Man who built ISP instead of paying Comcast $50K expands to hundreds of homes

A couple of fun facts about this guy:

His little ISP is AS267, which is a SHOCKINGLY low number. That's like.. the ISP equiv of a 4 digit slashdot id, or owning something like sodapop.com.

He's also one of the authors of RFC 5575, which is a pretty big deal in the DDoS world.

I recognized his name from providing hosting for the outages.org list[0] – if you haven't subscribed, and you do anything operations at all, go hit the button now.

[0]: https://puck.nether.net/mailman/listinfo/outages

I don't know (or care) about how he got that ASN but ARIN does occasionally recycle returned 3 or 4 digit ASN's, including very recently:

  20220607|arin|US|asn|888|1|assigned|66e25d155d3f3d57ff208733b59f8cc8
  20220607|arin|US|asn|889|1|assigned|5b048aafff56a02f895e68ac5188853b
  20220607|arin|US|asn|890|1|assigned|708d3f11915973323c76a5f95fa2d775
  20220607|arin|US|asn|891|1|assigned|ab9bfca0becd32b7fe44c7ea0ba1aac3
  20220607|arin|US|asn|892|1|assigned|0b9118a23862aab1647fd26939f7b219
  20220607|arin|US|asn|893|1|assigned|57d59e6dfd1cd07523724f9cf5fc572b
  20220607|arin|US|asn|894|1|assigned|0a932835b90a81bffeb1539b4bc93040

The first time ARIN did this with a lot of 4-digit ASN's was 2009 and was how Netflix was able to get AS2906.

There is also a market for reselling ASN's that aren't needed anymore: https://auctions.ipv4.global (filter by ASN)

can somebody ELI5? what is this code mean? what is RFC 5575?

RFCs are Requests for Comments, which are what are considered potential standards in the technical world: https://en.wikipedia.org/wiki/Request_for_Comments

Here's this one:

https://www.rfc-editor.org/rfc/rfc5575.html

He's been a backbone guy since the the mid-1990s.

The RFC number is less interesting then the ASN; he has a low ASN, which is for backbone nerds a little like getting a very short domain name; the short ones are long since exhausted, so it's like an O.G. indicator.

(An ASN is a BGP4 network number; think of it as an address in the backbone routing network.)

RFC 5575 is a widely adopted specification implemented by router vendors that lets ISPs (think Comcast, Verizon, Deutsche Telekom, Akamai) block certain kinds of traffic at their routers using rules called "Flow Specifications". A rule looks _something_ like "Drop traffic if it's on Port 80 and its packet size is 252 bits". That level of logic is good enough to block many simple DDoS attacks, and since it's done on a router, it's hardware that the ISP has to buy anyway. The more expensive / but also more powerful solution usually involves a dedicated piece of hardware that does packet inspection.

Jared is not a rando who built an ISP. He is someone who forgot more about networking and running NSPs than most people know.

pc literally said he was not talking about this guy, can’t win I guess

The way it was written, it left many of us wondering what the answer to the question was, though.

Not come across this list before.

I'm being a bit lazy here but do you happen to know if there is a way to consume this programatically? I'm thinking RSS or perhaps an API?

Edit: For the benefit of others who might be interested, I've just subscribed using Feedbin's [0] email-to-RSS feature so updates will appear in my RSS reader!

[0] https://feedbin.com

What is an ASN and what advantage is there to have a low number?

vanity

ASN = Autonomous System Number (https://en.wikipedia.org/wiki/Autonomous_System_Number), it's a number which identifies an ISP in the core Internet routing protocol (BGP). A low ASN usually means your ISP has been part of the Internet for a long time; other than the 16-bit vs 32-bit ASN distinction, it has no practical effect, besides implying that your ISP is one of the "old-timers".

ASN is an Autonomous System Number. An ISP is the primary example of an Autonomous System. There are other organizations that have ASNs like data centers.

The internet is decentralized. Basically, each autonomous system is its own network. This means that they need to connect with one another in order to allow traffic between each other. This is called peering. In order to peer with another network you must have an ASN.

The number doesn't matter.

Yeah FPGA's are marketed for packet inspection. Like on xilinx.com, and microsemi.com, they talk about radar and military, defense, on top of AI and fintech. It's just really hard to market FPGA's, it's such a shiny toy but then it never ends up actually selling in volume, like GPUs, there's envy of that success. Especially because in many ways F's have merits that go toe-to-toe with GPU, and defeat them in eg latency, which is why Wall Street prefers F's to GPU's. Just not enough killer apps.

And packet inspection is a good fit for F's [FPGA's] by their very nature, DDoS's are squirrely and ASICs get stale, you need to reprogram you F's on the fly to catch that attack in-progress. So to adapt to new attacks on the fly, or update based on new fashions of DDoS's, patch vulnerabilities, and plus they're harder to reverse-engineer than ASICs, they're strong against that, good crypto to protect the bitstreams that define them. Basically built for that. ASICs on the other hand, can just have the lid scraped, take a photo, done. (Though to some extent they do put functionality on memory that gets lost if the chip is turned off during abduction, that can be done, the line between F's and ASICs is not truly that sharp).

A lot of DDoS's are done by state-sponsored or -affiliated or -harbored adversaries, capturing the ASIC that stops the DDoS is a real thing. Reverse engineering usually happens in another country, another jurisdiction. Under smiling eyes, blind eyes, can't get the police to go there, can't get extradition, maybe sue, maybe get them punished within the country that harbors them.[1]

[1] I read in China there was a Chinese man who traveled to New Zealand and murdered somebody, I think a woman. But he would not be extradited. Instead, the New Zealanders presented their evidence in Chinese court, which found it had merit and credibility enough to imprison the murder, within China, so he paid for his crimes fully. All without extraditing one of their own.

Amidst all the discussion of fpga vs asic vs flowspec, it's probably worth distinguishing two types of attacks: big, dumb volumetric ddos (flow specifications are great and cheap here, if you can match), and more sophisticated layer 5/6/7 attacks where FPGA/packet inspectors are likely necessary (unless you get lucky and the supposedly smart attack has an obvious signature such as a particular packet length combined with other components)

This is a mailing list. Subscribe and point it to something that can ingest messages, similar to how you would pipe support@ to a helpdesk and auto-create tickets.

In this case, this wasn't recycled - his is actually decades old

My university’s is number 2; is there any significance to that?

Is your university among these? https://www.visualcapitalist.com/wp-content/uploads/2019/03/...

(Not the guy you replied to, but) it's not, unless I am missing it. ASN 2 is University of Delaware. You can search for yourself at whois.arin.net, just type a number in the search bar in the upper right.

University of Delaware, per this: https://dnschecker.org/asn-whois-lookup.php?query=AS2

So, not on that map, but it was part of ARPANET by the time the TCP/IP protocol was introduced in 1983[0], per this map: https://www.historyofinformation.com/image.php?id=6456

[0]: https://blog.google/inside-google/googlers/marking-birth-of-...

It's an NFT representing early participation on the Internet.

I wonder why there's so many weird domains being hosted on AS2? https://dnslytics.com/bgp/as2 (scroll down to Top Domains)

Interesting

They are probably not actually hosted on AS2. Bad actors can inject garbage into BGP AS paths, either accidentally or deliberately.

Hardly non-fungible but yes, it means you've been on the internet for long.

Adding to this, Autonomous Systems, which are identified by ASNs, are the networks that the Internet is internetworking between.

That protocol is called BGP, or border gateway protocol. Most people's familiarity with that initialism, if any, comes from reports of major outages which occur when BGP routing --- effectively the list of peers to which a given AS connects --- gets fuxnored. This happens with somewhat distressing regularity (though not exceptionally high frequency), and along with some other notable failure points in modern telecoms (say, SIM spoofing, DDoS, or good old social engineering) is not-so-charmingly naive in its architecture of implied trust and lack of technical safeguards against either accident or malice.

As originally specified, ASNs ranged to 65,536 distinct systems (16 bits). That's since been bumped up to 32 bits, for 4,294,967,296 distinct systems.

Some old hands would track network abuse by ASN or a somewhat finer gradation, CIDR (classless internet domain routing), which tend to aggregate poorly-behaved networks into identifiable aggregates. That was somewhat more tenable with the smaller number of providers, though power laws and Zipf functions mean that bad behaviour does stil tend to self-organise in useful ways. Growth in indirection (VPNs and Tor) challenge this somewhat, with gateways now being identified as abuse sources, which is ... problematic.

Bad actors aren’t blacklisted for repeatedly injecting garbage?

Maybe? Sometimes? It probably depends if what they're doing causes operational issues. BGP is primarily a trust based system. Many upstreams have filters to limit route announcements from their downstream / customer ASes, but at its core, it is trust based.

It’s hardly trust based if enforcement against those who break the trust is so sporadic.