HIJACKED: 184.108.40.206/16 -- WTF? Level3 is now doing IP hijacking??
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Mar 31 04:27:23 CDT 2011
In message <Pine.OSX.4.64.1103310053260.312 at cevin-2.local>,
Brandon Ross <bross at pobox.com> wrote:
>On Wed, 30 Mar 2011, Ross Harvey wrote:
>> Wait a second, I'm pretty sure that in most contexts, a signature or
>> letterhead means not so much "this is real because it's so obviously
>> genuine", but rather:
>> "This is real or I am willing to take a forgery rap".
>Do you think most providers check the signer's ID to make sure they
>actually signed their own name? How do you prove that whomever you accuse
>of signing it actually forged it if not?
>Does anyone know of there ever being even a single case where someone was
>convicted of forgery for this?
Excuse me, but I think that this discussion is starting to stray rather
far from either the known or the reasonably plausible facts.
In the first place, I do not accept the theory that either Circle Internet
or Bandcon were hoodwinked by cleverly forged letterheads, and there is
no evidence I am aware of which would support that theory.
Until, if ever, additional facts are forthcoming, I believe that it is
just as plausible that some spammer simply came to each of these companies
and said to them "Hi! I really want to hijack these two unused /16 blocks.
Will you help me?" and that one, or another, or perhaps both of these
companies simply replied "Yea. Sure. We didn't quite make our quarterly
numbers, and we are always on the lookout for new revenue streams. So
how much money do you intend to give us if we help you with this, exactly?"
In the second place, this amusing "letterhead fraud" theory only holds
up if one also believes that, upon being presented with a mere forged
letterhead, allegedly coming in "over the transom" as it were, i.e. from
a previously unknown source, along with a request to announce some
routes to a couple of sizable blocks of IPv4 space, neither Circle
Internet nor BandCon even bothered to pick up the bleepin' phone to call
the contact number that is/was plainly visible for all to see, right
there in the relevant ARIN allocation WHOIS records for the IPv4 space
Then there is also the small matter of the name on the _checks_...
you know... the checks that _somebody_ had to write, in the first instance,
before either BandcCon or Circle Internet would have been likely to provide
_any_ kind of service to some new and total stranger. Or was this "duped
by clever forgeries" single bullet theory that you folks have been dis-
cussing also intended to include the forging of CHECKS in the name of
"Hoechst Celanese Corporation"?
See, no matter how you slice it, both BandCon and Circle Internet have
a lot of explaining to do. At the very least, and even if this
implausible "forged letterhead" theory were true... which I gravely
doubt... both BandCon and Circle Internet have been rather grotesquely
negligent, i.e. in accepting, without any checking whatsoever, the
representations made to them by some total stranger who simply para-
chutted out of the clouds one day, clutching a forged letterhead in one
hand and a bag of unmarked small denomination bills in the other.
So that's the very least... the companies were both, at the very least,
rather stupendously negligent.
At the very worst on the other hand, one or another or both of them may
have been entirely "in on" and part of these hijacking schemes/scams from
I myself would tend to go with the latter theory, simply because it is
the only one that would seem to make any sense, you know, logically. Ask
yourself which of these theories seems the most plausible?
1) The spammer forged two checks in the name "Hoechst Celanese
Corporation" and gave one each to Circle Internet and BandCon,
respectively, along with similarly forged letters of introduction
and requests for routing of IP space.
Unless I am misremembering, this means that the spammer would have
engaged in not one but TWO very serious federal fraud offenses.
Even sleezy low-life spammers do not customarily accept this level
of risk, e.g. just to get their hands on some IPv4 space which, we
must remember, is only likely to be of value to them for a relatively
brief period of time, EVEN IF they can manage to keep it routed.
2) The spammers gave Circle Internet and BandCon forged letters of
introduction (on forged letterheads) and requests for routing
services, and gave the two companies -zero- actually money, and
nonetheless, both companies started happily announcing routes for
the purported "Hoechst Celanese Corporation", even though neither
company received a dime for this service, and even though they both
CONTINUED to provide this service, utterly for free, apparently for
at least THREE FULL MONTHS.
3) The spammers gave Circle Internet and BandCon forged letters of
introduction (on forged letterheads) and requests for routing
services, and gave the two companies checks that were NOT
"Hoechst Celanese Corporation" checks (either forged or otherwise),
and then both Circle Internet and BandCon just cashed BOTH of those
two checks (which were presumably written against the account of
"Joe's Fly-By-Night Spammery and Pizza Parlor") and both companies
cashed these two checks without ever even looking at them or even
wondering aloud why "Joe's Fly-By-Night Spammery and Pizza Parlor"
would be paying for Internet services which were ACTUALLY going to
be delivered to the large and internationally-known Hoechst Celanese
chemical company (which is, quite obviously, perfecly capable of
paying its own ISP bills, thank you very much).
4) The spammers simply went to Circle Internet and BandCon and said
"We want to hijack some IP space. If you help us, we'll pay you
handsomly for your trouble." and both companies simply replied "Yea.
Sure. We like money. And as far as we know, nobody's ever gone to
jail for hijacking IP space, so, um, what the hell! When did you
want to get started?"
The first three theories are, in my opinion, utterly implausible. That
doesn't really leave very much to wonder about.
Let me put this all to you another way. I would like to respectfully suggest
that anybody who is actually taking this "forged letterhead" fairy story
seriously should write to both Circle Internet and BandCon, explain to them
both that either their competence or their honesty, or both, have been the
subject of questions here on the NANOG list, and that they would each do
well to make some sort of a clarifying comment... or, if possible, a refu-
tation... here on the NANOG list.
If they were merly hoodwinked, well then they should come here, admit that,
explain to us all exactly how it happened (so that nobody else will get
taken in in the same way in future) and thus set the record straight. Yes,
it will always be a bit embarrasing to admit that you were hoodwinked, but
that is still a damn sight better than being publically reputed to be
So please, if you really think that these companies were merely hoodwinked,
and that they were NOT in on the (hijacking) deal from the get-go, please
invite them to come here to the NANOG list and clear the air, along with
I got twenty bucks that says that no verifiable official representative of
either company will be making an appearance here anytime soon, or that if
they do, they won't be taking any questions. Any takers?
More information about the NANOG