HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

Ronald F. Guilmette rfg at tristatelogic.com
Wed Mar 30 22:26:15 CDT 2011


In message <AANLkTikEmpr3QvVDOrvUgRNZn0CnkoA4vTBta5Q3mBuN at mail.gmail.com>, you 
wrote:

>This is an old enough "technique" dating back to a few years -
>re-registering an expired domain that belonged to the ARIN contact,
>and filling out the ISP paperwork.

FYI - That does not seem to have been what occurred in the two particular
cases I reported on today.  The e-mail contact domain for the two relevant
ARIN allocation records seems to still be in use by the chemical company,
Hoechst Celanese.

So that _really_ begs the question... Why did Circle Internet and (apparently)
Level3's customer, BANDCON, blindly accept _any_ sort of assertion that the
crook who hijacked these two /16s had the right to use them?

% traceroute to 148.163.5.2 (148.163.5.2), 64 hops max, 40 byte packets
 ...
 8  ae-62-62.csw1.SanJose1.Level3.net (4.69.153.18)  42.796 ms
    ae-82-82.csw3.SanJose1.Level3.net (4.69.153.26)  44.268 ms
    ae-72-72.csw2.SanJose1.Level3.net (4.69.153.22)  43.296 ms
 9  ae-4-90.edge8.SanJose1.Level3.net (4.69.152.212)  44.877 ms
    ae-3-80.edge8.SanJose1.Level3.net (4.69.152.148)  44.731 ms
    ae-1-60.edge8.SanJose1.Level3.net (4.69.152.20)  44.426 ms
10  BANDCON.edge8.SanJose1.Level3.net (4.53.30.42)  45.018 ms  45.779 ms  45.043 ms
11  148.163.5.2 (148.163.5.2)  44.820 ms  45.651 ms  44.571 ms


In the case of Circle Internet, I feel sure that the check cleared, so they
didn't see it as either necessary or useful to inquire further.  But the
question that I'd most like to get an answer to... and the one that nobody
will likely ever get an answer to... is "Did BandCon likewise see that the
check which was made out to them cleared, and that thus they didn't see fit
to inquire any further?"

Separately, Jim Gonzalez raised an interesting and related point... If I
were to simply forge the sender address of an e-mail message, send it to
Level3, and ask Level3 to route some arbitrary hunk of IP space for me,
would Level3 just blindly do it?

If so, I may perhaps see if I can have a bit of fun, at their expense, this
weekend.  I mean what the hay!  It's pretty obvious that nobody from law
enforcement has any interest in any of this crap, and that random bad actors
can perpetrate whatever kinds of frauds they wish on the net with virtual
impunity.  So why should this hijacking crap only be a spectator's sport?


Regards,
rfg
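The question raised in this message is why two providers accepted an unverified claim that a customer was entitled to announce the /16s. The check that was skipped is route-origin validation: before opening a prefix filter, confirm that the prefix and the origin AS the requester names match what the registry (today, an RPKI ROA; in 2011, the ARIN record plus a contact reached through the registry rather than the request e-mail) says about the resource holder. The following is an added example, not code from this thread or from any of the networks named in it. It implements the RFC 6811 origin-validation states against a constructed ROA table; the AS numbers are documentation-range placeholders (RFC 5398) and do not represent the actual holders of these prefixes.

```python
"""Route-origin validation in the style of RFC 6811, as an added example.

The constructed ROA table below stands in for the authoritative data a
provider should consult before accepting a customer's request to announce
a prefix.  AS numbers are placeholders from the documentation range."""

import ipaddress

# Constructed ROA table: (prefix, maxLength, origin ASN).
# 148.163.0.0/16 appears here only because it is the prefix under discussion;
# AS64496/AS64497 are placeholders, not its real holder.
ROAS = [
    (ipaddress.ip_network("148.163.0.0/16"), 16, 64496),
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64497),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64496),
]


def covering_roas(prefix):
    """ROAs whose prefix covers the announced prefix (same address family,
    equal or a supernet).  The version filter keeps subnet_of() from raising
    when an IPv4 announcement is compared to an IPv6 ROA."""
    return [
        roa for roa in ROAS
        if roa[0].version == prefix.version and prefix.subnet_of(roa[0])
    ]


def validate_origin(prefix_str, origin_asn):
    """Return 'valid', 'invalid' or 'not-found' for an announcement of
    prefix_str originated by origin_asn, following RFC 6811 section 2:
      - no covering ROA at all                         -> not-found
      - a covering ROA with matching ASN and
        announced length <= maxLength                  -> valid
      - covering ROAs exist but none satisfies both    -> invalid
    A more-specific announced below maxLength is 'invalid' even when the
    ASN matches, which is exactly the sub-prefix hijack case."""
    prefix = ipaddress.ip_network(prefix_str, strict=True)
    covering = covering_roas(prefix)
    if not covering:
        return "not-found"
    for roa_prefix, max_len, asn in covering:
        if asn == origin_asn and prefix.prefixlen <= max_len:
            return "valid"
    return "invalid"


def review_request(prefix_str, origin_asn):
    """Decide whether a 'please route this for me' request may be accepted
    without a human in the loop.  Only 'valid' qualifies; 'not-found' and
    'invalid' both require contacting the registered resource holder through
    the registry record, not through the address the request came from."""
    state = validate_origin(prefix_str, origin_asn)
    return {
        "prefix": prefix_str,
        "origin": origin_asn,
        "state": state,
        "auto_accept": state == "valid",
    }


if __name__ == "__main__":
    # Constructed requests: legitimate origin, wrong origin, over-specific
    # announcement from the right origin, and a prefix with no ROA at all.
    for req in [("148.163.0.0/16", 64496), ("148.163.0.0/16", 64511),
                ("148.163.5.0/24", 64496), ("203.0.113.0/24", 64496)]:
        print(review_request(*req))
```

In production the ROA table would come from a validating cache (RTR, RFC 6810) rather than a literal, and a 'not-found' result, which was the state of essentially every prefix in 2011, still has to fall back to the out-of-band contact check the author describes as missing.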



