Fwd: [LN20080729.4147] RE: AS 28551
tme at multicasttech.com
Fri Aug 1 08:05:57 CDT 2008
I think that 126.96.36.199/21 and AS 28551 may be hijacked.
AS 28551 is announcing 188.8.131.52/21
28551 is assigned to LANIC but has not been assigned to a end user.
184.108.40.206/21 is assigned to WalMart
220.127.116.11/21 is currently routed through AS35681 - VINDAVA-AS -
which is in Bucharest, Romania
I think that this is a bogon.
P.S. I have asked WalMart about this, and received no response.
Begin forwarded message:
> From: Lucas Graciano <hostmaster at lacnic.net>
> Date: July 31, 2008 1:10:25 PM EDT
> To: Marshall Eubanks <tme at multicasttech.com>
> Cc: LACNIC Hostmaster <hostmaster at lacnic.net>
> Subject: Re: [LN20080729.4147] RE: AS 28551
> Dear Sir,
> This AS number is under administration by NIC.MX, but is a resource
> that is not allocated yet!
> Hostmaster // Registration Service
> L A C N I C http://lacnic.net
> Latin American and Caribbean Internet Addresses Registry
> On Tue, Jul 29, 2008 at 04:59:02AM -0400, Marshall Eubanks wrote:
>> I contacted LANIC (read below) to see if they actually did register
>> My question remains : Is there a reason for this ASN not to be in the
>> LACNIC whois, or is this a rogue ASN ?
>> Marshall Eubanks
>> On Jul 29, 2008, at 3:14 AM, Network Abuse wrote:
>>> ** This is an automatic message. **
>>> ** Please carefully read the information below. **
>>> You have contacted LACNIC due to some abuse activity (spam,
>>> hacking, etc),
>>> from an IP address allocated or assigned by LACNIC.
>>> LACNIC is an RIR (Regional Internet Registry) for Latin America and
>>> the Caribbean region. What that means is that LACNIC is responsible
>>> the IP address space and ASN allocation/assignment in this region.
>>> As mentioned, the IP address in question was allocated by LACNIC to
>>> some other organization or ISP in the region. So the abuse activity
>>> originated in that organization's network, not in LACNIC.
>>> You should query our whois database to get information about the
>>> source of this abuse activity and the appropriate network contact.
>>> LACNIC's whois is available at:
>>> or via the command line:
>>> whois -h whois.lacnic.net [IP ADDRESS]
>>> Important Note:
>>> Addresses allocated to "Comite Gestor da Internet no Brasil" are
>>> allocated to the Brazilian NIR (Registro BR), and in this case you
>>> might want to query their Whois database:
>>> whois -h whois.nic.br [IP ADDRESS]
>>> Please note that LACNIC has no authority to investigate spam,
>>> or any other kind of network abuse activity committed by other
>>> organizations. Nor can we punish other organizations' users.
>>> More details are available at: http://lacnic.net/abuse
>>> If this information did not help you, please reply this message to
>>> hostmaster at lacnic.net and keep the subject line.
>>> LACNIC Hostmaster
>>> ----------Original Header
>>> From tme at multicasttech.com Tue Jul 29 04:14:07 2008
>>> Return-Path: <tme at multicasttech.com>
>>> X-Original-To: whois-contact at lacnic.net
>>> Delivered-To: whois-contact at lacnic.net
>>> Received: from localhost (localhost [127.0.0.1])
>>> by mail.lacnic.net (Postfix) with ESMTP id C6A23B9C3
>>> for <whois-contact at lacnic.net>; Tue, 29 Jul 2008 04:14:07 -0300
>>> X-Virus-Scanned: amavisd-new at lacnic.net
>>> X-Spam-Score: -2.407
>>> X-Spam-Status: No, score=-2.407 tagged_above=-99 required=4
>>> Received: from mail.lacnic.net ([127.0.0.1])
>>> by localhost (mail.lacnic.net [127.0.0.1]) (amavisd-new, port
>>> with ESMTP id 7B1tNXyA0p7h for <whois-contact at lacnic.net>;
>>> Tue, 29 Jul 2008 04:14:05 -0300 (BRT)
>>> X-Greylist: delayed 3599 seconds by postgrey-1.27 at
>>> mail.lacnic.net; Tue, 29 Jul 2008 04:14:04 BRT
>>> Received: from multicasttech.com (lennon.multicasttech.com
>>> by mail.lacnic.net (Postfix) with ESMTP id DB5F5B9C0
>>> for <whois-contact at lacnic.net>; Tue, 29 Jul 2008 04:14:04 -0300
>>> Received: from [18.104.22.168] (account marshall_eubanks HELO
>>> by multicasttech.com (CommuniGate Pro SMTP 3.4.8)
>>> with ESMTP-TLS id 12277392 for whois-contact at lacnic.net; Tue, 29
>>> Jul 2008 02:14:04 -0400
>>> Message-Id: <DBB7E3A2-E4AB-4A43-8362-720FBDE289CC at multicasttech.com>
>>> From: Marshall Eubanks <tme at multicasttech.com>
>>> To: whois-contact at lacnic.net
>>> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>>> Content-Transfer-Encoding: 7bit
>>> Mime-Version: 1.0 (Apple Message framework v926)
>>> Subject: AS 28551
>>> Date: Tue, 29 Jul 2008 02:14:03 -0400
>>> X-Mailer: Apple Mail (2.926)
>>> ----------Original Message
>>> AS 28551 is in a ASN block assigned to LACNIC and is shwoing up in
>>> BGP tables,
>>> but a whois returns a blank :
>>> [tme at lennon mcast]$ lacnic_whois 28551
>>> % Joint Whois - whois.lacnic.net
>>> % This server accepts single ASN, IPv4 or IPv6 queries
>>> % LACNIC resource: whois.lacnic.net
>>> % Copyright LACNIC lacnic.net
>>> % The data below is provided for information purposes
>>> % and to assist persons in obtaining information about or
>>> % related to AS and IP numbers registrations
>>> % By submitting a whois query, you agree to use this data
>>> % only for lawful purposes.
>>> % 2008-07-29 03:13:17 (BRT -03:00)
>>> % No match for "AS28551"
>>> % whois.lacnic.net accepts only direct match queries.
>>> % Types of queries are: POCs, ownerid, CIDR blocks, IP
>>> % and AS numbers.
>>> Is there a reason for this, or is this a rogue ASN ?
>>> Marshall Eubanks
More information about the NANOG