Another possibly hijacked block -

william at william at
Wed May 14 01:59:47 UTC 2003

> On Sun, 11 May 2003 22:26:46 -0700 (PDT), william at wrote:
> | In any case, this calls for active blocking of this /16 from anybody
> | who does not want to provide services to spammers and ip hijackers.
> | As for XO and Internap, (I'm sure somebody is here from these
> | companies) - take notice and get rid of this customer!!!
> Since clearing up the "Trafalgar House" hijacks, several people have
> written me pointing out an even larger number of probably-hijacked
> blocks that they think should be investigated.  I've researched what
> I can, and drawn the attention of ARIN, and the relevant upstreams,
> to BGP announcements that research suggests may be inappropriate.
> What I have avoided doing is reporting all the gory details here,
> except where there was some specific relevance in doing so.

  I agree with this, but I could not go any futher on the South African 
block, needed help from somebody local to find out what company the block 
should belong now. But on my own I also did research on two other blocks 
hijacked by "Naronda/Publicom Gang" and announced through AS8143 - and Owners of both of the blocks have been 
definetly identified (a lot more certain there then for 
block) and I've sent reports to these companies and to ARIN. 

  Based on these and other information, XO yesterday has stopped announcement
from AS8143 on ther network. Only Internap remains, but I'v been completely
unsussfull on getting ANY response from their abuse team. As such I've 
focused on Internap upstreams - Verio and Global Crossing. Verio is more 
responsive and has already received all necessary information and will 
probably shut down their announcements after reviewing that, Global Crossing
security team still has not responded back to me though, I'm however still
hopefull that by tomorrow both Verio and Global Crossing will shut down
the hijacked block announcements through their networks.
> I have, as promised, set up the mailing list - hijacked at
> for reports and evaluation of likely incidents of IP block hijacking,
> and if the outcome of any evaluation is that hijacking is confirmed,
> the details can be sent to the upstreams and ARIN for consideration.
> I would hope that ARIN and the major networks will want to join that
> list and follow the discussions there anyway.

Great, I'll work with others on that list now.
And if anybody is interested in seeing details on findings on who the 
blocks hijacked by Naronda/Publicom Gang belong too, I'll post information
on that mailing list shortly.

> That list is now open; initial requests have been added manually, and
> anyone else who wishes to join will need to send the usual incantation
> to majordomo at and then respond to the email challenge.
> To avoid misunderstanding can I say very clearly that the "hijacked"
> list will not be discussing any aspect of ARIN's (or indeed any other
> registries') procedure or policies: such matters are more appropriate
> to the individual policy fora of each registry/community.
> At Matthew Sullivan's kind suggestion, a DNS-BL of confirmed hijacked
> IP blocks is now live and available as a separate specific zone within
> the SORBS project; details at  Networks can
> therefore prevent abuse from hijacked netblocks by using SORBS' DNSBL.
> Richard Cox

More information about the NANOG mailing list