Hijacked IP blocks

william at elan.net
Tue Oct 21 02:16:06 UTC 2003


As some of you have seen from sessions today, hijacking of IPs has been 
noticed by many. I want to give a report of what the current situation is, as 
I've been monitoring known hijacked IP ranges and active use of those.
The active list is included later in this email and is available online at
http://www.completewhois.com/hijacked/hijacked_flist-bgp_routed_asannounced-details.txt

First I want to thank quite a number of companies, both large and smaller, 
for helping to deal with this problem. By now very few IP blocks are left 
that were hijacked and are still in active use; in fact, 1/2 of the ones 
left announcing space are victims that were resold the space (particularly
in the 146.20.0.0/8 block; I wish they would finally renumber out of these 
blocks, some of them have had 4 months to do it from the original notice). 

New hijacked blocks do not appear to be such a common occurrence by 
spammers, which makes things easier (but we must still remember what 
happened before, and all of you must remember to take care of the resources 
for which you may be listed as an admin). If your company is being acquired, 
make sure when you leave the company that a new administrator is assigned from 
the new company (if this is not possible, inform ARIN that the IP block will be left 
without an active administrator and what led to this). Those of you that were 
administrators for companies no longer in business (even going back up to 
10 years), please, if you remember what the IP blocks were, check on 
what whois currently looks like and who that company's domains are 
registered to. If you find problems, address them to ARIN or to completewhois
for investigation about what happened to the original company.

Now today at the NANOG meeting I was approached by a group of people concerned 
that there are too many names of network engineers listed on the site. I 
have to point out that I make all possible efforts to contact network engineers
and have them resolve questionable problems on their own - some just do 
not answer such emails, but others did, and netblocks with references to 
those people, no matter if those people may have been involved in hijacking
or not, are not mentioned on the site. I would hope that I would not have 
to approach you in the first place, considering the recent ARIN announcement
http://www.arin.net/announcements/20031014.html (with which, BTW, I do not 
fully agree - reporting every case to authorities may be going too 
far - but they may not have any choice, either do it for all or for none).
So I hope that any of you that may have questionable blocks in current 
use would on your own stop and return them to the state they were in before in 
whois, or return them to ARIN, or continue using the blocks and apply to
officially transfer them (remember ARIN currently does transfers at no 
extra charge; this will not last forever!!!).

The group that approached me had specific concerns because, while some may
have been mentioned on the site as directly involved in hijacking, which I 
think is appropriate to them, others may have been mentioned indirectly 
when their whois records were listed under some block's current use 
section. I want to stress that active use in no way implies any 
connection to hijacking; it is simply the result of DNS and related whois
info on what the active use of the block is and what it has been (i.e. ISP 
customers, IRC, spam sites, etc.), and having it comes in very useful for 
correlation between different cases, and people previously asked me to 
include it, in fact. To differentiate this data, I'm willing to 
put a disclaimer up in each file regarding data listed in the active use 
section. Please make your suggestions on the best text for this to me 
privately or on the hijacked mail list when I bring this topic up there. I 
also understand that a number of people do not want Google and other search 
engines to be able to reference their names and other data if it's in the 
current use section. Please make suggestions on how to best achieve this 
without stopping Google from searching other sections of the site. Would 
the solution of separating current use data into separate files in a separate
directory and putting a robots.txt file there work? Should I also make sure 
that people are only able to reference those files when they first looked 
at the data in the primary data file?

And understand that if I do not hear your concerns, I would not know what 
may be wrong with the completewhois hijacked section or what is done wrong 
as far as investigations go. I do answer emails, even if it may take several 
days sometimes, and have in the past made changes based on what has been 
suggested.

Now going back to the top of this post, below is the list of actively 
advertised hijacked blocks (the same program that has been used for bogon 
advertisements has been used here as well):

142.105.220.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
142.105.224.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
142.105.228.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
142.105.232.0/22 ## AS3908 : SUPERNETASBLK : SuperNet, Inc.
146.20.36.0/22 ## AS20473 : NETTRANS : NetTransactions, LLC
146.20.40.0/21 ## AS20473 : NETTRANS : NetTransactions, LLC
146.20.48.0/20 ## AS23131 : STARLAN : Starlan Communications Inc.
146.20.64.0/19 ## AS12277 : TRACON : Tracon Industries
146.20.80.0/22 ## AS3638 : GLOBALI : Shaman Exchange, Inc.
146.20.80.0/21 ## AS12277 : TRACON : Tracon Industries
146.20.88.0/22 ## AS12277 : TRACON : Tracon Industries
192.107.49.0/24 ## AS30080 : BA-CONSULTING : BA Consulting
198.182.182.0/24 ## AS16631 : COGENT-ASN : Cogent Communications
199.245.138.0/24 ## AS30080 : BA-CONSULTING : BA Consulting
203.29.33.0/24 ## AS3491 : CAIS-ASN : CAIS Internet
203.29.34.0/24 ## AS16631 : COGENT-ASN : Cogent Communications
203.30.20.0/24 ## AS3491 : CAIS-ASN : CAIS Internet
203.30.26.0/23 ## AS3491 : CAIS-ASN : CAIS Internet
203.55.84.0/22 ## AS3409 : INET-1-AS : Internetworks, Inc.
204.155.240.0/20 ## AS16631 : COGENT-ASN : Cogent Communications
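One way to reproduce the kind of check behind the list above, as an added example that is not the author's monitoring program: it parses watch-list lines in the post's `prefix ## ASN : handle : org` format and flags observed BGP announcements that exactly match, are more specific than, or cover a listed block, noting whether the origin AS is the one on the list. The route snapshot and the AS65000 aggregate are constructed sample input, not routes from the page.

```python
import ipaddress

# Constructed watch list, a few entries in the post's "## AS : handle : org" format.
HIJACKED_LIST = """\
146.20.64.0/19 ## AS12277 : TRACON : Tracon Industries
146.20.80.0/22 ## AS3638 : GLOBALI : Shaman Exchange, Inc.
192.107.49.0/24 ## AS30080 : BA-CONSULTING : BA Consulting
"""

# Constructed BGP table snapshot: (prefix, origin AS) as a route collector would show it.
OBSERVED_ROUTES = [
    ("146.20.64.0/19", 12277),   # exact match of a listed block, same origin
    ("146.20.80.0/21", 12277),   # more specific than the /19, covers the /22
    ("146.20.0.0/16", 65000),    # hypothetical covering aggregate (constructed AS)
    ("192.107.49.0/24", 30080),  # exact match
    ("198.51.100.0/24", 64496),  # unrelated documentation prefix, must not match
]


def parse_watchlist(text):
    """Return [(network, asn, handle, org)] from watch-list lines; blank lines skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, rest = line.split("##", 1)
        asn, handle, org = [f.strip() for f in rest.split(":", 2)]
        entries.append((ipaddress.ip_network(prefix.strip()), int(asn[2:]), handle, org))
    return entries


def match_routes(routes, watchlist):
    """Return (prefix, asn, relation, listed_prefix, same_origin) for every overlap.

    relation is "exact", "more-specific" (route lies inside a listed block) or
    "covering" (route is an aggregate that contains a listed block); a single
    announcement can overlap several listed blocks and yields one hit per block.
    """
    hits = []
    for pfx_str, asn in routes:
        pfx = ipaddress.ip_network(pfx_str)
        for wpfx, wasn, _handle, _org in watchlist:
            if pfx == wpfx:
                rel = "exact"
            elif pfx.subnet_of(wpfx):
                rel = "more-specific"
            elif wpfx.subnet_of(pfx):
                rel = "covering"
            else:
                continue
            hits.append((pfx_str, asn, rel, str(wpfx), asn == wasn))
    return hits
```

Feeding a real table dump from a route collector into `OBSERVED_ROUTES` instead of the sample gives the same "is this block announced, and by whom" view the post reports.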

And for comparison, here is what this looked like on Sep 26th when I 
started active monitoring (I also have manual data from early August, but 
it would take too long to put it into email. I can say, though, that there 
were twice as many hijacked announcements then; things have really 
changed for good in the last several months as more people and RIRs 
themselves became aware of these issues).

139.81.128.0/17 # AS22653 - GlobalCompass
142.105.0.0/21 # AS19800 - Grant County Public Utility 
142.105.220.0/22 # AS3908 - Supernet
142.105.224.0/22 # AS3908 - Supernet
142.105.228.0/22 # AS3908 - Supernet
142.105.232.0/22 # AS3908 - Supernet
142.247.0.0/16 # AS577 - bell.ca 
(Note - this is proper announcement on behalf on behalf of MDS)
146.20.36.0/22 # AS20473 - NetTransactions
146.20.40.0/21 # AS20473 - NetTransactions
146.20.48.0/20 # AS23131 - Starlan
146.20.64.0/19 # AS12277 - Tracon
146.20.80.0/22 # AS3638 - Globali
146.20.80.0/21 # AS12277 - Tracan
146.20.88.0/22 # AS12277 - Tracan
150.112.0.0/16 # AS8121 - TCH/Layer42.net
157.112.0.0/16 # AS23720 - FUSIONGOL-AS-AP
(Note - this is proper announcement, on behalf of Clipper)
166.88.0.0/16 # AS8121 - TCH/Layer42.net
167.179.0.0/16 # AS4768 - Clear Communications
192.107.49.0/24 # AS30080 - BA Consulting (hijacker used named), routed by AS3568 CW
198.133.167.0/24 # AS8121 - TCH/Layer42
199.245.138.0/24 # AS30080 - BA Consulting
203.4.160.0/24 # AS9826 - ILink.net
203.29.32.0/24 # AS9826 - ILink.Net
203.29.33.0/24 # AS3491 - CAIS
203.30.20.0/24 # AS3491 - CAIS
203.30.26.0/23 # AS3491 - CAIS
204.155.240.0/20 # AS16631 - Cogent
205.235.64.0/24 # AS29698 - Internet America LLC (hijacker named used)
205.235.69.0/24 # AS29698 - Internet America LLC

More information about the NANOG mailing list