Internal process for handling route hijacking reports
With increased interest in BGP hijacking (also known as “route hijacking”), we thought it might be helpful to explain how we currently handle these reports. First of all, the Registration Services team receives route hijacking complaints from many different sources including other RIRs, customers, people that report them on network operator mailing lists (e.g. NANOG), SPAM enforcement companies, fraud reports entered on the ARIN website, feedback reports and many other avenues. These reports are always brought to my attention as the leader of the team, and I perform a quick review of the situation and then assign it to our Technical Services Lead, Jon Worley, or to the RSD Manager, Lisa Liedel. Currently we investigate these reports, but do not log or produce reports regarding these incidents. On average, the team spends between 10-20 hours per month on this activity.
Once we have received a report, we investigate it as follows:
- Review for accuracy.
- Ensure that it has potential to be a possible hijacking.
- Review the history of the number resource reported as hijacked.
- Reach out to the ASN holder that the reported hijacked routes are being announced from if they are in the ARIN region. If they are instead a customer of any other RIR, then we will coordinate with the other RIR (who will usually reach out to the ASN holder directly.) This process has worked well, and there have been many instances that have resulted in having hijacked routes removed.
The main reason that ARIN does not report on this activity is because it is extremely difficult to identify the entity that is actually behind the hijacking. Almost always, the ASN that is announcing the hijacked routes will remove them or let us know that they have some reason for routing them. At the time we normally advise the network involved to reach out to the Points of Contact (POCs) in Whois to confirm that the routing is incorrect. There are times when we have to go to the upstream ASN holder when the ASN announcing is unresponsive and it is apparent that the space should not be routed (e.g. for address space which is presently in RIR inventory.)
ARIN takes route hijacking very seriously, and does work, where possible, to address these issues. If you would like more information or would like to see this reported on at an upcoming ARIN meeting, please reach out and let us know. You can contact the Help Desk, Monday through Friday 7:00 AM – 7:00PM ET, +1.703.227.0660.