The in-your-face hijacking example, was: Re: Who is announcing bogons?
kai at pac-rim.net
Tue Apr 29 18:14:36 UTC 2003
On 4/29/2003 at 3:10 AM, Sean Donelan wrote on NANOG-L:
> So which ISPs are confused? Bogon's don't spontaneously occur in
> BGP. Some ASN must originate them, and ASNs must pass them to
> other ASNs. BGP helpfully includes the ASNs in the path.
> What should be done about ASNs which repeatedly announce false or
> unauthorized routes?
Like: AS 15188 (rogue) ?
We call them "rogue AS's" around here - AS's that are not to be trusted
under any circumstances, any routes announced from them should be blocked
or dropped, and complaints about them should be sent to ALL AS upstreams
of the 'rogue' at all times, unless the upstream itself is rogue (in which
case complaints should also go to all non-rogue upstreams of the rogue
upstream, you get the idea).
And to live up to Joe Provo's "Kai's post is not fiction." comment,
oh, more true words have not been spoken lately.
Here you have it RED HOT, for everyone to see, *in your face* :
I received 2 blank emails to stolen ARIN POCs a few minutes ago, presumably
to scan if they are valid: a more primitive method (and one that sets off
alarm bells) than required to establish (in-)validity of registered
contacts for ARIN objects:
Received: from setsllg (mx110.freshnewideas.net [144.128.130.110])
by speedus.com (8.9.3p2/8.9.3) with SMTP id LAA23999
for <STOLEN_POC_FOR_AS15349>; Tue, 29 Apr 2003 11:44:53 -0400 (EDT)
Received-Date: Tue, 29 Apr 2003 11:44:55 -0400 (EDT)
From: Stacie <Beulafxv at 24hr-savings.com>
To: <STOLEN_POC_FOR_AS15349>
Subject:
Date: Tue, 29 Apr 2003 10:46:08 -0400
Content-Type: text/plain
Received: from olfrrtg (mx219.freshnewideas.net [144.128.130.219])
by conti.nu (8.9.3p2/8.9.3) with SMTP id LAA05363
for <STOLEN_POC_FOR_KHS-ARIN>; Tue, 29 Apr 2003 11:56:53 -0400 (EDT)
Received-Date: Tue, 29 Apr 2003 11:56:53 -0400 (EDT)
X-Mailer-RCPT-To: <STOLEN_POC_FOR_KHS-ARIN>
From: Contessa <Carinaobn at 24hr-savings.com>
To: <STOLEN_POC_FOR_KHS-ARIN>
Subject:
Date: Tue, 29 Apr 2003 10:58:03 -0400
Content-Type: text/plain
And this is coming from:
CIDR: 144.128.0.0/16
NameServer: NS1.DSI-NET.NET
NameServer: NS2.DSI-NET.NET
RegDate: 1990-12-13
Updated: 2003-04-27
Freshly updated (2 days ago).
And the domain:
Domain name: DSI-NET.NET
Registrar of Record: TUCOWS, INC.
Record last updated on 19-Apr-2003.
Record expires on 19-Apr-2004.
Record Created on 19-Apr-2003.
Brand-spanking new, days before. And Tucows: again and again and again
and again (insiders will know what I mean).
Announcing AS is AS 15188:
Routes transiting through or originating from AS 15188 :
128.13.0.0/24 from AS: 15188 (upstreams: 12124)
128.13.1.0/24 from AS: 15188 (upstreams: 12124)
128.13.64.0/20 from AS: 15188 (upstreams: 12124)
128.13.96.0/19 from AS: 15188 (upstreams: 12124)
144.128.64.0/20 from AS: 15188 (upstreams: 12124)
144.128.128.0/19 from AS: 15188 (upstreams: 12124)
Whoa. That's *TWO* stolen/hijacked /16's now.
Sole upstream: thorn.net (AS 12124) - courtesy CC:'d here, so that
no one can say later "you didn't tell them".
http://www.ris.ripe.net shows (using RRC00):
- space in 144.128.0.0/16 first announced on: 2003-04-27
- no routes from AS 15188 from 2003-01-04 until 2003-04-22,
when they started announcing out of 128.13.0.0/16
An unused AS that suddenly springs to life? Suspicion: AS is hijacked.
ASNumber: 15188
ASName: DIALI-INTERNETWORK-01
ASHandle: AS15188
Comment:
RegDate: 2000-03-31
Updated: 2000-03-31
TechHandle: BL374-ARIN
This handle however:
RegDate: 2000-03-31
Updated: 2003-04-21
Phone: +1-212-284-0189 (Office)
Email: bob_lowry at ureach.com
Updated the day before, and the email is a drop-box at an email/communications
solutions provider, the phone number is an 'all circuits busy' (fast busy).
A courtesy copy is going to abuse at ureach.com here.
Too bad ARIN's 'historic' records are not open for public inspection.
A search for "ureach.com +abuse" on Google Groups results in 1,850 hits.
Certainly a popular "destination" for people wanting a "front" to hide behind.
We are giving this 9 out of 10 votes for "hijacked AS with no credibility".
But hey, we got more!
A quick Google search for historic records of 128.13.0.0/16 (the SECOND
stolen/hijacked /16 this AS is announcing) turns up:
http://www.geocities.com/alias_faq/whois.htm :
NetHandle: NET-128-13-0-0-1
Parent: NET-128-0-0-0-0
NetType: Direct Assignment
NameServer: NIC.DSI.NET
NameServer: NOC.DSI.NET
Comment:
RegDate: 1983-02-24
Updated: 1992-07-17
DSI.net seems to have had new owners for quite a while, but this fits the
scheme of using "similarly named" entities pretending to be the original
entity owning the ARIN object(s).
However, that record also shows:
TechHandle: SM73-ARIN
TechName: Miller, Steve
TechPhone: +1-617-873-3427
TechEmail: twb_help at bbn.com
And SM73-ARIN is now, you guessed it: the POC for both
CIDR: 128.13.0.0/16
RegDate: 1983-02-24
Updated: 2003-04-20
and
CIDR: 144.128.0.0/16
RegDate: 1990-12-13
Updated: 2003-04-27
With the SM73-ARIN handle now being:
Name: Miller, Steve
Handle: SM73-ARIN
Company:
Address: 30 west 32nd st
City: New York
StateProv: NY
PostalCode: 10016
Country: US
Comment:
RegDate: 1992-05-14
Updated: 2003-04-19
Phone: +1-212-431-4321 (Office)
Email: hostmaster at dsi-net.net
bbn.com (Genuity) most certainly wants to find out who twb_help at bbn.com
was going to in recent times.
That phone number (212-431-4321) sure looks bogus as well, and the fact that
it's ring-no-answer in the middle of the business day in New York certainly
shows that it's not an "Office" number. A quick Google search turns up the
phone number as the fax number of mouse.org, the "NYC Schools Volunteer
Organization".
Everything covered?
That leaves a few more suspects: any and all domain names that follow have
been registered in the last few days:
freshnewideas.net aka digitalstore-network.net with nameservers in the
stolen/hijacked space:
NS1.DIGITALSTORE-NETWORK.NET 128.13.0.90
NS2.DIGITALSTORE-NETWORK.NET 128.13.0.92
And that is:
Rita Lee Marketing Inc
901 Parkview Drive
King of Prussia, PA 19406
Lee, Rita funnelcake at rock.com
Lee, Rita gallopinto at rock.com
781.394.5655
(and remember, if it's "optin" by name, you can *really trust them* !)
Courtesy copy to rock.com (free email), to see if they really want to be
implicated in a hijacked/stolen network case.
And the two domains: well, HELLO WORLD! Nice to see you! (reg'd 2/7 days ago)
And always and again, the favorite registrar of IP space hijackers: Tucows.
Domain name: FRESHNEWIDEAS.NET
Registrar of Record: TUCOWS, INC.
Record last updated on 26-Apr-2003.
Record expires on 26-Apr-2004.
Record Created on 26-Apr-2003.
Domain name: DIGITALSTORE-NETWORK.NET
Registrar of Record: TUCOWS, INC.
Record last updated on 25-Apr-2003.
Record expires on 21-Apr-2004.
Record Created on 21-Apr-2003.
And now a little rDNS-scanning:
144.128.129.1 mx1.freshgoods-2urdoorstep.com
through
144.128.129.254 mx254.freshgoods-2urdoorstep.com
Domain name: FRESHGOODS-2URDOORSTEP.COM
Registrar of Record: TUCOWS, INC.
Record last updated on 26-Apr-2003.
Record expires on 26-Apr-2004.
Record Created on 26-Apr-2003.
And:
144.128.130.1 mx1.freshnewideas.net
through
144.128.130.254 mx254.freshnewideas.net
And:
144.128.131.1 mx1.hightech-goods.com
through
144.128.131.254 mx254.hightech-goods.com
Domain name: HIGHTECH-GOODS.COM
Registrar of Record: TUCOWS, INC.
Record last updated on 26-Apr-2003.
Record expires on 26-Apr-2004.
Record Created on 26-Apr-2003.
144.128.65.2 server2.digital-superstore.net
Domain name: DIGITAL-SUPERSTORE.NET
Registrar of Record: TUCOWS, INC.
Record last updated on 25-Apr-2003.
Record expires on 21-Apr-2004.
Record Created on 21-Apr-2003.
And now for the 128.13.0.0/16 space:
128.13.0.1 router.dsi-net.net
128.13.0.2 one.dsi-net.net
128.13.0.3 ns1.infinite-hosting.net
128.13.0.4 dnscache.dsi-net.net
128.13.0.5 mail.dsi-net.net
128.13.0.6 ns2.infinite-hosting.net
Domain name: INFINITE-HOSTING.NET
Hartford, Harry admin at infinite-hosting.com
732 Marysville Dr.
Jersey City, NJ 07305
US
201-239-6725
Registrar of Record: TUCOWS, INC.
Record last updated on 19-Apr-2003.
Record expires on 19-Apr-2004.
Record Created on 19-Apr-2003.
"Infinite", eh? Yeah, with 2 /16's under the belt, it certainly feels that
way - until sometime later this afternoon, I am sure!
128.13.0.30 ns1.hosted-here.com
128.13.0.32 ns2.hosted-here.com
Domain name: HOSTED-HERE.COM
Gee, there's Lee, Rita funnelcake at rock.com again!
Registrar of Record: TUCOWS, INC.
Record last updated on 25-Apr-2003.
Record expires on 25-Apr-2004.
Record Created on 25-Apr-2003.
There's certainly a party here:
128.13.64.128 mail.infinite-hosting.net
128.13.64.130 mail.hosted-here.com
128.13.64.132 mail.digital-superstore.net
128.13.64.134 mail.digitalstore-network.net
And 2 very lonely hosts:
128.13.96.7 server1.digital-superstore.net
128.13.126.7 test1.digital-superstore.net
Last but not least: the domain used for the From: address of the probing
mails: 24hr-savings.com
Domain name: 24HR-SAVINGS.COM
Registrar of Record: TUCOWS, INC.
Record last updated on 10-Apr-2003.
Record expires on 10-Apr-2004.
Record Created on 10-Apr-2003.
NS1.INFINITE-HOSTING.COM 144.2.0.101
NS2.INFINITE-HOSTING.COM 144.2.0.102
Henderson, Dave contact at ultimate-savings.com
Ultimate Savings
1321 Mill Creek Drive
Cincinnati, OH 45221
513-261-1254
This is a bogus address, as far as Mapquest.com and Mapsonus.com are concerned.
This is one very big forged-identity, throwaway-domains fest here.
AS 15188 routes off into Null0 ....
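The post correlates three things by hand: the date a prefix first appears at a route collector, the date the registry record for the parent block (and its POC handle) was last touched, and whether the originating AS had been dormant. The following is an added example, not part of the original post, that encodes those checks as a small scoring function; the dates are the ones quoted in the post, while the record layout and the day thresholds are assumptions.

```python
# Added example: flag hijack indicators from route-collector and whois dates.
# Dates below are as quoted in the post; thresholds and field names are assumed.
from dataclasses import dataclass
from datetime import date
import ipaddress

@dataclass
class RouteObs:
    prefix: str       # prefix seen in BGP (e.g. at RIS RRC00)
    origin_as: int
    first_seen: date  # first day the collector saw this prefix from origin_as

@dataclass
class AsnActivity:
    asn: int
    last_seen_before: date  # last day the AS announced anything before the gap
    resumed: date           # day announcements reappeared

@dataclass
class WhoisBlock:
    cidr: str
    updated: date      # registry 'Updated:' field of the parent block
    poc_updated: date  # 'Updated:' field of the block's POC handle

def hijack_indicators(route, blocks, asn, max_gap=7, dormant=60):
    """Return the indicator names that fire; an empty list means none did."""
    found = []
    net = ipaddress.ip_network(route.prefix)
    parent = next((b for b in blocks
                   if net.subnet_of(ipaddress.ip_network(b.cidr))), None)
    if parent is not None:
        if abs((route.first_seen - parent.updated).days) <= max_gap:
            found.append("whois-updated-near-first-announce")
        if 0 <= (route.first_seen - parent.poc_updated).days <= 2 * max_gap:
            found.append("poc-handle-updated-days-before")
    if asn.asn == route.origin_as and \
            (asn.resumed - asn.last_seen_before).days >= dormant:
        found.append("dormant-asn-resumed")
    return found

# Records constructed from the figures in the post.
BLOCKS = [WhoisBlock("144.128.0.0/16", date(2003, 4, 27), date(2003, 4, 19)),
          WhoisBlock("128.13.0.0/16", date(2003, 4, 20), date(2003, 4, 19))]
AS15188 = AsnActivity(15188, date(2003, 1, 4), date(2003, 4, 22))
ROUTES = [RouteObs("144.128.128.0/19", 15188, date(2003, 4, 27)),
          RouteObs("128.13.0.0/24", 15188, date(2003, 4, 22))]

def report():
    return {r.prefix: hijack_indicators(r, BLOCKS, AS15188) for r in ROUTES}

if __name__ == "__main__":
    for prefix, inds in report().items():
        print(prefix, inds or "no indicators")
```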