The in-your-face hijacking example, was: Re: Who is announcing bogons?

kai at pac-rim.net
Tue Apr 29 18:14:36 UTC 2003


On 4/29/2003 at 3:10 AM, Sean Donelan wrote on NANOG-L:

> So which ISPs are confused?  Bogon's don't spontaneously occur in
> BGP.  Some ASN must originate them, and ASNs must pass them to
> other ASNs.  BGP helpfully includes the ASNs in the path.

> What should be done about ASNs which repeatedly announce false or
> unauthorized routes?

Like: AS 15188 (rogue)?

We call them "rogue AS's" around here - AS's that are not to be trusted
under any circumstances, any routes announced from them should be blocked
or dropped, and complaints about them should be sent to ALL AS upstreams
of the 'rogue' at all times, unless the upstream itself is rogue (in which
case complaints should also go to all non-rogue upstreams of the rogue
upstream, you get the idea)

And to live up to Joe Provo's "Kai's post is not fiction." comment,
oh, more true words have not been spoken lately.

Here you have it RED HOT, for everyone to see, *in your face* :

I received 2 blank emails to stolen ARIN POCs a few minutes ago, presumably
to scan if they are valid: a more primitive method (and one that sets off
alarm bells) than required to establish (in-)validity of registered
contacts for ARIN objects:

Received: from setsllg (mx110.freshnewideas.net [144.128.130.110])
        by speedus.com (8.9.3p2/8.9.3) with SMTP id LAA23999
        for <STOLEN_POC_FOR_AS15349>; Tue, 29 Apr 2003 11:44:53 -0400 (EDT)
Received-Date: Tue, 29 Apr 2003 11:44:55 -0400 (EDT)
From: Stacie <Beulafxv at 24hr-savings.com>
To: <STOLEN_POC_FOR_AS15349>
Subject:  
Date: Tue, 29 Apr 2003 10:46:08 -0400
Content-Type: text/plain

Received: from olfrrtg (mx219.freshnewideas.net [144.128.130.219])
        by conti.nu (8.9.3p2/8.9.3) with SMTP id LAA05363
        for <STOLEN_POC_FOR_KHS-ARIN>; Tue, 29 Apr 2003 11:56:53 -0400 (EDT)
Received-Date: Tue, 29 Apr 2003 11:56:53 -0400 (EDT)
X-Mailer-RCPT-To: <STOLEN_POC_FOR_KHS-ARIN>
From: Contessa <Carinaobn at 24hr-savings.com>
To: <STOLEN_POC_FOR_KHS-ARIN>
Subject:  
Date: Tue, 29 Apr 2003 10:58:03 -0400
Content-Type: text/plain

And this is coming from:

CIDR:       144.128.0.0/16
NameServer: NS1.DSI-NET.NET
NameServer: NS2.DSI-NET.NET
RegDate:    1990-12-13
Updated:    2003-04-27

Freshly updated (2 days ago).

And the domain:
 Domain name: DSI-NET.NET
 Registrar of Record: TUCOWS, INC.
 Record last updated on 19-Apr-2003.
 Record expires on 19-Apr-2004.
 Record Created on 19-Apr-2003.

Brand-spanking new, days before. And Tucows: again and again and again
and again (insiders will know what I mean).


Announcing AS is AS 15188:

Routes transiting through or originating from AS 15188 :

128.13.0.0/24   from AS:  15188  (upstreams: 12124)
128.13.1.0/24   from AS:  15188  (upstreams: 12124)
128.13.64.0/20  from AS:  15188  (upstreams: 12124)
128.13.96.0/19  from AS:  15188  (upstreams: 12124)
144.128.64.0/20 from AS:  15188  (upstreams: 12124)
144.128.128.0/19 from AS:  15188  (upstreams: 12124)

Whoa, that's *TWO* stolen/hijacked /16's now.

Sole upstream: thorn.net (AS 12124) - courtesy CC:'d here, so that
no one can say later "you didn't tell them".

http://www.ris.ripe.net shows (using RRC00):

- space in 144.128.0.0/16 first announced on: 2003-04-27
- no routes from AS 15188 from 2003-01-04 until 2003-04-22,
  when they started announcing out of 128.13.0.0/16

An unused AS that suddenly springs to life? Suspicion: AS is hijacked.

ASNumber:   15188
ASName:     DIALI-INTERNETWORK-01
ASHandle:   AS15188
Comment:
RegDate:    2000-03-31
Updated:    2000-03-31
TechHandle: BL374-ARIN

This handle however:
RegDate:    2000-03-31
Updated:    2003-04-21
Phone:      +1-212-284-0189  (Office)
Email:      bob_lowry at ureach.com

Updated the day before, and the email is a drop-box at an email/communications
solutions provider, and the phone number is an 'all circuits busy' (fast busy).
A courtesy copy is going to abuse at ureach.com here.
Too bad ARIN's 'historic' records are not open for public inspection.

A search for "ureach.com +abuse"  on Google Groups results in 1,850 hits.
Certainly a popular "destination" for people wanting a "front" to hide behind.

We are giving this 9 out of 10 votes for "hijacked AS with no credibility".


But hey, we got more!


A quick Google search for historic records of 128.13.0.0/16 (the SECOND
stolen/hijacked /16 this AS is announcing) turns up:

  http://www.geocities.com/alias_faq/whois.htm :
  NetHandle: NET-128-13-0-0-1
  Parent: NET-128-0-0-0-0
  NetType: Direct Assignment
  NameServer: NIC.DSI.NET
  NameServer: NOC.DSI.NET
  Comment:
  RegDate: 1983-02-24
  Updated: 1992-07-17

DSI.net seems to have had new owners for quite a while, but this fits the
scheme of using "similarly named" entities pretending to be the original
entity owning the ARIN object(s).


However, that record also shows:
TechHandle: SM73-ARIN
TechName: Miller, Steve
TechPhone: +1-617-873-3427
TechEmail: twb_help at bbn.com


And SM73-ARIN is now, you guessed it: the POC for both

  CIDR:       128.13.0.0/16
  RegDate:    1983-02-24
  Updated:    2003-04-20

and

  CIDR:       144.128.0.0/16
  RegDate:    1990-12-13
  Updated:    2003-04-27

With the SM73-ARIN handle now being:

Name:       Miller, Steve
Handle:     SM73-ARIN
Company:
Address:    30 west 32nd st
City:       New York
StateProv:  NY
PostalCode: 10016
Country:    US
Comment:
RegDate:    1992-05-14
Updated:    2003-04-19
Phone:      +1-212-431-4321  (Office)
Email:      hostmaster at dsi-net.net

bbn.com (Genuity) most certainly wants to find out who twb_help at bbn.com
was going to in recent times.

That phone number (212-431-4321) sure looks bogus as well, and the fact that
it's ring-no-answer in the middle of the business day in New York certainly
shows that it's not an "Office" number. A quick Google search turns up the
phone number as the fax number of mouse.org, the "NYC Schools Volunteer
Organization".

Everything covered?

That leaves a few more suspects: any and all domain names that follow have
been registered in the last few days:

freshnewideas.net aka digitalstore-network.net with nameservers in the
stolen/hijacked space:

    NS1.DIGITALSTORE-NETWORK.NET   128.13.0.90
    NS2.DIGITALSTORE-NETWORK.NET   128.13.0.92

And that is:
 Rita Lee Marketing Inc
 901 Parkview Drive
 King of Prussia, PA 19406
    Lee, Rita  funnelcake at rock.com
    Lee, Rita  gallopinto at rock.com
    781.394.5655

(and remember, if it's "optin" by name, you can *really trust them*!)
Courtesy copy to rock.com (free email), to see if they really want to be
implicated in a hijacked/stolen network case.

And the two domains: well, HELLO WORLD! Nice to see you! (reg'd 2/7 days ago)
And always and again, the favorite registrar of IP space hijackers: Tucows.


 Domain name: FRESHNEWIDEAS.NET
 Registrar of Record: TUCOWS, INC.
 Record last updated on 26-Apr-2003.
 Record expires on 26-Apr-2004.
 Record Created on 26-Apr-2003.

 Domain name: DIGITALSTORE-NETWORK.NET
 Registrar of Record: TUCOWS, INC.
 Record last updated on 25-Apr-2003.
 Record expires on 21-Apr-2004.
 Record Created on 21-Apr-2003.

And now a little rDNS-scanning:

144.128.129.1 mx1.freshgoods-2urdoorstep.com
 through
144.128.129.254 mx254.freshgoods-2urdoorstep.com

 Domain name: FRESHGOODS-2URDOORSTEP.COM
 Registrar of Record: TUCOWS, INC.
 Record last updated on 26-Apr-2003.
 Record expires on 26-Apr-2004.
 Record Created on 26-Apr-2003.

And:
144.128.130.1 mx1.freshnewideas.net
 through
144.128.130.254 mx254.freshnewideas.net

And:
144.128.131.1 mx1.hightech-goods.com
 through
144.128.131.254 mx254.hightech-goods.com

 Domain name: HIGHTECH-GOODS.COM
 Registrar of Record: TUCOWS, INC.
 Record last updated on 26-Apr-2003.
 Record expires on 26-Apr-2004.
 Record Created on 26-Apr-2003.


144.128.65.2 server2.digital-superstore.net

 Domain name: DIGITAL-SUPERSTORE.NET
 Registrar of Record: TUCOWS, INC.
 Record last updated on 25-Apr-2003.
 Record expires on 21-Apr-2004.
 Record Created on 21-Apr-2003.

And now for the 128.13.0.0/16 space:

128.13.0.1 router.dsi-net.net
128.13.0.2 one.dsi-net.net
128.13.0.3 ns1.infinite-hosting.net
128.13.0.4 dnscache.dsi-net.net
128.13.0.5 mail.dsi-net.net
128.13.0.6 ns2.infinite-hosting.net

 Domain name: INFINITE-HOSTING.NET
   Hartford, Harry  admin at infinite-hosting.com
    732 Marysville Dr.
    Jersey City, NJ 07305
    US
    201-239-6725
 Registrar of Record: TUCOWS, INC.
 Record last updated on 19-Apr-2003.
 Record expires on 19-Apr-2004.
 Record Created on 19-Apr-2003.

"Infinite", eh? Yeah, with 2 /16's under the belt, it certainly feels that
way - until sometime later this afternoon, I am sure!

128.13.0.30 ns1.hosted-here.com
128.13.0.32 ns2.hosted-here.com

 Domain name: HOSTED-HERE.COM
 Gee, there's  Lee, Rita  funnelcake at rock.com again!
 Registrar of Record: TUCOWS, INC.
 Record last updated on 25-Apr-2003.
 Record expires on 25-Apr-2004.
 Record Created on 25-Apr-2003.

There's certainly a party here:
128.13.64.128 mail.infinite-hosting.net
128.13.64.130 mail.hosted-here.com
128.13.64.132 mail.digital-superstore.net
128.13.64.134 mail.digitalstore-network.net

And 2 very lonely hosts:
128.13.96.7 server1.digital-superstore.net
128.13.126.7 test1.digital-superstore.net

Last but not least: the domain used for the From: address of the probing
mails: 24hr-savings.com

 Domain name: 24HR-SAVINGS.COM
 Registrar of Record: TUCOWS, INC.
 Record last updated on 10-Apr-2003.
 Record expires on 10-Apr-2004.
 Record Created on 10-Apr-2003.
 NS1.INFINITE-HOSTING.COM   144.2.0.101
 NS2.INFINITE-HOSTING.COM   144.2.0.102
 Henderson, Dave  contact at ultimate-savings.com
 Ultimate Savings
 1321 Mill Creek Drive
 Cincinnati, OH 45221
 513-261-1254

 This is a bogus address, as far as Mapquest.com and Mapsonus.com are concerned.


This is one very big forged-identity, throwaway-domains fest here.

AS 15188 routes off into Null0 ....
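As an added example that is not part of Kai's post: the heuristic the post applies to AS 15188 (an origin AS silent for months, then announcing blocks whose ARIN records, POC handle and nameserver domain were all changed days earlier), written in Python over the route-listing format and the dates quoted above. The 60-day dormancy and 14-day clustering windows, the covering-/16 lookup and the three-flag threshold are assumptions of this example, not values from the post.

```python
import re
from datetime import date
# Constructed sample input: the post's route-listing format plus the dates it quotes
# (RIS first-seen, ARIN block "Updated", POC "Updated", nameserver domain "Created").
ROUTE_LISTING = """\
128.13.0.0/24   from AS:  15188  (upstreams: 12124)
128.13.64.0/20  from AS:  15188  (upstreams: 12124)
144.128.64.0/20 from AS:  15188  (upstreams: 12124)
144.128.128.0/19 from AS:  15188  (upstreams: 12124)
"""
EVIDENCE = {  # keyed by covering /16; values as quoted in the post
    "128.13.0.0/16": dict(first_announced=date(2003, 4, 22), block_updated=date(2003, 4, 20),
                          poc_updated=date(2003, 4, 19), ns_domain_created=date(2003, 4, 19)),
    "144.128.0.0/16": dict(first_announced=date(2003, 4, 27), block_updated=date(2003, 4, 27),
                           poc_updated=date(2003, 4, 19), ns_domain_created=date(2003, 4, 19)),
}
ORIGIN_LAST_SEEN = {15188: date(2003, 1, 4)}  # RIS: nothing from AS 15188 after this until 2003-04-22
ROUTE_RE = re.compile(r"^(\S+/\d+)\s+from AS:\s+(\d+)\s+\(upstreams:\s+([\d ]+)\)")

def parse_routes(text):
    """Map each announced prefix to (origin ASN, [upstream ASNs]) from the post's listing format."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[m.group(1)] = (int(m.group(2)), [int(u) for u in m.group(3).split()])
    return routes

def hijack_indicators(prefix, origin, evidence, origin_last_seen, window=14, dormant_days=60):
    """Red flags the post relies on: a long-silent origin AS, plus registry changes
    clustered within `window` days of the prefix first appearing in BGP (assumed thresholds)."""
    a, b = prefix.split(".")[:2]
    ev = evidence[f"{a}.{b}.0.0/16"]  # assumes the covering allocation is a /16, as in the post
    first = ev["first_announced"]
    flags = []
    last_seen = origin_last_seen.get(origin)
    if last_seen and (first - last_seen).days >= dormant_days:
        flags.append(f"origin AS{origin} silent for {(first - last_seen).days} days before announcing")
    for key, label in (("block_updated", "ARIN block record updated"),
                       ("poc_updated", "POC handle updated"),
                       ("ns_domain_created", "nameserver domain registered")):
        if abs((first - ev[key]).days) <= window:
            flags.append(f"{label} within {abs((first - ev[key]).days)} days of first announcement")
    return flags

def triage(listing, evidence=EVIDENCE, origin_last_seen=ORIGIN_LAST_SEEN, threshold=3):
    """Score every prefix in a listing; `threshold` or more flags marks it for manual review."""
    report = {}
    for prefix, (origin, _) in parse_routes(listing).items():
        flags = hijack_indicators(prefix, origin, evidence, origin_last_seen)
        report[prefix] = {"origin": origin, "flags": flags, "suspicious": len(flags) >= threshold}
    return report
```

Run against the listing above, every AS 15188 prefix collects all four flags; the same function with a fresh last-seen date or tight windows shows which flag carried the weight.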
