-ARIN-201601: 12637 44.68.52.0/24
2:02 p.m.
New subject: BGP stats for AMPRNet
On 02/27/2016 02:40 PM, Brian Kantor wrote:
The fact is that there's very little
we can actually do if someone hijacks some of our network space.
- Brian
That is bad really news...
Best regards.
--
Tom - SP2L
------------------------------------
It is nice to be important.
But it is more important to be nice!
2:22 p.m.
New subject: BGP stats for AMPRNet
Hijack it back?
On 16-02-27 10:02 AM, Tom SP2L wrote:
(Please trim inclusions from previous messages)
_______________________________________________
On 02/27/2016 02:40 PM, Brian Kantor wrote:
The fact is that there's very little
we can actually do if someone hijacks some of our network space.
- Brian
That is bad really news...
Best regards.
3:26 p.m.
New subject: BGP stats for AMPRNet
Maybe we will ask to hams to fight that network doing DOS attacks we have plenty of
hams and we can do it very easy
________________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com(a)hamradio.ucsd.edu> on behalf of Brian
Kantor <Brian(a)UCSD.Edu>
Sent: Saturday, February 27, 2016 7:01 AM
To: AMPRNet working group
Subject: Re: [44net] BGP stats for AMPRNet
(Please trim inclusions from previous messages)
_______________________________________________
Not very practical, I regret to say.
- Brian
On Sat, Feb 27, 2016 at 10:22:18AM -0400, ve1jot wrote:
Hijack it back?
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
3:29 p.m.
New subject: BGP stats for AMPRNet
That makes us criminals and bad network neighbors.
Don't even think about it.
- Brian
On Sat, Feb 27, 2016 at 03:26:48PM +0000, R P wrote:
Maybe we will ask to hams to fight that network doing
DOS attacks we have plenty of hams and we can do it very easy
4:10 p.m.
New subject: BGP stats for AMPRNet
As a note, even though it's a weekend, SEEWEB has responded
and we are working things out.
- Brian
4:31 p.m.
New subject: BGP stats for AMPRNet
Excellent ... Ignore my angry mail i wrote for Tim about that subject
Just for curiosity may you ask them what this announcement was (mistake ? or maybe
something else )
________________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com(a)hamradio.ucsd.edu> on behalf of Brian
Kantor <Brian(a)UCSD.Edu>
Sent: Saturday, February 27, 2016 8:10 AM
To: AMPRNet working group
Subject: Re: [44net] BGP stats for AMPRNet
(Please trim inclusions from previous messages)
_______________________________________________
As a note, even though it's a weekend, SEEWEB has responded
and we are working things out.
- Brian
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
3:01 p.m.
New subject: BGP stats for AMPRNet
On Sat, 27 Feb 2016, Brian Kantor wrote:
Checking back I see that I wrote to them a few years
ago asking
what was going on and not getting any reply. Let's see if I get
anything back this time. The fact is that there's very little
we can actually do if someone hijacks some of our network space.
- Brian
Brian,
Did a quick research on them, here's some more info you can use to email
them and tell them to stop. If you don't get anywhere let me know and we can
then take it up with their providers for allowing their customer to illegally
announce prefixes that they are not authorize to announce. I'm guessing they do
care as they seem to be a somewhat sizable hosting company. Might Email a few of
the specific personal Emails below of the key employees :)
General Email:
hostmaster(a)seeweb.it
noc(a)seeweb.it
abuse(a)seeweb.it
info(a)seeweb.it
domini(a)seeweb.it
28 people are listed on linked-in, only listing a few:
--------------------------------------------------------------------
Antonio Baldassarra <antoniob(a)seeweb.it>
CEO at Seeweb srl
https://it.linkedin.com/in/antonio-baldassarra-82511b1
Fabio Fedele <fafed(a)seeweb.it>
Coordinatore Tecnico presso Seeweb
https://it.linkedin.com/in/fabio-fedele-4003623b
Marco d'Itri <md(a)seeweb.it>
Internet Oompa-Loompa
https://www.linkedin.com/in/rfc1036
Claudia Antobenedetti <claudia.a(a)seeweb.com>
Account Manager at SEEWEB srl
https://it.linkedin.com/in/claudia-antobenedetti-0a95618
Chiara Grande <chiara.g(a)seeweb.it>
Customer Care
https://www.linkedin.com/in/chiara-grande-338b8538/en
Tamara Arduini
Amministrazione Generale
https://it.linkedin.com/in/tamara-arduini-aa783545
Loreno Edelmondo <loreno.e(a)seeweb.it>
Supporto Tecnico
Gianluca Geralico <gianlucag(a)seeweb.it>
Registrazione Domini
They purposely put a routing object in IRR Nov 29, 2009
-------------------------------------------------------
route: 44.68.52.0/24
descr: Seeweb s.r.l.
origin: AS12637
mnt-by: SEEWEB-MNT
changed: noc(a)seeweb.it 20091129
source: RIPE
44.68.52.0/24 announced by AS12637 and 26 other prefixes
---------------------------------------------------------
5.144.160.0/20
31.14.183.0/24
37.9.224.0/20
37.9.239.0/24
44.68.52.0/24
77.81.143.0/24
85.94.192.0/19
85.94.208.0/20
86.106.76.0/24
91.206.74.0/23
91.233.181.0/24
95.169.64.0/20
95.174.0.0/19
176.56.128.0/21
176.223.119.0/24
185.24.104.0/22
185.47.108.0/22
193.200.3.0/24
195.182.210.0/23
195.200.94.0/24
195.200.95.0/24
212.25.160.0/19
212.35.192.0/19
213.171.160.0/19
217.64.192.0/20
217.194.0.0/20
General info from their web page
----------------------------------------------
Milano via Caldera,
21
edificio B - 20153 - Italia
(+39) 02 87365100
Frosinone C.so Lazio, 9/a
03100 Italia
(+39) 0775 880 041
Frosinone Via A. Vona, 66
03100 Italia
(+39) 0775 880 041
info(a)seeweb.it
General info from whois and RADB
----------------------------------------------------------
aut-num: AS12637
as-name: SEEWEB
descr: Seeweb s.r.l.
descr: Web hosting, colocation and cloud services
person: Marco d'Itri
address: Seeweb s.r.l.
address: Via Caldera 21 - edificio B
address: I-20153 Milano
person: Antonio Baldassarra
address: SEEWEB Hosting Company
address: C.so Lazio 9/a
address: I-03100 Frosinone
person: Fabio Fedele
address: corso Lazio 9/a
address: 03100 Frosinone - IT
address: Italy
phone: +39 0775 880041
fax-no: +39 0775 830054
role: NOC Seeweb
address: Corso Lazio 9/a
address: I-03100 Frosinone
phone: +39-0775-880041 ext. 1
fax-no: +39-0775-830054
abuse-mailbox: abuse(a)seeweb.it
role: Seeweb Abuse Desk
address: Corso Lazio 9/a
address: I-03100 Frosinone
phone: +39-0775-880041 ext. 1
fax-no: +39-0775-830054
abuse-mailbox: abuse(a)seeweb.it
Tim Osburn
http://www.m2os.com
W7RSZ / JG1MBR
https://instagram.com/tim.osburn/
3:10 p.m.
New subject: BGP stats for AMPRNet
Thanks, I've written to a few of those addresses already and
I'll keep the others in reserve in case I don't get any reply
in a few days.
- Brian
On Sun, Feb 28, 2016 at 12:01:37AM +0900, Tim Osburn wrote:
On Sat, 27 Feb 2016, Brian Kantor wrote:
Checking back I see that I wrote to them a few
years ago asking
what was going on and not getting any reply. Let's see if I get
anything back this time. The fact is that there's very little
we can actually do if someone hijacks some of our network space.
- Brian
Brian,
Did a quick research on them, here's some more info you can use to
email them and tell them to stop. If you don't get anywhere let me
know and we can then take it up with their providers for allowing
their customer to illegally announce prefixes that they are not
authorize to announce. I'm guessing they do care as they seem to be a
somewhat sizable hosting company. Might Email a few of the specific
personal Emails below of the key employees :)
General Email:
hostmaster(a)seeweb.it
noc(a)seeweb.it
abuse(a)seeweb.it
info(a)seeweb.it
domini(a)seeweb.it
28 people are listed on linked-in, only listing a few:
--------------------------------------------------------------------
Antonio Baldassarra <antoniob(a)seeweb.it>
CEO at Seeweb srl
https://it.linkedin.com/in/antonio-baldassarra-82511b1
Fabio Fedele <fafed(a)seeweb.it>
Coordinatore Tecnico presso Seeweb
https://it.linkedin.com/in/fabio-fedele-4003623b
Marco d'Itri <md(a)seeweb.it>
Internet Oompa-Loompa
https://www.linkedin.com/in/rfc1036
Claudia Antobenedetti <claudia.a(a)seeweb.com>
Account Manager at SEEWEB srl
https://it.linkedin.com/in/claudia-antobenedetti-0a95618
Chiara Grande <chiara.g(a)seeweb.it>
Customer Care
https://www.linkedin.com/in/chiara-grande-338b8538/en
Tamara Arduini
Amministrazione Generale
https://it.linkedin.com/in/tamara-arduini-aa783545
Loreno Edelmondo <loreno.e(a)seeweb.it>
Supporto Tecnico
Gianluca Geralico <gianlucag(a)seeweb.it>
Registrazione Domini
They purposely put a routing object in IRR Nov 29, 2009
-------------------------------------------------------
route: 44.68.52.0/24
descr: Seeweb s.r.l.
origin: AS12637
mnt-by: SEEWEB-MNT
changed: noc(a)seeweb.it 20091129
source: RIPE
44.68.52.0/24 announced by AS12637 and 26 other prefixes
---------------------------------------------------------
5.144.160.0/20
31.14.183.0/24
37.9.224.0/20
37.9.239.0/24
44.68.52.0/24
77.81.143.0/24
85.94.192.0/19
85.94.208.0/20
86.106.76.0/24
91.206.74.0/23
91.233.181.0/24
95.169.64.0/20
95.174.0.0/19
176.56.128.0/21
176.223.119.0/24
185.24.104.0/22
185.47.108.0/22
193.200.3.0/24
195.182.210.0/23
195.200.94.0/24
195.200.95.0/24
212.25.160.0/19
212.35.192.0/19
213.171.160.0/19
217.64.192.0/20
217.194.0.0/20
General info from their web page
----------------------------------------------
Milano via
Caldera, 21
edificio B - 20153 - Italia
(+39) 02 87365100
Frosinone C.so Lazio, 9/a
03100 Italia
(+39) 0775 880 041
Frosinone Via A. Vona, 66
03100 Italia
(+39) 0775 880 041
info(a)seeweb.it
General info from whois and RADB
----------------------------------------------------------
aut-num: AS12637
as-name: SEEWEB
descr: Seeweb s.r.l.
descr: Web hosting, colocation and cloud services
person: Marco d'Itri
address: Seeweb s.r.l.
address: Via Caldera 21 - edificio B
address: I-20153 Milano
person: Antonio Baldassarra
address: SEEWEB Hosting Company
address: C.so Lazio 9/a
address: I-03100 Frosinone
person: Fabio Fedele
address: corso Lazio 9/a
address: 03100 Frosinone - IT
address: Italy
phone: +39 0775 880041
fax-no: +39 0775 830054
role: NOC Seeweb
address: Corso Lazio 9/a
address: I-03100 Frosinone
phone: +39-0775-880041 ext. 1
fax-no: +39-0775-830054
abuse-mailbox: abuse(a)seeweb.it
role: Seeweb Abuse Desk
address: Corso Lazio 9/a
address: I-03100 Frosinone
phone: +39-0775-880041 ext. 1
fax-no: +39-0775-830054
abuse-mailbox: abuse(a)seeweb.it
Tim Osburn
http://www.m2os.com
W7RSZ / JG1MBR
https://instagram.com/tim.osburn/
3:25 p.m.
New subject: BGP stats for AMPRNet
Brian
If someone announce that network BGP and you announce it from your main router
would your announcement will be "more dominant" and the network will return to
UCSD back ?
if the answer us yes maybe this is the way to stop someone from hijacking our network
________________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com(a)hamradio.ucsd.edu> on behalf of Brian
Kantor <Brian(a)UCSD.Edu>
Sent: Saturday, February 27, 2016 5:40 AM
To: AMPRNet working group
Subject: Re: [44net] BGP stats for AMPRNet
(Please trim inclusions from previous messages)
_______________________________________________
The fact is that there's very little
we can actually do if someone hijacks some of our network space.
- Brian
On Sat, Feb 27, 2016 at 11:33:53AM +0100, Rob Janssen wrote:
I have 4 snapshots of the BGP routed subnet situation
here, and this entry
is present in all of them. It apparently is not a recent change.
ampr/bgpnets-201406:44.68.52.0/24
ampr/bgpnets-201406:44.68.52.0, 44.68.52.255, "AS12637 Seeweb s.r.l."
ampr/data-add-ARIN-201508: 12637 44.68.52.0/24
ampr/data-add-ARIN-201512: 12637 44.68.52.0/24
ampr/data-add-ARIN-201601: 12637 44.68.52.0/24
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
3:28 p.m.
New subject: BGP stats for AMPRNet
No, at best you get route flaps.
I prefer to solve these things in a diplomatic manner.
- Brian
On Sat, Feb 27, 2016 at 03:25:21PM +0000, R P wrote:
If someone announce that network BGP and you
announce it from your main router
would your announcement will be "more dominant" and the network will return to
UCSD back ?
9:57 p.m.
New subject: BGP stats for AMPRNet
yes, I tend to agree...my first reaction was to want to hijack it back,
but two wrongs don't make one right hi!
On 16-02-27 11:28 AM, Brian Kantor wrote:
(Please trim inclusions from previous messages)
_______________________________________________
No, at best you get route flaps.
I prefer to solve these things in a diplomatic manner.
- Brian
On Sat, Feb 27, 2016 at 03:25:21PM +0000, R P wrote:
If someone announce that network BGP and you
announce it from your main router
would your announcement will be "more dominant" and the network will return to
UCSD back ?
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
3:48 p.m.
New subject: BGP stats for AMPRNet
If someone announce that network BGP and you announce
it from your main router
would your announcement will be "more dominant" and the network will return to
UCSD back ? if the answer us yes maybe this is the way to stop someone from
hijacking our network
Ronen,
That is what they call AnyCast basically. It's also ok to announce the
same space from different AS's as well. When you have multiple announcements of
the same block. Who ever has the shortest AS path is who you will get routed to
generally. The only way to guarantee a route path win is to announce something
more specific like {44.68.52.0/25, 44.68.52.128/25}, but most carriers will not
accept or announce anything smaller then a /24 so that most likely will not work
in this case. Correct action here is to go down the path to have them withdraw
the announcement or have their carriers block it from them.
Tim Osburn
http://www.m2os.com
W7RSZ / JG1MBR
https://instagram.com/tim.osburn/
4:28 p.m.
New subject: BGP stats for AMPRNet
Tim
Thank for the info
I used to manage BGP
I was the System manager of an american company (NetManage) we had two internet feeds
one from the USA mother company and other is from Local ISP and I announced the BGP
from my router (we had Class B network ) But I forgot all it that was about 20 years ago
...
As for the situation
I think that if someone put BGP for network that not belong to him from from 2009 and
not answering mails (as Brian wrote) is very serious
Im not so optimistic as Brian in solving such a problem in diplomatic ways ..
(specially if he already wrote them long ago and not even got answer ) but hes the
"boss" i respect him for all his dedicated work he did (and still doing ) for us
since the AMPR network started and i will follow his rules
but if needed i am willing to be in the frontline to fight back against Network
Hijackers of our network ...
NB Not connected to Network but connected to Hamradio Fights
Maybe the Old Timers (who was active on the HF those days) remember the
"woodpecker" the Russian Over The Horizon Radar that make big mess on our
Bands
I had the "honor" to to suffer from it as well ..
at those times when the hams start to understand that this is a Over the Horizon Radar
and that nothing help to stop its transmission a group of ham radios start to fight back
they transmitted with CW keyer CW pulses on the radar frequency (of course in the
ham bands)
not long ago i have read article on the net about this fight ...
it tern out that this fight succeeded a monitors station reported that every time
that was a massive CW attack on the radar frequency they shifted it to another frequency
(most of the time outside the ham-bands)
so fight can solve things (if no other ways can)
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
________________________________________
in this case. Correct action here is to go down the path to have them withdraw
the announcement or have their carriers block it from them.
Tim Osburn
http://www.m2os.com
W7RSZ / JG1MBR
https://instagram.com/tim.osburn/
_________________________________________
44Net mailing list
44Net(a)hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
2991
days inactive
2991
days old
15 comments
6 participants
participants (6)
-
Brian Kantor -
R P -
Rob Janssen -
Tim Osburn -
Tom SP2L -
ve1jot