AS11296 -- Hijacked?

James Hess mysidia at gmail.com
Sat Oct 2 18:59:01 CDT 2010


On Sat, Oct 2, 2010 at 3:41 PM, John Curran <jcurran at arin.net> wrote:
> On Oct 2, 2010, at 4:03 PM, Robert Bonomi <bonomi at mail.r-bonomi.com> wrote:
> Robert -
>    You are matching nearly verbatim from ARIN's actual procedures for recognizing a transfer via merger or acquisition.   The problem is compounded because often the parties appear years later, don't have access to the legal documentation of the merger, and there is no "corporate" surviving entity to contact.   Many parties abandon these transfers mid-process, leaving us to wonder whether they were exactly as claimed but simply lacking needed documentation, or whether they were optimistic attempts to hijack.
> /John

Hm.. just a thought...  if an org doesn't have and are unable to
obtain any good written documentation
at all,  from even the public record, then aren't they (as far as the
operator community should
be concerned) not the same registrant,  or authorized?

Where would a person be if they were trying to claim the right to a
certain piece of land, and someone else
(an opportunist/scammer) also claimed ownership using "papers" they
had created, but the 'rightful' owner
had neither a deed, nor a transfer agreement, proof of their use of
that land,  nor other certified document,
and the local authority  did not have any record of a transfer from
the now defunct original owner?
---

So, I wonder why only ARIN itself is singled out.. Have other RIRs
found something much
better to do with fraud reports?   This matters,  because scammers can
concentrate on
whichever IP blocks are easiest to hijack.

If ARIN somehow creates a hostile environment for scammers, they can concentrate
on  APNIC/RIPE/AfriNic/LACNIC-administered IP ranges  instead.

Assume scanners don't care or need to be undetected for long at all,
they just need to stay off
 'hijacked IP lists'  for a very brief time, perhaps a week, until
they are blacklisted by major RBLs for spamming,
stop using the range,  find a new one, under a new manufactured
identity, lather, rinse, ....

Even with excellent RIR detection and reclaiming of defunct ranges,
the most capable anti-scammer mechanisms may still be independent
Bogon lists and   RBLs.

Watch the  global visibility of  prefixes,   and detect when part of a
completely unannounced RIR assigned
prefix starts being announced or when an entire RIR prefix stops being
announced for more than a couple days or so.

And it doesn't fall into the category of  'newly registered prefix' .

Those should be additional "triggers"  for  defunct  contact detection
/ additional verification,
and  anti-fraud detection by RIRs and others.
Because address ranges can become defunct at any time....

Something  really should be watching for a previously defunct range
re-appearing  from a different AS or
from a completely different place net-wise.

--
-J




More information about the NANOG mailing list