Another possibly hijacked block -

Richard Cox Richard at
Wed May 14 03:43:04 UTC 2003

On Sun, 11 May 2003 22:26:46 -0700 (PDT), william at wrote:
| In any case, this calls for active blocking of this /16 from anybody
| who does not want to provide services to spammers and ip hijackers.
| As for XO and Internap, (I'm sure somebody is here from these
| companies) - take notice and get rid of this customer!!!

Since clearing up the "Trafalgar House" hijacks, several people have
written me pointing out an even larger number of probably-hijacked
blocks that they think should be investigated.  I've researched what
I can, and drawn the attention of ARIN, and the relevant upstreams,
to BGP announcements that research suggests may be inappropriate.

What I have avoided doing is reporting all the gory details here,
except where there was some specific relevance in doing so.

I have, as promised, set up the mailing list - hijacked at
for reports and evaluation of likely incidents of IP block hijacking,
and if the outcome of any evaluation is that hijacking is confirmed,
the details can be sent to the upstreams and ARIN for consideration.
I would hope that ARIN and the major networks will want to join that
list and follow the discussions there anyway.

That list is now open; initial requests have been added manually, and
anyone else who wishes to join will need to send the usual incantation
to majordomo at and then respond to the email challenge.

To avoid misunderstanding can I say very clearly that the "hijacked"
list will not be discussing any aspect of ARIN's (or indeed any other
registries') procedure or policies: such matters are more appropriate
to the individual policy fora of each registry/community.

At Matthew Sullivan's kind suggestion, a DNS-BL of confirmed hijacked
IP blocks is now live and available as a separate specific zone within
the SORBS project; details at  Networks can
therefore prevent abuse from hijacked netblocks by using SORBS' DNSBL.

Richard Cox

More information about the NANOG mailing list