logoalt Hacker News

galaxygatetoday at 4:51 PM2 repliesview on HN

Affected customer here, if you're curious on our original NANOG post on the whole situation:

Hey NANOG,

After receiving a BGPAlerter notification that one of our subnets (23.150.164.0/24) had been hijacked, I checked and noticed the prefix in question was missing RPKI. Assuming I had fat fingered something and butchered the ROA, I logged into ARIN and found that the prefix was missing from our resource list entirely, and had been reallocated to another organization and announced from their network. I created a ticket in ARIN and called immediately.

They confirmed that our subnet had been accidentally reallocated to another customer, and that they are currently working on returning it to us. After a couple hours, they told us the other organization will stop announcing the prefix, and WHOIS will be returned shortly.

I’m guessing there’s no way to prevent this kind of thing on our side if the RPKI ROA itself is removed along with the allocation? I’m planning on adding checks to look for missing ROAs (in addition to invalid/expiring ones), which I'm guessing would've caught this earlier.

Have any of you had anything like this happen with ARIN or another RIR? I’m especially curious what might have happened if we’d only noticed and reached out a few weeks later instead of within a few minutes.

Replies

Titan2189today at 6:35 PM

The original report says

> The incorrect state persisted for approximately seven days before detection

However you're saying you've reached out "within a few minutes" ?

show 2 replies
thaumaturgytoday at 6:01 PM

Off-topic, but: I see you've got a green username (new account). How did you know this post was on the HN front page? ARIN's writeup doesn't mention your service by name. I looked it up out of curiosity from the CIDR they mentioned, before clicking over into the comments here. Unless you've got a regular HN account and just set up a new business-facing one for this?

I periodically see people showing up early in comment threads posted about things they've written or articles where they're the subject. Usually I figure they've got a Google alert or some other whatsit, or they've got something monitoring referers in their web traffic. But this is a case where neither would apply.

show 2 replies