I run a couple free/paid image and web hosting services.
Yesterday around 11AM we lost connectivity from certain locations to our main IP. Tracerts (as seen below) are stopping at the same point every time. Other IP addresses on our network work fine.
The next 2 hops that we should be seeing in tracerts are to an AT&T handoff to GBLX, then a GBLX router.
I've contacted every abuse, help, and rbl address I can find at both AT&T and GBLX to no avail. The contacts for the IP at ARIN (of which I am one) weren't notified of anything like that though.
It's been suggested by the people at our datacenter that we might have been blackholed by one of these two providers. We don't send spam, and our users don't have mail service or the ability to use sendmail. We do offer free file storage/hosting, and get the occasional phishing site or trojan uploaded, but we attend to them immediately when notified and remove any offending content on the spot.
This has affected a large chunk of our quarter million users, anyone who takes a route through AT&T to reach the sites. Other routes many people take (through L(3) for example) aren't affected. Can anyone offer any suggestions? We've already moved the IPs for the two sites on this IP to two different IPs, which is a quick fix, but I need that IP to work...
C:\Documents and Settings\Scott.OPTIPLEX>tracert ripway.com
Tracing route to ripway.com [18.104.22.168]
over a maximum of 30 hops:
1 4 ms 1 ms 1 ms 192.168.1.1
2 16 ms 17 ms 12 ms 10.100.224.1
3 11 ms 8 ms 10 ms 22.214.171.124
4 8 ms 7 ms 7 ms mtc1dsrc01-gew0303.rd.om.cox.net [126.96.36.199]
5 13 ms 10 ms 8 ms 188.8.131.52
6 27 ms 28 ms 27 ms gar1-p370.mpsmn.ip.att.net [184.108.40.206]
7 32 ms 29 ms 26 ms 220.127.116.11
8 29 ms 42 ms 33 ms ggr2-p3120.cgcil.ip.att.net [18.104.22.168]
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
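The triage described in the post (the trace dies at the same AT&T hop every time while other IPs on the same network stay reachable) can be done mechanically. This is an added example, not code from the thread: it parses two Windows tracert outputs, the one for the affected IP (hops 7-8 and the timeouts taken from the post above) and one for a neighbouring IP that still works (constructed here, with placeholder hostnames and 203.0.113.x addresses, since the post shows no such trace), and reports the hop where the two paths diverge, which is the handoff whose operator needs to be contacted.

```python
"""Find where a Windows tracert path stops and which hop to escalate to."""
import re

# One hop line: hop number, three RTT columns ("12 ms", "<1 ms" or "*"), then
# "host [ip]", a bare ip, or "Request timed out."
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Affected trace: hops 7-8 as shown in the post, then hops 9-21 timing out as there.
AFFECTED = """\
 7 32 ms 29 ms 26 ms 220.127.116.11
 8 29 ms 42 ms 33 ms ggr2-p3120.cgcil.ip.att.net [18.104.22.168]
""" + "".join("%2d * * * Request timed out.\n" % n for n in range(9, 22))

# Trace for a working IP on the same network. CONSTRUCTED: the post shows no such
# trace; the hostnames and 203.0.113.x addresses are placeholders.
REFERENCE = "\n".join(AFFECTED.splitlines()[:2]) + """
 9 31 ms 30 ms 31 ms att-to-gblx-handoff.example [203.0.113.9]
10 33 ms 34 ms 33 ms gblx-core.example [203.0.113.10]
11 35 ms 34 ms 35 ms working-host.example [203.0.113.11]
"""

def parse_tracert(text):
    """Return [(hop, host_or_None, ip_or_None)]; header and blank lines are skipped."""
    hops = []
    for m in filter(None, map(HOP_RE.match, text.splitlines())):
        hop, target = int(m.group(1)), m.group(3)
        ip = IP_RE.search(target)               # None for "Request timed out."
        host = target.split(" [")[0] if " [" in target else None
        hops.append((hop, host, ip.group() if ip else None))
    return hops

def locate_failure(affected, reference):
    """Align both traces by hop number; report where the broken path goes silent
    while the working path to the same network keeps answering."""
    ref = {h: (host, ip) for h, host, ip in reference}
    answered = [hop for hop in affected if hop[2] is not None]
    if not answered:
        return {"last_responding_hop": None, "filtering_suspected": False}
    last = answered[-1]
    silent = [h for h, _, ip in affected if h > last[0] and ip is None]
    # First silent hop at which the working path still got a reply.
    divergence = next((h for h in silent if ref.get(h, (None, None))[1]), None)
    # Timeouts to the end right after a hop shared with a reachable neighbour IP
    # point at a filter/blackhole on this address rather than an outage.
    return {"last_responding_hop": last, "timeouts_after": len(silent),
            "divergence_hop": divergence, "working_path_saw": ref.get(divergence),
            "filtering_suspected": len(silent) >= 3 and divergence is not None}
```

For the post's data this reports hop 8 (ggr2-p3120.cgcil.ip.att.net) as the last responder and hop 9 as the divergence point, which matches the AT&T-to-GBLX handoff the author expected to see next.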
I've found out that GBLX has indeed blackholed this IP, which denied access for many to a service that supports almost 400,000 users.
None of the contacts listed at ARIN for this IP were contacted. We don't do SPAM, and we don't allow our users sendmail services.
Is this legal for them to do? Arbitrarily block an IP address from their transport apparently because of some report they received, and furthermore, apparently with no recourse? GBLX referred me to a $200-per-incident security process. This is like extortion...
Jeez, ya I would go after them pretty strongly then. While they can do this, they have to do it with some notice / proof. Get your lawyer to contact them quickly. If they do have proof you probably need to try to move to another network. Are you colocated with someone? Can they help?
Well, before you start on the lawyer path, is anything in fact illegal? I do not have much experience in this area, but is there anything that says any datacenter cannot just block whatever IPs they want? I know plenty of people that block most of Asia because of spam and they seem to be perfectly happy with it. I do not disagree that this is a dirty trick, but I am not too sure if it is actually illegal.
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
They directed me to security.gblx.net, which charges a $200 per-case fee if they don't deem it to be an emergency or an improper report. Well, I'm not reporting fraud, spam, trojans, or anything else on their list.
I chose a bogus "type of attack" in their security report form, and was contacted by phone shortly after.
They said they tried to contact the addresses listed at ARIN for our IP, but admitted that their procedure is too strict, and they're making changes to make it more lenient. We did in fact have a phisher running some files from our service (nothing uncommon, we deal with them on a daily basis).
He un-blocked the IP while I was on the phone with them after I got that account removed.