<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>In the current state of society with certain governmental
agencies performing things the way they are, I don't trust any ISP
anymore or government agency anymore. The apology from that ISP,
in my opinion, smells like the worst pile of crap ever. I don't
buy it.</p>
<p>I wish there was a way for us to run a TOR network without having
to be on an ISP's network.<br>
</p>
<br>
<div class="moz-cite-prefix">On 05/14/2018 10:39 AM, Trevor
Ellermann wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CANiDOiD5GZEEGorBikveV4A2Byf4FY3FocGx+ryMgt4nCoqSbQ@mail.gmail.com">
<div dir="ltr">Thanks for the responses. To follow up this is how
the offending ISP responded to our inquiries. I do not believe
any further follow up is necessary.
<div><br>
</div>
<div>*snip*</div>
<div>
<div>Thank you for getting in touch.</div>
<div><br>
</div>
<div>I am afraid an engineer made an error in the BGP
configuration of one of our devices earlier this afternoon,
which resulted in a number of host routes being inadvertently
announced to certain of our upstream providers.</div>
<div><br>
</div>
<div>The route itself existed as part of a set of prefixes
internally routed to null on our network. This particular
IP hosts a TOR relay node, and while that is perfectly
legitimate we have a business requirement to block access to
these internally:</div>
<div><br>
</div>
<div><a
href="https://metrics.torproject.org/rs.html#details/383D6E34D9BEA92E97092B134A708EEF476DF2E4"
target="_blank" moz-do-not-send="true">https://metrics.torproject.<wbr>org/rs.html#details/<wbr>383D6E34D9BEA92E97092B134A708E<wbr>EF476DF2E4</a></div>
<div><br>
</div>
<div>The route should never have been announced outside our
own AS. Unfortunately due to human error it was advertised
earlier today (May 9th) from approx. 11:04 to 11:10 UTC. I
can assure you this was an unintentional error, we had no
desire to interrupt or affect communications outside our
AS. The mistake was quickly spotted by our own NOC team and
reverted.</div>
<div><br>
</div>
<div>I hope you can accept our sincere apologies for this
issue, we have taken steps to ensure that any similar
mistake will not have such impact in future.</div>
</div>
<div>*snip*</div>
<div class="gmail_extra">
<br>
<div class="gmail_quote">On Wed, May 9, 2018 at 11:54 AM,
grarpamp <span dir="ltr">&lt;<a
href="mailto:grarpamp@gmail.com" target="_blank"
moz-do-not-send="true">grarpamp@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On
Wed, May 9, 2018 at 2:06 PM, Trevor Ellermann &lt;<a
href="mailto:trevor@ellermann.net" target="_blank"
moz-do-not-send="true">trevor@ellermann.net</a>&gt;
wrote:<br>
> I just got a notification from my data center that
someone is trying to hijack<br>
> the IP of my exit node. Seems like the sort of
thing someone might do when<br>
> trying to attack Tor. I'm in a very remote area
with limited access but any<br>
> suggestions on actions I should take?<br>
<br>
</span>Make sure your box and keys aren't compromised.<br>
If that's ok, best they can do if the announcements are<br>
listened to is camp on the ip for a while using their own
keys,<br>
(there might be some identification attacks made possible
with<br>
such a transient reroute,) circuits would fail till the
consensus<br>
updated to them, but there could be some duplicate ip
split horizon<br>
issues involved due to filtering.<br>
If they hacked the boxes there's hardly need to expend
noisy<br>
reroutes when they can do most attacks using the box
itself.<br>
<br>
Hop on the route servers or your other favorite interfaces<br>
to the net and analyze who all is announcing /32's trying
to<br>
cover any other tor nodes.<br>
<br>
Sane ISPs will filter such things without prior
coordination. It's fairly rare,<br>
and for them to bother giving customers courtesy reports.
Though<br>
depending on nature of ticket / relationship with GBLX,
you might want<br>
to reply saying you've never worked with Asavie and don't
approve<br>
of the action regarding your IP.<br>
<br>
You can also search AS200005 to see what kind of heat<br>
they catch from other operators / internet analysis tools.<br>
<span class="m_-5095930169604774368im
m_-5095930169604774368HOEnZb"><br>
> ==============================<wbr>==============================<wbr>========<br>
> Possible Prefix Hijack (Code: 10)<br>
> ==============================<wbr>==============================<wbr>========<br>
> Your prefix: <a
href="http://204.17.32.0/19" rel="noreferrer"
target="_blank" moz-do-not-send="true">204.17.32.0/19</a>:<br>
> Prefix Description: GBLX-US-BGP<br>
> Update time: 2018-05-09 12:11 (UTC)<br>
> Detected by #peers: 1<br>
> Detected prefix: <a
href="http://204.17.56.42/32" rel="noreferrer"
target="_blank" moz-do-not-send="true">204.17.56.42/32</a><br>
> Announced by: AS200005 (Asavie Technologies
Limited)<br>
> Upstream AS: AS200005 (Asavie Technologies
Limited)<br>
> ASpath: 200005<br>
><br>
><br>
> <a
href="https://torstatus.blutmagie.de/router_detail.php?FP=383d6e34d9bea92e97092b134a708eef476df2e4"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://torstatus.blutmagie.de<wbr>/router_detail.php?FP=383d6e34<wbr>d9bea92e97092b134a708eef476df2<wbr>e4</a><br>
</span>
<div class="m_-5095930169604774368HOEnZb">
<div class="m_-5095930169604774368h5">______________________________<wbr>_________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org"
target="_blank" moz-do-not-send="true">tor-relays@lists.torproject.or<wbr>g</a><br>
<a
href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays"
rel="noreferrer" target="_blank"
moz-do-not-send="true">https://lists.torproject.org/c<wbr>gi-bin/mailman/listinfo/tor-re<wbr>lays</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
<br>
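<p>Added example, not part of the thread and not any poster's code: a sketch of the check suggested in the quoted reply, scanning observed BGP announcements for routes that cover watched relay addresses and differ from the expected covering prefix or origin. The prefix, host route and AS200005 come from the alert above; AS64500, the second relay address, the sample announcements and the function names are constructed placeholders.</p>

```python
import ipaddress

# Baseline: covering prefix -> origin ASN expected to announce it.
# 204.17.32.0/19 is from the alert in the thread; AS64500 is a documentation
# placeholder, since the thread does not give the legitimate origin ASN.
EXPECTED = {ipaddress.ip_network("204.17.32.0/19"): 64500}

# Watched relay addresses: the first is from the thread, the second is constructed.
RELAYS = [ipaddress.ip_address("204.17.56.42"),
          ipaddress.ip_address("198.51.100.7")]

# Constructed sample of observed announcements: (prefix, AS path, origin last).
OBSERVED = [
    ("204.17.32.0/19", [64496, 64500]),   # normal covering route
    ("204.17.56.42/32", [200005]),        # host route reported in the alert
    ("198.51.100.0/24", [64496, 64501]),  # covers a relay, no baseline known
    ("203.0.113.0/24", [64499]),          # covers no watched relay
]

def best_route(address, observed):
    """Longest-prefix match: the announcement a router that accepted all of
    them would forward on, which is why a leaked /32 beats the /19."""
    nets = [(ipaddress.ip_network(p), path) for p, path in observed]
    matches = [m for m in nets if address in m[0]]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def find_suspect_routes(observed, expected, relays):
    """Flag announcements covering a watched relay that are more specific
    than the baseline, come from another origin, or have no baseline."""
    findings = []
    for prefix_text, as_path in observed:
        prefix = ipaddress.ip_network(prefix_text)
        hit = [str(r) for r in relays if r in prefix]
        if not hit:
            continue
        baseline = [c for c in expected if prefix.subnet_of(c)]
        if not baseline:
            reasons = ["no-baseline"]
        else:
            cover = max(baseline, key=lambda c: c.prefixlen)
            reasons = []
            if prefix.prefixlen > cover.prefixlen:
                reasons.append("more-specific")
            if as_path[-1] != expected[cover]:
                reasons.append("origin-mismatch")
        if reasons:
            findings.append((prefix_text, as_path[-1], hit, reasons))
    return findings
```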
</body>
</html>