The in-your-face hijacking example, was: Re: Who is announcing bogons?

Kai Schlichting kai at pac-rim.net
Wed Apr 30 16:34:07 UTC 2003


On 4/30/2003 at 3:26 AM, Hank Nussbacher  wrote:


> At 06:09 AM 30-04-03 +0000, Christopher L. Morrow wrote:

>>That may be true, but what does a provider do when they are presented with
>>written 'authority to use address space' from a customer? Certainly if the
>>customer provides 'proper' documentation that the ip space is available
>>for them to route, and that they have authority from the 'owner' to do
>>this... what is an ISP to do? Aside from route the blocks?

> A very valid question and one that all too few ISPs handle.  How many ISPs 
> have as part of their implementation/provisioning process an item called 
> "check IP address space against IRRs"?

> I would suggest that written proof of ownership is not enough and that part 
> of the legal framework each ISP has customers complete that it state 
> something to the effect "IP address space and ASNs announced by the 
> customer must be properly registered in one of the online IRRs such as 
> ARIN, RADB, APNIC or RIPE and must reflect the name of the organization 
> placing the request."

> -Hank

It has been brought to my attention that such written/faxed authorization
letters are outright forged at times. Copy&Paste job on the letterhead,
an imaginary letterhead for a company that hasn't been in existence for
years, etc.

In light of the recent hijackings, any customer coming in the door with
a /16 or with purported IP space located in a /16  that has been recently
updated, but not routed, should be given the full royal treatment of a
background check: Pull over and show us your state incorporation certificate
and your seal...and dare you if the corporation is listed as "inactive"
with the state, or the incorporation date is past the date the space was
registered, or you don't have the paperwork showing your legal successorship
to such corporation.

The fact that a customer owns a domain that includes DNS servers and
MX's for the registered POCs for a space means nothing (paging Scott
Granados!). Just have a look at rogue AS 27595 (RegDate: 2003-04-07)
(atrivo.com) interesting 'ownership' of some of their announced space:

   OrgName:    ISD
   OrgID:      ISD-1
   Address:    180 Golf Club Road #118
   City:       Pleasant Hill
   StateProv:  CA
   PostalCode: 94523

   NetRange:   170.208.0.0 - 170.208.255.255
   CIDR:       170.208.0.0/16
   NetName:    LANET-1
   NetHandle:  NET-170-208-0-0-1
   Parent:     NET-170-0-0-0-0
   NetType:    Direct Allocation
   NameServer: MAIL.ATRIVO.COM
   NameServer: PAVEL.ATRIVO.COM
   Comment:
   RegDate:    1995-01-05
   Updated:    2003-03-04

How many owners of a /16 do you know that use an MBE/UPS Store address
as their primary place of business?

This is matching the current ARIN POC for the space:

   Name:       Kacperski, Emil
   Handle:     EKA4-ARIN
   Company:    Atrivo
   Address:    180 Golf Club Road #118
   City:       Pleasant Hill
   StateProv:  CA
   PostalCode: 94523

http://kepler.ss.ca.gov/list.html shows no fitting matches for "ISD"
or "I.S.D." residing anywhere near Pleasanton, nor is there any
corporation by the name of "Atrivo" in the California Republic.


And comparing this record with a historical one shown at:
http://spews.org/html/S2489.html shows:

     OrgName:    ISD
     OrgID:      ISD-1
     Address:    1324 South Ridge Parkway
     City:       Beverly Hills
     StateProv:  CA
     PostalCode: 90210
     Updated:    2003-01-23

     TechHandle: DS127-ARIN
     TechName:   Shelley, Dennis
     TechPhone:  +1-213-246-6565
     TechEmail:  dshelley58 at netscape.net

This is a non-existing address as shown by Yahoo Maps, Mapquest and Mapsonus,
in other words: pure fiction.

Any other owners of freemail accounts in possession of a free /16 ?

Paging ARIN: who or what is that "ISD" corporation that this /16 was
originally assigned to, back in 1995 (a year before ARIN was formed)?



In unrelated news: can someone explain to me the exact meaning of multiple
AS numbers enclosed in {}'s (or []'s as far as RIS RIPE's display is
concerned) at the end of the AS path?

*  162.33.64.0/19   207.246.129.6                          0 11608 2914 3356 14390 {22714,27481} i
*                   4.0.4.90              1080             0 1 701 14390 {22714,27481} i
*                   203.194.0.5                            0 9942 1 701 14390 {22714,27481} i
*                   192.205.31.33                          0 7018 3356 14390 {22714,27481} i
*                   195.66.224.82        31502             0 4513 3356 14390 {22714,27481} i
*                   216.140.2.59           981             0 6395 3356 14390 {22714,27481} i

I am familiar with announcements with inconsistent AS's, but what exactly does
the above mean?

bye,Kai
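
The background check described in the message above (a /16 or larger legacy block whose registration was recently updated but which is not routed, and an incorporation date later than the date the space was registered) can be written as a provisioning-time check. This is an added example, not part of the original post: the function names, the thresholds and the caller-supplied `routed` and `incorporated` inputs are assumptions, and the record text is copied from the ARIN output quoted above.

```python
import ipaddress
from datetime import date

# Fields copied from the ARIN record quoted in the post.
SAMPLE_WHOIS = """\
OrgName:    ISD
Address:    180 Golf Club Road #118
CIDR:       170.208.0.0/16
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM
Comment:
RegDate:    1995-01-05
Updated:    2003-03-04
"""

def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys (NameServer) accumulate in a list."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            rec.setdefault(key.strip(), []).append(value.strip())
    return rec

def review_flags(rec, today, incorporated=None, routed=False,
                 dormant_years=5, recent_days=180, big_prefixlen=16):
    """Return reasons to hold a routing request for a manual background check.

    incorporated: incorporation date from the state registry, None if no match
                  (hypothetical input, looked up by the provisioning staff).
    routed:       whether the block was already seen in routing tables before
                  this request (hypothetical input, e.g. from a route collector).
    The three thresholds are illustrative assumptions, not values from the post.
    """
    flags = []
    net = ipaddress.ip_network(rec["CIDR"][0])
    reg = date.fromisoformat(rec["RegDate"][0])
    upd = date.fromisoformat(rec["Updated"][0])
    old_allocation = (upd - reg).days >= dormant_years * 365
    recent_update = (today - upd).days <= recent_days
    if net.prefixlen <= big_prefixlen and old_allocation and recent_update and not routed:
        flags.append("legacy-block-recently-updated-but-unrouted")
    if incorporated is None:
        flags.append("no-incorporation-record-found")
    elif incorporated > reg:
        flags.append("incorporated-after-space-registered")
    return flags
```

Nameservers and POC addresses are parsed but deliberately not scored, since the post's point is that control of those fields proves nothing about ownership.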



