The in-your-face hijacking example, was: Re: Who is announcing bogons?
kai at pac-rim.net
Thu May 1 22:56:21 UTC 2003
[summary. - What started as a posting of an example for widespread
wrongful, if not criminal conduct involving hijacking of IP space
is now progressing into particulars of that example that most
certainly don't concern network operations at large, rather than
the general issue of stolen/hijacked/embezzled IP allocations in use
by rogue parties for rogue purposes. This I fear will be with us for
some considerable time to come. Please restrain your follow-up postings
to the NANOG list bearing this in mind.]
On 4/30/2003 at 12:46 PM, Scott Granados <scott at wworks.net> wrote:
> When doing a look up at whois.arin.net the data looks correct, phone
> numbers listed are correct, and more importantly bills sent to the address
> listed get paid. So since the whois data matches the customer and nobody
> else announces the block I don't see the problem. Clearly someone or
Clearly you don't see the problem. Or won't.
> something at Arin has given authority to this block to be used and that
> authorized figure has requested service from us.
ARIN has done no such thing, as I have documented with meticulous detail.
ARIN assigns IP space to organizations, not individuals owning the
POC, and such POCs are not authorized to act on their own and make use
of such assignment for another organization on their own whim. I call
on ARIN to immediately suspend the assignment of 188.8.131.52/16 based
on the probable cause I and others have delivered that makes it likely,
if not certain, that the ARIN principles of assignment have been violated
in this case. Do I need to mention "Trafalgar House Group"?
> I'm not sure the mission you're on but it seems like a real misuse of time.
> This customer is not advertising someone else's space, i.e. advertising
> 184.108.40.206 for a goof or to be disrupting services.
See "220.127.116.11/3" below to avoid me having to repeat my own arguments.
I think you are quite sure about my mission about now. Some examples
have to be made to deter others.
On 4/30/2003 at 6:20 PM, Scott Granados <scott at wworks.net> wrote:
> Exactly, and I'm not sure what the whole reason for this thread is with
> the exception of I do understand if the space is previously announced. If
You are questioning the purpose of this discussion re: your direct
customer's use of illicit/stolen/hijacked IP space, unless the space was
'previously used', while the purpose is, as you have certainly noticed, that
the allocated space's registration is by nearly all stretches of
imagination illicit, fraudulent or both?
Gee, let's see: I will start to announce 18.104.22.168/3 starting NOW,
because: well, it's not used, and I have somehow gained control over
"iana.org": what is the big deal anyway, you say?
> the requirements for arin are met and if arin makes the appropriate
> changes to the whois records isn't that enough?
And you have been presented with bona fide probable cause that such
changes that were made BY YOUR CUSTOMER (unless you want to blame
the automatic form processors at ARIN for not paying attention, as
I am quite sure that no humans there were involved until now) were
made in bad faith and while deceiving ARIN about matters of identity
regarding that allocation?
> Obviously, making announcements can be more complex than that, i.e. a customer
> has company A IP space but buys service from company B so they wish to
> announce A's IPs through B. If SWIP or rwhois data matches again this
> should be ok assuming someone referred to as a contact makes the request.
Not if you are presented with an unusual request, such as authorization
for the announcement of an entire /16 that had its contact details changed
days before - in that case, one can reasonably expect a whole different
level of scrutiny than for say: a /20 that has up-to-date contact info
yet has not been updated in 2-3 years. ARIN does have a listed phone number,
On 4/30/2003 at 6:42 PM, Scott Granados <scott at wworks.net> wrote:
> In point of fact a credit check was done including the contacting of three
> trade references and some other searches,
care to share the name of the corporation and D&B number of that business
you ran this check against, presuming it was the sought-after
On 4/30/2003 at 7:50 PM, Scott Granados <scott at wworks.net> wrote:
> I'd say our official position is that I'm not sure:).
> I'm just unclear on this whole thing so forgive me, [...]
> I'm just unclear and not certain that anything improper has happened yet.
I am not clear. And there is no bridge.
And you are probably unclear about THIS as well:
On 4/30/2003 at 6:56 PM, Kevin Brott <kbrott at ELI.NET> wrote on SPAM-L:
> Date: Wed, 30 Apr 2003 15:56:50 -0700
> Subject: Re: BLOCK: wworks.net/AS26346, update SPEWS S2489
> At 02:17 PM 4/30/2003, Little Punk wrote:
>> And the beat goes on: 22.214.171.124/16 sliced, diced and meshed by Kai over
>> on the NANOG list.
> All routes to/from the parts of that block under wworks.net are
> currently suppressed at our edge routers. This was prompted by having our
> senior firewall admin discover through some clever logfile correlations
> that they were the source of daily vigorous open-proxy scans across
> portions (if not the entirety) of all of our registered netblocks.
> Notices to wworks.net only resulted in claimed null-routes, whereupon the
> IP of the source shifted at the next expected scan-time.
> Our engineering staff is currently working on a more 'permanent' fix.
> === Today's Fortune ===
> He who hesitates is last.
(the fortune has an eerie significance here, I think)
And following up on that, I have personal email in my Inbox that has a few
similar things to say about you and your downstream Atrivo to that effect.
I think your credibility with me is reaching a very deep low very fast, and
the fact that abuse.net is listing no less than 3 of your upstreams as
contacts for complaints relating to wworks.net is a very big hint that some
people out there are not very satisfied with your handling of abuse issues,
with some of these issues being pointed out to you by other people in this
thread. It makes me think that it will become necessary to address abuse
issues involving IP space announced with your AS in the AS path directly
with AS's 11608, 8121, 293, 6517, 6939 instead of you. Not that the latter 2
would care to address such issues one bit.
On 4/30/2003 at 8:04 PM, Scott Granados <scott at wworks.net> wrote:
> [...] So sincerely I'm not sure what the problem is.
> Now someone mentioned that LAnet owned the block. If LAnet calls me up
> or sends me proper proof it's their block I'd pull the announcement. Else,
> if someone here convinces me that it's improper, I'll pull the announcement,
<sarcasm mode on>
"gee kid! you can't continue to hit up stores and gas stations like that!
If I catch you the next time, there'll be SERIOUS consequences! Now,
move along!" *pat-on-back*
That reminds me of UUnet and Teleglobe's treatment of rogue AS 16506
(ayayai.com/eveloz.com/SPEWS S1348) recently, when confronted with the
unlikely possibility that a German steel mill had moved to the swamps of
Panama (126.96.36.199/16). Teleglobe filtered the announcement after other
people's intervention (but after ignoring 2 complaints pointing out the
obvious from me) or made AS 16505 stop it with a "friendly warning",
while UUnet outright denied being responsible, or AS 16506 being their
customer to begin with (at least that's what the official email
correspondence would make any reader believe); then went on with business
[ Nice going, UUnet. Are your managers and VPs-of-something-or-other drawing
matches over who will take the blame and go to prison for housing relay-
and proxy-raping spamware sites ("burglary tools") in violation of the
new Virginia spam law, and defending such hosting up to VP level for
2-3 years? (see www.spamhaus.org, there was a reference to that a
> but on the surface I do think he's on OK ground. I actually asked Emil to
> join the list and discussion on this; I'm assuming it's on topic.
Oh, didn't we look forward to that.
On 5/1/2003 at 1:42 AM, emil at atrivo.com wrote:
[reformatted to 78 columns - which some folks here will appreciate]
> Let's see if we can clarify this once and for all. ISD owner was a good
> friend of mine and helped me when I ran a computer store.
good friends/individuals do not have /16's allocated to them.
Big institutions have /16's. Such institutions are decidedly too busy and
not in the business of helping other people run their computer stores.
> Without him I couldn't run the store and over the years I have repaid him
> for his contributions.
> A few years ago I closed the computer store and started Atrivo.
Do you pay taxes in California, Emil? Is your business incorporated?
If it's not incorporated, have you filed a D/B/A "Atrivo" with the state?
(With apologies to Hank and Barry: http://www.nanog.org/mtg-0302/ppt/hank.pdf)
"Pull over and show us your state incorporation certificate and business
> After discussing our expansion plans to Rob, I came to find out that he did
> possess a /16 which his now defunct company wasn't using anymore.
So his name is "Rob", hmm? Rob who?
Care to name the defunct corporation, its corporate officers and provide
us with the obvious link through http://kepler.ss.ca.gov/list.html ?
ARIN will be most interested to hear that Rob believes he owns a /16.
Is Rob the legal receiver of assets of his defunct corporation? (never mind
that allocated space is not a tangible asset that can be owned by ARIN's
But if we follow Richard Cox's posted lead:
dated Sept 19, 1999, containing the then-registrant of this /16:
188.8.131.52 ISD NET-LANET-1 9150 E. Imperial Hwy. Downey, CA 90242
which leads us directly to:
dated Sept 19, 2002:
"5. ISD-Downey Data Processing Center 9150 East Imperial Highway,
Leading me to believe that this /16 is allocated to Los Angeles
County's data processing center, and not "Rob".
How telling: points 2. through 4. in the document describe
"District Attorney" facilities - an entity I took the liberty of
Cc:'ing on this mail.
Why don't you turn yourself in for this great stunt at this point, Emil?
I am sure that'll avoid unnecessary time spent in Lompoc or at the
Pelican Bay State penitentiary.
> From that point I found out what it would take from Arin to have us use
> the space. We followed all the steps that Arin had told us to do.
I am sure that ARIN will make any emails regarding this available for
scrutiny by a trusted party and the LA County DA's office.
> We of course wanted to update contact information to reflect the new change
> and so we can respond to any issues that may arrive running an ISP.
I am wondering what we will get if someone faxes the UPS Store and demands to
see what you list as your corporate HQ on the paperwork when you opened that
PO BOX. You ARE using the box for commercial purposes and in public, after all,
which is enough to satisfy the disclosure requirements under Postal
> All our providers and vendors know us as a respectable company.
As long as the bills get paid on time, they will hardly if ever have
a problem with the ongoing abuse from your netblock and the /16 that
I continue to say is hijacked, for lack of further evidence beyond the
information we have, and which evidence is establishing probable cause
for that statement.
> There is nothing wrong that we have done and all this witch hunting is
> unjust and unfair. Might I mention that Spews, SpamHaus or anyone that has
Uh, oh. The words "Witch hunt" and "SPEWS, Spamhaus" were uttered in
the same breath. History will repeat itself.
> made these claims has not even attempted to give me a call.
You run an 'ISP' and expect to deal with such an affair without email,
given the complexity of the affair?
On 5/1/2003 at 2:28 AM, Dan Hollis wrote and summed this up:
> Maybe because they expect your email to actually work, and don't
> care to spend money calling you long distance?
> You have got porno spammers in these netblocks scanning for open
> relays and relay raping innocent third parties.
read: repeat 'business' as far as abuse is concerned, and I think I
have heard the word "null-route" once too many times by now. Null-route
is not customer "termination and sanctions". Especially not when the
source of abuse is going elsewhere in your space within a short period
> I have even tried to make arrangements to meet up at the colo and to
> show anyone that we are for real. Of course this has been always declined.
No one here wants proof that you operate equipment in a datacenter.
We already knew that.
> Well I don't know how much this will help, since it seems that no matter
> what I offer or do is just not enough. Maybe I have to give my DNA just to
> prove who I am?
Oh, we will reasonably believe that you exist and are a real person.
Just like Nick Geyer. What we want is proof beyond a reasonable doubt that
you didn't deceive ARIN or violate ARIN allocation rules in taking over that
/16. And that proof can't come from you at this point, for obvious lack of
credibility, given the allegations and probable cause.
> Atrivo - Web Innovation
> Emil Kacperski
> Phone: 925-550-3947
> E-mail: emil at atrivo.com
> ICQ: 23531098
The unincorporated corporation operating out of a UPS Store, armed with
a PacBell cell phone and an ICQ account, and proud POC of a /16.
Are you implying that 1372 North Main Street, Ste #205, Walnut Creek,
CA 94596, 925-627-2000 is no longer your business address/number?
And last but not least:
On 5/1/2003 at 2:20 AM, Scott Granados <scott at wworks.net> wrote:
> I would also like to state on Emil's behalf [...]
> Emil has on many occasions restarted machines or helped with server
> work in the colos we occupy together
We see. I think that cooperation will be the subject of further
> I'll also publicly offer here to assist Emil in obtaining a direct
> allocation which would be entirely new if he wishes that may put this matter
> to bed as well.
I don't think the state allows routed Internet connections to where Emil
might be heading next, so he might not be needing it. And if you are
indeed sharing facilities like that, why did he need his own ASN?
> I'm quite certain that this has gone way way off topic however so I'll stop
> here and hopefully we can get back to more operational discussions.
"How to set up your route-prefix filters to drop all routes received with
a specific AS present in the AS path" - but that wouldn't teach anyone here
Current routes for the /16:
184.108.40.206/19 16631 27595
220.127.116.11/24 16631 (was 6939 26346 27595 earlier today)
18.104.22.168/24 16631 (was 6939 26346 27595 earlier today)
22.214.171.124/24 11608 26346
126.96.36.199/32 11608 26346 (how does 11608 leak that into the Oregon-IX?)
(Scott said: "Can't have one on 188.8.131.52 I null routed it some time ago
as it was a compromised machine." Gee. So has anyone recorded this route,
and if yes: when?)
184.108.40.206/24 11608 26346
Moved 2 /24's to Cogent in a hurry?
And obviously, filtering 220.127.116.11/24 and 18.104.22.168/24 to world (except
AS 27595 peering, with no-export set) would have been a grand idea for
wworks.net (26346), but whaddaya know.
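The route table above (with its "was ... earlier today" notes) and the closing remark about dropping routes by AS in the path are the kind of thing a defender would script rather than eyeball. The following is an added example, not code from the original post: it parses a snapshot in the same "prefix AS-path" layout, flags routes whose origin is not the expected one for a monitored block, more-specifics longer than /24, and any path carrying a watched AS, and diffs two snapshots for origin changes. The prefixes (RFC 2544 range), AS numbers (RFC 5398 documentation range), expected-origin baseline and watch list are all constructed assumptions.

```python
"""Audit a BGP table snapshot written in the post's "<prefix> <as-path>" layout.
Added example, not from the NANOG post. The last AS of a path is its origin.
Prefixes (RFC 2544 range) and ASNs (RFC 5398 range) are constructed; the
expected-origin baseline and the watch list are assumptions."""
import ipaddress

EXPECTED_ORIGIN = {ipaddress.ip_network("198.18.0.0/16"): {64496}}  # assumed baseline
WATCHED_AS = {64500}   # ASNs whose appearance anywhere in a path should be flagged
MAX_PREFIX_LEN = 24    # longer announcements (a stray /32, say) are worth a look

def parse(snapshot):
    """Yield (network, path tuple) for each non-empty 'prefix as as ...' line."""
    for line in snapshot.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield ipaddress.ip_network(parts[0]), tuple(int(a) for a in parts[1:])

def audit(snapshot):
    """Return sorted (prefix, reason) findings for one snapshot."""
    findings = []
    for net, path in parse(snapshot):
        origin = path[-1]
        for block, allowed in EXPECTED_ORIGIN.items():
            if not net.subnet_of(block):
                continue
            if origin not in allowed:
                findings.append((str(net), f"origin AS{origin} not in {sorted(allowed)}"))
            if net.prefixlen > MAX_PREFIX_LEN:
                findings.append((str(net), f"/{net.prefixlen} more-specific of {block}"))
        for asn in sorted(WATCHED_AS.intersection(path)):
            findings.append((str(net), f"watched AS{asn} in path"))
    return sorted(findings)

def origin_changes(old_snapshot, new_snapshot):
    """Map prefix -> (old origin, new origin) for prefixes whose origin moved."""
    old = {str(n): p[-1] for n, p in parse(old_snapshot)}
    new = {str(n): p[-1] for n, p in parse(new_snapshot)}
    return {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}

# Constructed snapshots: the table "earlier today" and the table now.
EARLIER = """198.18.0.0/19 64511 64500 64496
198.18.32.0/24 64511 64500 64496
198.18.33.0/24 64511 64500 64496
"""
NOW = """198.18.0.0/19 64511 64496
198.18.32.0/24 64511 64497
198.18.33.0/24 64511 64497
198.18.40.5/32 64511 64500 64497
"""
```

Running audit(NOW) reports the two /24s and the /32 that moved to an unexpected origin, plus the /32 for its length and for carrying the watched AS; origin_changes(EARLIER, NOW) shows the two /24s that changed origin between the snapshots.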