Hijacking of address blocks assigned to Trafalgar House Group, London UK

Roland Verlander rolyv at bigpond.com
Sun Apr 13 23:44:12 UTC 2003


Richard Cox wrote:
> On 13 Apr 2003 15:11 UTC, David Temkin <temkin at sig.com> wrote:
>
> | Maybe they should do everyone a favor and return the hijacked blocks
> | to ARIN....  I mean hell, does anyone really think that they have
> | 6 /16's worth of machines directly accessible via the 'net?
>
> Maybe so indeed.  We've been asked to help clear up the mess, and to my
> mind it's far more important to limit the damage to the rest of the net
> from the hard-to-trace abuse and the other evils that were the reason
> why the blocks were hijacked in the first place, than to deal with the
> consequential admin issues.  But those issues *will* be addressed.

If it is possible to get the old whois of those blocks from around ~8
months ago from ARIN it will be much easier to find out how they were
hijacked.

> So that's why we first gave you all an update on what was happening,
> while I try to reach the security teams at the networks that are still
> allowing the bogus announcements to go out.  Sprint responded quickly,
> and thanks to those of you here who mailed me better contact details,
> I was able to reach Telia who filtered their announcements promptly.

There are still some active routes - the block hijacker is leasing out
SWIP'd chunks of 144.176.0.0/16 to spammers who have to find their own
routing.

One of the SWIP'd chunks of it owned by a spammer that is being announced is
144.176.209.0/24 (Empire Towers, routed to Sprint in the USA).

> Some networks however are proving rather more difficult to "reach"!
>
> Once we've shut the abuse down, we'll be sure to brief Aker Kvaerner's
> management on all the issues involved and, from what I've seen so far,
> I'm completely satisfied that they will then "do the right thing".
>
> | Obviously if they have been hijacked and the admins had the time
> | to post here about it, it's not the end of the world for them...
>
> Aker Kvaerner were until last week unaware that the company they had
> acquired had ever had any allocations from ARIN.  We've been asked to
> clear up the mess, and to that extent only we are the "admins".  When
> one of the hijackers lost their connection, and was immediately able
> to get a new connection from another provider, we realised just how
> important it was to ensure that network operators were generally made
> aware of what was going on: firstly so that they didn't inadvertently
> allow anyone else to announce anything in those netblocks, and also so
> that any network could, if they wished, keep traffic from those
> netblocks off their systems.
>
> At our request ARIN have now deleted all contact handles from those
> blocks, so that further identity-spoofing should be more difficult.

There are still a lot of SWIPs made to spammers out of those blocks w/
contact handles such as 144.176.208.0/20.