Hijacked IP space.

Jamie Reid Jamie.Reid at mbs.gov.on.ca
Tue Nov 4 05:54:07 UTC 2003


I must have missed the thread on this, but is there a good summary available
of exactly _how_ these netblocks are getting hijacked? 

Are they taking advantage of sloppy redistribution configurations, 0wning
routers, spoofing OSPF updates, taking advantage of default static
routes, or is there something more complicated at work? 

Are these attacks actually generating bogons, or are they isolated 
to ASNs they have at one point been legitimately announced by,
and forgotten? 

I can think up many more interesting applications for these kinds of
ghost-nets than spamming, all of which are quite, if you'll pardon the
pun, haunting.



--
Jamie.Reid, CISSP, jamie.reid at mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre 
Corporate Security, MBS  
416 327 2324 
>>> "chuck goolsbee" <chucklist at forest.net> 11/03/03 03:56pm >>>

All,

Sorry to interrupt any off-topic rambles, but I had a client call 
last week who had just had some telephone abuse heaped on them, by 
somebody accusing them of spamming. It turns out our client had a 
netblock assigned to them back in the mid-90's. They used to put on 
networking trade shows, and used the space for making show networks. 
They haven't put on a networking trade show (with a public network) 
since about 1997.

Of course to complicate the matter, the sole contact listed in whois 
no longer works there.

I informed our client how to remove their name from the whois record 
and relinquish the netblock back to ARIN, which I hope they are doing 
now.

I also have (at the suggestion of some research through the nanog 
archives) submitted the netblock to the completewhois site.

[I have no interest in commenting on the current inane OT nanog 
thread about that subject, so don't even try me.]

Mr. Thomas' cymru.com service was offline when I tried to contact it 
last week (he replied via email about an outage... sorry to hear... 
coffee will get there eventually. Order put to the roaster today. - 
hang in there.)

Of course I have no hard data, other than my client's phone call 
about another phone call, so I can't query based on a timestamp to 
see where this was being announced from. It appears to have vanished, and 
has remained so according to my casual glances here and there.

The netblock in question is:

204.89.0.0/21



So, my question is: Other than the above, and mentioning it here, is 
there anything else *I* can do to assist my client? Especially since 
I am not at all directly related to this netblock in any way. 
Additionally, it would not hurt to know if anyone here *does* know 
when or where the announcement came from.


The client in question are good folks, and I hate to see their 
reputation tainted by the actions of others.



Thanks,

--chuck goolsbee, digital.forest